Certificate Troubleshooting
openssl tls certificates troubleshooting
Quick Diagnosis Commands
View Certificate Details
# From file
openssl x509 -in cert.pem -text -noout
# From remote server
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -text -noout
# Just the dates
openssl x509 -in cert.pem -noout -dates
# Just the subject/issuer
openssl x509 -in cert.pem -noout -subject -issuerCheck Certificate Chain
# Show full chain from server
openssl s_client -connect example.com:443 -servername example.com -showcerts
# Verify chain against CA bundle
openssl verify -CAfile ca-bundle.crt cert.pem
# Verify with intermediate
openssl verify -CAfile root.pem -untrusted intermediate.pem cert.pemCheck Key/Cert Match
# These should output the same modulus hash
openssl x509 -in cert.pem -noout -modulus | openssl md5
openssl rsa -in key.pem -noout -modulus | openssl md5
# Or for EC keys
openssl x509 -in cert.pem -noout -pubkey | openssl md5
openssl ec -in key.pem -pubout 2>/dev/null | openssl md5Common Errors and Fixes
Certificate Expired
error 10 at 0 depth lookup: certificate has expired
Diagnosis:
openssl x509 -in cert.pem -noout -dates
# Look for notAfter dateFix: Renew the certificate
Hostname Mismatch
SSL: certificate subject name 'www.example.com' does not match target host name 'example.com'
Diagnosis:
# Check Subject and SANs
openssl x509 -in cert.pem -noout -text | grep -A1 "Subject:"
openssl x509 -in cert.pem -noout -text | grep -A1 "Subject Alternative Name"Fix:
- Request certificate with correct SANs
- Include both
example.comandwww.example.com
Untrusted/Self-Signed Certificate
error 18 at 0 depth lookup: self-signed certificate
error 19 at 1 depth lookup: self-signed certificate in certificate chain
error 20 at 0 depth lookup: unable to get local issuer certificate
Diagnosis:
# Check issuer
openssl x509 -in cert.pem -noout -issuer
# Check if root CA is in trust store
openssl verify -CApath /etc/ssl/certs cert.pemFix:
- Add CA to system trust store
- Provide correct CA bundle with
-CAfile - For internal CAs: distribute root CA to clients
Certificate Chain Incomplete
error 21 at 1 depth lookup: unable to verify the first certificate
Diagnosis:
# Check what chain server sends
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | grep -E "^ [0-9]+ s:|^ +i:"Fix:
- Concatenate intermediate certs into chain file
- Order: leaf cert → intermediate(s) → (optionally) root
cat server.crt intermediate.crt > fullchain.pemKey Mismatch
error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Diagnosis:
# Compare modulus hashes
openssl x509 -in cert.pem -noout -modulus | openssl md5
openssl rsa -in key.pem -noout -modulus | openssl md5Fix: Use the correct private key that matches the certificate
Wrong Key Type
unable to load Private Key
Diagnosis:
# Check key format
head -1 key.pem
# Should show -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----
# Check if encrypted
grep ENCRYPTED key.pemFix:
# Convert PKCS#8 to traditional RSA
openssl rsa -in pkcs8.key -out traditional.key
# Decrypt encrypted key
openssl rsa -in encrypted.key -out decrypted.keyCertificate Chain Order
Correct order for fullchain/bundle files:
┌─────────────────────┐
│ Leaf/Server Cert │ ← Your certificate (CN=example.com)
├─────────────────────┤
│ Intermediate CA 1 │ ← Signs the leaf cert
├─────────────────────┤
│ Intermediate CA 2 │ ← Signs Intermediate CA 1 (if exists)
├─────────────────────┤
│ Root CA │ ← Usually NOT included (clients have it)
└─────────────────────┘
Build a chain:
cat server.crt intermediate.crt > fullchain.pem
# Verify the chain
openssl verify -CAfile root.pem fullchain.pemFormat Conversions
| From | To | Command |
|---|---|---|
| PEM | DER | openssl x509 -in cert.pem -outform DER -out cert.der |
| DER | PEM | openssl x509 -in cert.der -inform DER -out cert.pem |
| PEM | PKCS#12 | openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem -certfile chain.pem |
| PKCS#12 | PEM | openssl pkcs12 -in cert.pfx -out all.pem -nodes |
| PKCS#7 | PEM | openssl pkcs7 -in cert.p7b -print_certs -out cert.pem |
Testing TLS Connection
Basic Connection Test
# Test connection and show cert
openssl s_client -connect example.com:443 -servername example.com
# Test specific TLS version
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
# Test with client cert
openssl s_client -connect example.com:443 -cert client.pem -key client.keyCheck Supported Ciphers
# List server's preferred cipher
openssl s_client -connect example.com:443 2>/dev/null | grep "Cipher is"
# Test specific cipher
openssl s_client -connect example.com:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384'Quick Reference: Error Codes
| Error | Meaning |
|---|---|
error 10 | Certificate expired |
error 18 | Self-signed certificate |
error 19 | Self-signed cert in chain |
error 20 | Unable to get local issuer |
error 21 | Unable to verify first cert |
error 27 | Certificate not yet valid |
error 62 | Hostname mismatch |