
Let’s Encrypt and Certbot | How to check SSL

SSL certificates have become a modern necessity. Organizations operating online need to add them to their websites to secure transactions and user information. They are also good at keeping cyberattacks at bay.

However, not many people are familiar with the ways to get an SSL certificate, and those who are don’t know how to check their SSL certificate’s validity. All these small problems lead to major inconveniences.

This article aims to tell you more about Let’s Encrypt and Certbot and the most efficient method of checking the SSL certificates’ installation and validity.


Let’s Encrypt


Let’s Encrypt is a free and automated certificate authority that provides TLS/SSL certificates to a compatible client. You can use them to encrypt data and communication for your website users.

Let’s Encrypt is developed by the Internet Security Research Group (ISRG). The main purpose of these digital certificates is to enable HTTPS for websites at no cost.
On the other hand, the paid certificates’ market is quite vast.

Let’s Encrypt offers two types of certificates:

  • Standard Single Domain SSL
  • Wildcard SSL.

Both of them are issued for 90 days and renewed automatically after installation.


Benefits of Let’s Encrypt Certificates


These certificates are domain-validated and do not require a dedicated IP address. Let’s Encrypt provides a more straightforward way of receiving certificates. It does not involve any charges, email verifications, etc., and is fully automated. All you have to do is start the enrollment process.


Certbot


Certbot is a command-line client app that fetches a certificate from Let’s Encrypt, an open certificate authority launched by the EFF. It deploys the certificates to a web server after getting them. It is an easy-to-use client that works in five simple steps:


  1. Install the Certbot, which is packaged in most Linux distro repositories.
  2. Run Certbot.
  3. Post-configure your web server if needed.
  4. Enable the Automatic Certificate Renewal.
  5. Restart the web server after the renewal.

These SSL/TLS certificates are deployed to your web server automatically. You can also set this process to fetch only the latest version by using Certbot-auto.

Another well-known term related to Certbot is the Webroot Certbot. It works by assigning public availability to a folder. The name Webroot comes from the procedure behind this plugin: the client places the file and pings a server to fetch it. You have to specify the web-serving root during the process.
All the issued certificates can be found in:


/etc/letsencrypt/live/$domain

Benefits of Certbot


  1. It is free.
  2. It provides a command-line interface and works well with an HTTP website that has port 80 open.
  3. You can choose from various servers, including virtual private servers, dedicated servers, and cloud-hosted servers, accessible with SSH.
  4. All of the Certbot certificates are auto-renewable every 60 days.
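
With a 90-day lifetime and renewal every 60 days, a certificate that has fewer than 30 days left is a sign that automatic renewal did not run. The script below is an added example (not part of Certbot or of the original article) that scans the live directory for such certificates; it assumes the openssl command-line tool is installed and that each domain directory holds the leaf certificate as cert.pem.

```shell
#!/bin/sh
# Added example: flag Certbot-managed certificates that are close to expiry.
# Assumptions: openssl CLI is available; each per-domain directory under
# the live directory contains the leaf certificate as cert.pem.

# expiring_certs LIVE_DIR DAYS
# Prints "domain<TAB>expiry date" for every certificate that expires within
# DAYS days. Returns 1 if at least one such certificate was found, else 0.
expiring_certs() {
    live_dir=${1:-/etc/letsencrypt/live}
    days=${2:-30}
    secs=$((days * 86400))
    found=0
    for cert in "$live_dir"/*/cert.pem; do
        # Skip the unexpanded glob when no certificate exists.
        [ -f "$cert" ] || continue
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if ! openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null; then
            domain=$(basename "$(dirname "$cert")")
            end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
            printf '%s\t%s\n' "$domain" "$end"
            found=1
        fi
    done
    return "$found"
}

# Usage (run as a user that can read the live directory):
#   expiring_certs /etc/letsencrypt/live 30
```
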

The Best Ways to Check if an SSL Certificate is Installed and Valid


Unix/Linux users


Method 1:

The first method includes a Linux command line.

You have to start with the verification status code. It shows whether the certificate is installed or not. The verification code “0” means the process was successful.
However, if you see “20” as status, the certificate is not configured correctly. You will also get an error: ‘unable to get local issuer certificate.’
Next, check your certificate’s path using the command line below. It will help you find out whether it is valid or not.


$ openssl s_client -connect www.yourwebsite.tld:443

You will get the location as -CApath /etc/ssl/certs/

If you have a single file, use:


$ openssl s_client -connect www.yourwebsite.tld:443 \
    -CAfile /etc/ssl/certs/ca-certificates.crt

The path will be shown as: -CAfile /etc/ssl/certs/ca-certificates.crt

You will see the option to verify the hostname with the result. “0” status code means the verification was successful. If there’s an error, you will get a return code: 62, along with the error ‘Hostname Mismatch.’

Sometimes, you will also see the option to verify a certificate that has been issued to an IP address instead of a hostname. For this, you will need to use the -verify_ip switch. It will check the IP address and show the successful results.
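
The status codes described above can be read out of the s_client output automatically. The script below is an added example, not part of the original article: classify_verify and check_host are names chosen here, the sample output is constructed, and the live check assumes the openssl command-line tool and network access.

```shell
#!/bin/sh
# Added example: interpret the "Verify return code" line of openssl s_client.

# Constructed excerpts of s_client output (not captured from a real server).
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.3
    Verify return code: 0 (ok)'
SAMPLE_NO_ISSUER='    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_MISMATCH='    Verify return code: 62 (Hostname mismatch)'

# classify_verify: read s_client output on stdin and print a verdict.
# Returns 0 if verified, 1 on a verification error, 2 if no result was found.
classify_verify() {
    # Take the first result line; the output can contain it more than once.
    code=$(sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    case "$code" in
        0)  echo "OK: certificate chain verified"; return 0 ;;
        20) echo "FAIL 20: unable to get local issuer certificate"; return 1 ;;
        62) echo "FAIL 62: hostname mismatch"; return 1 ;;
        '') echo "FAIL: no verify result in output"; return 2 ;;
        *)  echo "FAIL $code: other verification error"; return 1 ;;
    esac
}

# check_host HOST: live check against port 443 of HOST.
# -servername sends SNI; -verify_hostname turns a name mismatch into code 62;
# </dev/null closes stdin so s_client exits once the handshake is done.
check_host() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" \
        -verify_hostname "$host" </dev/null 2>/dev/null | classify_verify
}

# Offline demonstration on the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_NO_ISSUER" "$SAMPLE_MISMATCH"; do
    printf '%s\n' "$sample" | classify_verify || true
done
```

Because check_host returns non-zero on any failure, it can be called from a cron job or monitoring check for each site you serve.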


Windows users


Method 2:

Follow the steps below:

  1. Go to Run.
  2. Start certlm.msc
  3. Open Certificates - Local Computer

Here, you will see a list of certificates. These are the ones listed in the store. Navigate through the legitimate ones to find out which of them are installed.
Though seeming simple, this method is very time-consuming.


Method 3:

Follow the steps mentioned below:

  1. Go to the Sigcheck page and press Download.
  2. After the download finishes, install the application.
  3. Open Run and enter the command sigcheck -tv.

The Sigcheck tool downloads the trusted Microsoft root certificate list. You can see the valid certificate there. It is also easy but time-consuming as you have to download and install the application.

You can download any tools and applications to check your certificates instantly. However, some of them might not work properly or are not licensed.
The ones we mentioned above are trusted worldwide, but the most preferred way still is to use the Linux command line. It will help you view the address of your certificate and will visualize the correct installation and validation.


Check SSL certificates online


https://www.sslshopper.com/ssl-checker.html

https://www.digicert.com/help/


More info


https://serverfault.com/questions/589590/understanding-the-output-of-openssl-s-client

https://stackoverflow.com/questions/24992976/openssl-telling-certificate-has-expired-when-it-has-not

https://community.letsencrypt.org/t/problem-with-certificate-has-expired/161013/2