Join Log in
Score:0
avatar Server

Log the ssl certificate that apache is using for each SSL connection, for enhanced loging & debugging

bg flag
Amandasaurus

I have an apache web server, with mod_ssl & SSL certificates from letsencrypt. certbot reports they are fine and not expiring. A few different (of my many users) report that they get invalid/expired SSL certs from the server (and I have see output from wget from them to prove that).

To debug this, I want to log lots of details of each SSL connection. I would like to log, for each SSL connection the remote IP, and details about the SSL connection (e.g. protocol), the client provided SNI (server name identification) value, and then what SSL certificate/chain/key on the server was used. I want to

With ErrorLog ssl:traceN (for various N) I can get some of these details. But I cannot see what SSL certificate the server is using for each connection. How can I do this?

182
0 + 0
ssl
Nikita Kipriyanov avatar
za flag
Nikita Kipriyanov
`wget` is not the best way to check certificate. Learn how to use `openssl s_client` tool, which was designed just for SSL/TLS debugging purposes.
0
Reply
bg flag
Amandasaurus
I am not using `wget` to check the SSL cert. I do use `openssl s_client` for monitoring. However some of my users are using `wget` to download files, and they encounter this error, and have emailed me the terminal output.
0
Reply
Nikita Kipriyanov avatar
za flag
Nikita Kipriyanov
It could well be their `wget` uses old `ca_certificates` database which doesn't include the new Let's Encrypt root certificate or some others. That's why their wget complains. If that's the case, you can't do and shouldn't do anything, it is their side which must be fixed.
1
Reply
Score:1
avatar Server
in flag
Lacek

mod_ssl exports a bunch of environment variables (see the list here), which can be used to log info about the certificate, for example, in a LogFormat directive like this:

LogFormat "cert_CN='%{SSL_SERVER_S_DN_CN}e', cert_expires='%{SSL_SERVER_V_END}e', vhost='%{Host}i', client='%h'" ssl_combined

However, before you start logging, be sure you check this article about expiring the DST Root CA X3 certificate. It is the one which signed the root CA of Let's Encrypt, and it has expired in September. However, the root CA of Let's Encrypt is accepted as a trusted CA in itself by virtually every system. For this, the expiration is not a problem, and the issued certificates continue to work, except for older systems using openssl version < 1.1.0, which does not stop the validation when a trusted CA found, but insists to check the whole chain (and fails).

If the system in question has an older openssl, you can do nothing about the problem on the server side, openssl should be upgraded on the client. If that is not an option, blacklisting the expired certificate helps.

0 + 0
bg flag
Amandasaurus
yes, I wonder if the letsencrypt cert change is relevant here
0
Reply
Nikita Kipriyanov avatar
za flag
Nikita Kipriyanov
Again, if the old openssl or old ca_certificates problem exists on the client, nothing you can do on the server side. Educate your users, explain them why using outdated software is bad, why updates are necessary.
1
Reply
bg flag
Amandasaurus
Yes I presume it's LE's change. But I want to be 100% sure.
0
Reply
Score:1
Nikita Kipriyanov avatar Server
za flag
Nikita Kipriyanov

Apache HTTPD's mod_ssl sets various environment variables, some of which could be used to identify the server certificate. For example, there are SSL_SERVER_CERT (a complete PEM-encoded cert), SSL_SERVER_S_DN (a DN of the subject), SSL_SERVER_M_SERIAL (a cert serial number).

You can use them in the logging configuration:

CustomLog "logs/ssl_request_log" "... %{SSL_SERVER_S_DN}x ..."

Read mod_ssl manual for details.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.