Server Name Indication, DNS & SSL Certificate Troubleshooting Guide Using OpenSSL and DIG

Video Statistics and Information

Captions
Stop me if you've heard this before: the problem was DNS. This problem has plagued us for many years, because DNS keeps getting a little bit more complex in its relationship to proxies, websites and especially certificates. I just did a video on HAProxy, and you'll find that video linked down below. That one is specific to pfSense and HAProxy, but I wanted to do a broader topic here, because with that video came the questions and the troubleshooting of the relationship between DNS and SNI, and what SNI is. Server Name Indication is a more recent thing; well, it's been around for a while, but maybe not everyone understands it completely, and it's extremely related to DNS. In the before times, before the adoption of SNI, if you wanted to host multiple secure websites, each with its own certificate, on a single server, each website would typically require its own unique IP address. Some people still think that's the case, but SNI solved that problem. With SNI, during the initial handshake process the client specifies the host name of the server it's trying to connect to. This allows the server to choose the appropriate certificate to present to the client, which makes it feasible to host multiple encrypted websites on the same server with the same IP address, each with its own unique certificate, as long as your DNS works. That is the important part, because the SNI, the fully qualified domain that you may have in the URL of your browser, is going to talk to the server and present that fully qualified domain, and the server should then respond with the proper certificate or proper wildcard certificate. That's what I covered in my video: wildcard certs with Let's Encrypt mean you can match based on anything before a certain level of subdomain. There are a few tricks to actually sorting out when there's a problem with this, and that's what this video is about: how to sort that out and how to use the tools. I want to walk through the process of looking it up using dig and openssl, and you'll find those commands linked down below over in a forum post; you can just copy and paste them.

I will be doing this in Linux. If you would like to follow along but you're not using Linux, you can load Windows Subsystem for Linux on a Windows system, and if you have a Mac this should work from the command line, but I'm much less familiar with Mac. Nonetheless, you could always SSH into some Linux machine; these are pretty common base utilities that you'll find on a Linux system. Let's get started with the demo here so we can show you how to run these commands and how to look up that your DNS is set up properly and that you're getting the right certificate. Everything's time indexed down below, but I will start right here just to bring up the process that a system goes through, where you do or don't need an entry, and what a fully qualified domain name, a root domain or a top-level domain is. So here are our subdomains, and we'll be talking about these; you can have more than one. We have dozer.studio; those are the extended subdomains of lawrencesystems.com, which is the domain name, and the top-level domain is .com. If you're thinking there's an S missing: either one of these, lawrencesystem.com or lawrencesystems.com, goes to my website; there's a redirect that sends you over to the right place. When you have these set up, and we have a client behind our pfSense, which happens to be running DNS for the demo lab we have set up here, if it looks up lawrencesystems.com it'll find that it doesn't have an entry, and then it goes out to the internet and looks up the public records available for that (you can look them up too), and it's going to head over to the web server and serve up a website. Now we have an entry locally for this to get our proxy working, and if we go over to the internal version we have dozer.studio.lawrencesystems.com, and we've put an entry in our pfSense.

There is no public entry for this, so there's no reason to go out to the internet; it'll stop right here and serve up the HAProxy. This was in my demo the other day: how to set up HAProxy and how to have the DNS point to it. So this gives us a way to have a domain, and we have a wildcard certificate attached to this HAProxy instance, so dozer.studio.lawrencesystems.com comes here and then it actually goes to our TrueNAS. The TrueNAS, which has its own self-signed certificate, is then talking to HAProxy, which has a wildcard certificate for anything.studio.lawrencesystems.com. By doing this, sometimes where people get confused is: well, it's not responding, but I'm not sure why it's not responding, or can I do it from the command line so I can see the messages, do that SNI and see what actually is getting pumped out of that proxy? Yes, and that's what we're going to talk about next: those entries. Because this is going to be used in our example, I will mention that we do have a host override in here to get our HAProxy working internally, but we're also going to talk about how this can work externally; this is not specific to HAProxy. dozer.studio.lawrencesystems.com has an entry of 172.16.16.1; this is going to redirect this particular query to this local internal server, which happens to be running HAProxy, and the goal is to make sure that that is serving up the proper certificate. So this will work. I do have another video linked down below covering host overrides in pfSense and how to manage DNS, but I'm not going to get any further than that on the pfSense side. Let's jump right over to the tools.

Now we're going to start with an external example. The first tool we want to use is dig, so we're going to go dig google.com, and we want to know what the A record is for Google. Turns out it's 172.217.1.110; it may be different for you, since Google actually has multiple entries for this and they respond regionally, but that's not the detail that matters. We want to know what certificate will be served up if we talk to this server directly. So let's go ahead and clear the screen and walk you through the openssl command: openssl s_client with the server name. This is the SNI request; this is saying, hey, what if we had google.com in our browser and we want to talk to that host that was the DNS response, and we want to talk to it on 443, the default port that serves up secure certificates. So we're going to ask this question, and when we query it we get a lot of data. Let's go ahead and scroll up, and we're going to scroll very far; we can look right here at the subject. Matter of fact, you can see all of it: it's giving the certificate, the handshake, it'll have the TLS information in here. But let's go ahead and parse this to make it a little bit easier to read. We're just going to grep for the subject, because that's the part that matters. We focus on the subject here, and this will match anything.google.com, which also means if we were to try to go to google.com it would be valid, and if we had any-other-domain.google.com it will also be valid, at least for the certificate; we don't know if there's actually a website that it will respond to if we put any other. I'm going to guess though that this one will work for sure if we put a www there, and that actually works. Matter of fact, this is how you know they don't have a wildcard for *.google.com, which is a wildcard; they have a specific certificate just for google.com. That's why there's no wildcard; it's just for www. Matter of fact, if we were to put another one that I know is valid, such as mail.google.com, they actually do have a certificate it serves up for that off that same address.

Now let's take a look at our example domains. We're going to go dig dozer.studio.lawrencesystems.com, and we see that it is properly responding, because we have that entry in there for that local address. But what if we got rid of the dozer and we just looked up studio? Is there an entry? There is not; there's nothing, because there doesn't need to be, unless I wanted studio to go to something, but I don't need to; I was just using that as a wildcard. So if we go back here to dozer.studio.lawrencesystems.com, we see that we have an entry. Something of note: the way dig works is you can also add an @ symbol and an external domain server, because by default dig is going to use the domain server that is the default domain server for the system that you're on. In my case, my default domain server is the pfSense system. In this case we told it to reach out to 1.1.1.1, Cloudflare's DNS, and Cloudflare doesn't have an entry for dozer.studio.lawrencesystems.com. But we can actually truncate this down, and of course there is a public entry for this; each one of these entries, each one of these A records, can be separate. Now let's get back to this one right here; we just want to make sure we have this, and let's run that openssl command to see what certificate is being served up from this request.

All right, so now we're going to run our openssl client with the server name of dozer.studio.lawrencesystems.com and host 172.16.16.1, our HAProxy host, because we want to know what certificate we're going to get. We can see right here, if we go look at the subject, we're going to get a wildcard for anything.studio.lawrencesystems.com, so it is properly giving me the wildcard cert that I should expect, which means that domain would be valid. Now we can query this in different ways, because I actually have another server running on another port. So if we change this up to the .2 address on that other port, which is another instance, and we wonder if this is available, this is actually going to return something that's not valid. So if we go here, we're requesting it, but this one serves up this certificate, ltsdemo.work, which would be invalid, but it will actually get a handshake; we'll just get the invalid error, and it'll be a bit confusing. This is a way to check to make sure I'm getting the proper certificate from each one of these servers, so I know that this will not match, because the wildcard is not matching and it's also not a specific match.

That's all you need to do the troubleshooting: those two tools. You're probably thinking, could I just put it in the browser? The problem is browsers cache things. This can be very challenging to your psyche when you have made a change and then refreshed the page and it didn't give a different message; matter of fact, it seems to give the same message that you had before, and you think, was my change not applied? Well, I bypass that troubleshooting by going right to the dig and openssl tools, because I want to know the answer before I open a browser, and because those tools do not cache at all, all of your changes are reflected in real time. If you do a dig and you don't have a DNS entry, your problem is DNS: figure out why there's no DNS entry, and walk through my DNS video if you're using pfSense to understand how DNS entries and host overrides work. If you're having trouble with HAProxy, watch my HAProxy video, because if it serves up the wrong certificate, and you're expecting cert A and it gives you cert B, you know just to look for cert B within your configuration and swap it to be the proper responding cert. Once you know those match, then you pop it in the browser and just double check and confirm things. Also take a look at the expiration date, because that is the final one I maybe didn't mention, but it also sometimes happens when someone has an old certificate and they think everything matches and it still gives an error that there's an SSL problem, and that problem is probably just that it's expired at that point. So do check the dates on those certificates.

Love hearing from you; leave your thoughts and comments down below, head over to my forums for a more in-depth discussion on this or other topics I talk about on my channel, like and subscribe, and that thumbs up button really does help the YouTube algorithm let you know you like the video and let other people know that they may want to watch it. If you want to connect with me on the socials, you'll find whatever social media I'm connected to at the time you're watching this video over on lawrencesystems.com. Thanks.
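The dig and openssl s_client check the video walks through, together with the one-label wildcard rule it describes (anything.studio.lawrencesystems.com matches, studio.lawrencesystems.com does not), as an added POSIX sh example that is not the video's or the forum post's own script. The `check_sni` function, the `subject_cn` helper and the constructed sample subject line are assumptions of this example; the proxy IP is a placeholder you supply.

```shell
#!/bin/sh
# Added example (not from the video): the dig + openssl s_client check the video
# does by hand, plus the one-level wildcard rule it describes, in plain POSIX sh.

# subject_cn: read "openssl x509 -noout -subject" output on stdin and print the CN.
# Handles both "subject=CN = name" (OpenSSL 1.1+/3.x) and "subject= /CN=name" layouts.
subject_cn() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# cert_matches HOST NAME: exit 0 if NAME covers HOST, where NAME is an exact name
# (google.com) or a one-level wildcard (*.studio.lawrencesystems.com). The wildcard
# covers exactly one label: dozer.studio.X matches, studio.X and a.b.studio.X do not.
cert_matches() {
    host=$1; name=$2
    [ "$host" = "$name" ] && return 0
    case "$name" in
        \*.*) ;;          # wildcard: fall through to the label check
        *) return 1 ;;    # plain name, and it was not an exact match
    esac
    suffix=${name#\*.}
    label=${host%."$suffix"}
    [ "$label" = "$host" ] && return 1      # host does not end in .suffix
    [ -z "$label" ] && return 1             # host would be just ".suffix"
    case "$label" in *.*) return 1 ;; esac  # more than one label before the suffix
    return 0
}

# check_sni HOST IP [PORT]: ask IP:PORT for HOST via SNI, the way a browser would, then
# print the DNS answer, the certificate subject and expiry, and whether the CN covers HOST.
# Needs network access, dig and openssl; it is not exercised by the offline checks.
# Caveat: browsers match against subjectAltName, not only CN; add "-ext subjectAltName"
# (OpenSSL 1.1.1+) to the x509 command to see that list too.
check_sni() {
    host=$1; ip=$2; port=${3:-443}
    printf 'dig +short %s -> %s\n' "$host" "$(dig +short "$host" | tr '\n' ' ')"
    cert=$(openssl s_client -servername "$host" -connect "$ip:$port" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject -enddate) || { echo "no certificate from $ip:$port"; return 1; }
    printf '%s\n' "$cert"
    cn=$(printf '%s\n' "$cert" | subject_cn)
    if cert_matches "$host" "$cn"; then echo "CN $cn covers $host"; else echo "CN $cn does NOT cover $host"; fi
}

# Constructed sample of what "openssl x509 -noout -subject" prints for the video's wildcard cert.
SAMPLE_SUBJECT='subject=CN = *.studio.lawrencesystems.com'

# Usage: sh check_sni.sh dozer.studio.lawrencesystems.com <proxy-ip> [port]   (<proxy-ip>: your HAProxy host)
if [ "$#" -ge 2 ]; then check_sni "$@"; fi
```

Run it once against the proxy's address and once against the other instance's port to see the wildcard match succeed for the first and fail for the ltsdemo.work certificate on the second, without any browser cache in the way.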
Info
Channel: Lawrence Systems
Views: 11,934
Keywords: LawrenceSystems, SNI, DNS & SSL, server name indication, transport layer security (protocol), ssl certificates, ssl certificate, self signed certificate, what is sni, what is server name indication
Id: Z8Xw76hry4o
Length: 11min 42sec (702 seconds)
Published: Wed Aug 16 2023