Show all certs on a server

Hi all,

does anyone know a neat trick to show all certificates installed on a server? There is nothing for that in Nodeworx, right? This would be a helpful feature for Nodeworx: e.g. similar to all the websites shown under Server - IP Management, it would be great if we could see all certificates somewhere.

But until then, does anyone know how to query this, e.g. via the CLI?

Cheers,

Michael

Hi Michael
Good question, and I believe you're correct, there is no option to show which SSL is being used on which domains.
I think there is no valid way to distinguish an SSL cert that has expired but has not been deleted/removed from those that have a valid SSL cert. So this complicates matters in compiling a list of domains with valid SSL certs.
Thankfully, this task is made easier, though, as you can run the below to log domains with a crt (certificate), but there is no way of knowing whether the SSL cert is valid or not, I'm afraid.
I tried this on a test server, and it listed only those test domains with SSL.
Hopefully, another user may have a more elegant method than my simple find command.
Many thanks
John
SSH into the server
run as root:
find /home -name '*.crt' > log
view log
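As an added example (not part of John's post or of InterWorx), the following extends the find command above with the validity check the thread is after: it walks the same `*.crt` files under `/home` and asks openssl for each one's subject, notAfter date and whether it is already expired or expires within N days. It assumes the InterWorx layout used in the thread (certificates stored as `*.crt` under `/home`) and that `openssl` is installed; the directory, the day threshold and the output format are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from InterWorx: inventory every *.crt
# under a directory and report its expiry state via openssl. Assumes the
# InterWorx layout (certs as *.crt under /home) and an installed openssl.

# cert_status FILE DAYS -> prints OK, EXPIRING, EXPIRED or UNPARSEABLE.
# Always returns 0 so it can be used inside set -e scripts.
cert_status() {
    crt="$1"
    days="${2:-30}"
    # Refuse anything openssl cannot read as an X.509 cert (keys, CSRs, junk)
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        echo UNPARSEABLE
        return 0
    fi
    # -checkend N exits non-zero when the cert expires within N seconds;
    # N=0 therefore means "already expired"
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
    return 0
}

# cert_expiry_report DIR DAYS -> one tab-separated line per *.crt found:
# status, notAfter, file path, subject
cert_expiry_report() {
    dir="$1"
    days="${2:-30}"
    find "$dir" -type f -name '*.crt' 2>/dev/null | sort | while IFS= read -r crt; do
        status=$(cert_status "$crt" "$days")
        if [ "$status" = UNPARSEABLE ]; then
            printf '%s\t-\t%s\t-\n' "$status" "$crt"
            continue
        fi
        enddate=$(openssl x509 -in "$crt" -noout -enddate | sed 's/^notAfter=//')
        # sed handles both "subject= /CN=..." (old) and "subject=CN = ..." (new)
        subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
        printf '%s\t%s\t%s\t%s\n' "$status" "$enddate" "$crt" "$subject"
    done
}

# Usage on the server, as root:
#   cert_expiry_report /home 30
# Pipe through `grep -v '^OK'` to see only the certs that need attention.
```

Run it as root over `/home` the same way as the plain find command; the subject column tells you which domain each file belongs to, so the path and the certificate's own CN can be compared when a file has been copied to the wrong account.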

Not a list, but you could see this on the NodeWorx “System IPs.”

You hover over the certificate icon and it shows you which domain it's attached to.

EDIT: I just noticed you referenced this, so maybe not what you’re looking for, but it is a quick way to check this.

Hi Justin

Good call. However, I thought this just shows the alphabetically listed SSL only.

I think it's showing the SSL on the IP address and not all of those through SNI.

I checked yesterday on one of our live servers, and the only listed SSL was 1sh

Many thanks

John

Hi Justin,

that would be one place to list them all, if IW decided to add this as a feature. Right now it only shows one certificate there (Edit: and John just beat me to it), even when many more are installed on several accounts.

John, your find command helps for the time being, thank you very much. I didn't even think about looking up whether the certs are still valid or not. Great idea! Put those two things together and we've got ourselves a nice feature request:

IW, please implement a feature where Nodeworx will list all installed SSL certificates, the account/domain each one is installed to, and also until when it is valid. I even designed this for you :wink:

Better quality: https://cloud.deinhardt.com/index.php/s/h9EuKoNDsVcIZml

Cheers,

Michael

Hi Michael

Wow, that looks lovely

Is it just a picture or have you created the whole module?

If the latter, I would love to have it.

I believe there is a way to check if a cert is valid or not, but it is slightly in-depth and runs singly on each domain separately. Just not sure if it could be bash scripted.

Many thanks

John

HI John,

hehe, only an image, I am afraid. I do designs and concepts, but without in-depth programming skills this is way above my head :wink:

Hi Michael

Damn, sorry, but you're a talented designer.

Many thanks

John

Yeah, I just started using SNI, so I didn't even think of that. I'm offering more SSL options to my clients now because of that, even if they don't have an ecom site, using less expensive SSL certificates that work great for non-ecommerce sites. It's just a good idea with SNI and a lot of WordPress sites nowadays to protect that dashboard login.

I have a new thought on this for a work around.

Based on some SNI issues discussed here: http://forums.interworx.com/threads/8604-SNI-issue-on-shared-IP-with-non-SSL-sites

So I decided to move all my SNI sites to one special shared IP.

So I have the following setup:

  • 1 main shared IP for non-SSL sites
  • 1 SNI shared IP for only sites with SSL
  • 2+ dedicated IPs for sites using dedicated currently

Now when going into the IP view in NodeWorx I can click the Globe under status and it will give me a list of all my SSL domains (using SNI). For dedicated ones you can just hover over the certificate.

Hi Justin,

I had the same idea and it works lovely at first. But more and more customers are switching over to https (as they should), and in order to make that happen, you have to migrate the whole account to the SNI IP first. It happened to me more than once that I set up a new certificate only to find it is not working. And then it always hits me: Damn, need to move the site/account to the other IP first... only one SNI IP possible afaik.

What is more, I have not yet found a way to do this without interrupting the availability of the site. Simply assigning the other IP and switching to it makes it unusable until DNS has propagated. Sure, I can time the change for the night, but more and more customers expect their site to be available 24/7 (and they're right).
I planned to toy with setting up DNS first (two A records, to the old and the new IP), but as always in business/life I haven't found the time yet, and usually when I think of it is when a customer asks to have a new certificate right away, so no time for experiments :wink:

On the other hand, I am moving more and more into VPS, where I usually only have one NATed internal IP, so I can't do the SNI IP and non-SSL IP thing there anyway, so I am kinda moving away from it again.

Cheers,

Michael

Hi Michael and Justin

I still like the idea of Michael's picture for displaying SSL.

Many thanks

John

Me too, so let’s sell it to IW :wink:

John, I agree, but since this is more of a nice thing to have versus a core feature, I’m sure it will be some time before this gets completed, if it’s even on the radar at this point.
So I’m thinking in the work around world :slight_smile:

Well, technically, there is no need to move it back while the SSL is being fixed. There is no "hard" requirement for it to be on any specific IP by the system; it's more for the admin to keep things organized.

> mdeinhardt wrote:
> What is more, I have not yet found a way to do this without interrupting the availability of the site. Simply assigning the other IP and switching to it makes it unusable until DNS has propagated. Sure, I can time the change for the night, but more and more customers expect their site to be available 24/7 (and they're right).
> I planned to toy with setting up DNS first (two A records, to the old and the new IP), but as always in business/life I haven't found the time yet, and usually when I think of it is when a customer asks to have a new certificate right away, so no time for experiments :wink:

I just set my DNS to a 5 min TTL and the switchover happens fast! The other thing you can do is manually edit the vhost file and add both IPs. NodeWorx doesn't allow you to do this; you can switch IPs in NodeWorx, but only one in the vhost at a time.

Where 11.11.11.11 is the current IP and 22.22.22.22 is the new IP.

<VirtualHost 11.11.11.11:443 11.11.11.11:80>

becomes

<VirtualHost 22.22.22.22:443 22.22.22.22:80 11.11.11.11:443 11.11.11.11:80>

After it's all said and done, it would make sense to update it through NodeWorx, which will keep the NodeWorx database in sync with the underlying vhost file, plus it will remove the old IP you no longer need in there.

Hi Justin,

Well technically, there is no need to move it back while the SSL is being fixed. There is not “hard” requirement for it to be on any specific IP by the system, it’s more for the admin to keep things organized.

Not sure if I understood you correctly, but if you have a dedicated IP for SNI, you can't install an SSL certificate on any other shared IP.

Lowering the TTL also takes time until it has propagated, but after that the switch is fast, that's true. I have had the experience, though, that some DNS servers don't follow the TTL and cache entries much longer, so someone somewhere might get an error when browsing to the website in question.

But the vhost idea is compelling, will try that.

But all in all my tendency is still to simplify things again, one IP to rule them all :wink:

When I find time, I will run John's find command, note all certs down and then move forward. It's not that many (yet), so I am fine with that.

But the whole feature might be becoming more important as we get more and more certs, so it is something IW might be interested in too.

Cheers,

Michael

What I mean is SNI runs on Apache, not on an IP address. So any site on any shared IP address on your server can run with SNI. I just decided to move them onto one IP to avoid a non-SSL site being accessed by https and then defaulting to the first SSL site vhost, showing incorrect content for the domain name being accessed (make sense?). If all the sites on a shared IP have SSL, then that can't occur.

But then I realized adding a special vhost file, kind of like a catchall, I was able to grab any non-SSL sites on https and redirect back to that same site on http, avoiding a site mismatch. So technically at this point I could mix all my SNI HTTPS sites and HTTP sites on one IP with that in place, but since I already moved them I’m going to leave them as is.

Yeah, if you don't just leave it at 5 mins all the time, you'd have to make that change to 5 mins, then wait whatever the previous timeout was. Plus, like you said, some bad DNS servers cache stuff themselves longer than the TTL time.

I fully understand what you're saying, but I have never gotten an SSL certificate to work on any other IP than the one I have dedicated to SNI, so I assumed this is some limitation.

How did you setup your SNI? For me, I just started using it this year. All I did was enable it in NodeWorx Settings and it applies to the whole server. Basically there wasn’t anything I needed to do, except add a SSL Certificate to a domain.

The only time I would guess SNI headers wouldn't be sent out is if an IP is static, not a name-based virtual host. Then maybe the SNI stuff isn't sent because it's not needed?

Hi Justin and Michael

I believe Justin is correct as above.

If a static, non-shared IP, only 1 SSL can be assigned and SNI would not be involved.

If a shared IP, any number of SSLs can be set up and SNI is involved.

I am thinking there may be some misunderstanding of Justin's term "dedicated IP for SSL", by which I believe Justin meant a shared IP address which is only used for SSL and another shared IP only used for non-https.

I'm sorry if I'm wrong.

Also, Google and some browsers are alerting users that no https is available or used, more so when accessing login pages etc., and I believe Google SEO is not scoring websites as highly as it once did if they are not accessed by https.

Many thanks

John

Good catch, I probably should have been more clear.

Right now I have X number of Dedicated IPs (don’t remember the exact number) and then I have 2 system IPs setup as Shared.

The 2 IPs that are Shared can both run SNI, but I have moved all my SNI websites onto 1 of the Shared IPs and left the other Shared IP with just HTTP (non-SSL) sites.
This was to avoid a situation where you could go to https://site1.com (site1 does not have SSL installed) and then it shows webpages from site2.com (which is set up for SSL and happens to be the "default" SSL by how it comes up in the Apache config).

Since all IPs on the “SNI Shared IP” are dedicated there could be no mixing.

I've also set up an SSL "catch all" custom vhost for the non-SNI Shared IP. After doing that, I realized I could have had all my SNI sites on the same shared IP as the non-SSL sites with this vhost in place, but I've decided to leave it separate. One benefit is that when I click the globe on the Shared IP I use for SNI sites, I can get a quick glance at all websites that are running SSL.

From what I’ve read about Google is you get a slight boost in rank if you put your full site (not just login pages, etc., but EVERYTHING) into SSL mode. There isn’t a negative impact right now, but if you are tied with someone else on a keyword for 1st rank, this would give you the edge. Not sure if they also give more boost in rank if you go into HSTS mode, as far as I know they don’t.
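The "catch all" HTTPS vhost Justin describes in this post and the earlier one (an SSL default for a shared IP that catches HTTPS requests for sites without a certificate and sends them back to plain HTTP) looks roughly like the following. This is an added example, not Justin's actual configuration or anything shipped by InterWorx; the IP, the certificate paths, the ServerName and the file name are placeholder assumptions.

```apache
# Added example (not Justin's config, not part of InterWorx): catch-all HTTPS
# vhost for a shared IP that mixes SNI sites with plain-HTTP sites.
# Apache treats the FIRST vhost loaded for a given IP:port as the default for
# that address, so this file must be included before the per-site vhosts
# (e.g. name it so it sorts first, such as 00-ssl-catchall.conf).
# 11.11.11.11 and the certificate paths below are placeholders.
<VirtualHost 11.11.11.11:443>
    # A name that matches no real customer site, so SNI never selects it
    ServerName ssl-catchall.invalid

    # Any certificate will do here; it is only presented for names that have
    # no certificate of their own, so a self-signed one is enough.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/ssl-catchall.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ssl-catchall.key

    # Send the visitor back to the same host and path over HTTP.
    # 302 rather than 301: a cached 301 would keep bouncing the site to
    # http:// even after a real certificate is installed for it later.
    RewriteEngine on
    RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [R=302,L]
</VirtualHost>
```

Two caveats a practitioner would want: first, the redirect only runs after the TLS handshake, and the browser checks the catch-all certificate against the hostname the visitor typed before that, so a visitor to https://site1.com will still see a certificate warning for the mismatched name and must click through before being redirected. What the catch-all prevents is the more serious problem Justin describes: site2.com's pages being served under site1.com's name. Second, keep the catch-all on the IP:port pair of the shared IP only; if a dedicated-IP site's vhost were ever loaded after a broader default such as `_default_:443`, that site could be shadowed in the same way.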