Web Server Rescue
Read-only, sensitive outputCheck the Certificate Served for SNI
You need to prove which certificate an edge returns for a specific SNI hostname.
Command
openssl s_client -connect 203.0.113.10:443 -servername wrong.edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltNameBefore you run this
System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.
When not to use it: Do not omit -servername when testing hostname-specific TLS behavior.
Expected output
The certificate identity fields selected by the requested SNI name.
System impact
Read-only, sensitive output. Nothing changes. The command performs a read-only TLS handshake with an explicit server name.
Recovery / rollback: no state is changed.
When to use it
Use when the same IP serves multiple sites or a CDN returns the default certificate.
When not to use it
Do not omit -servername when testing hostname-specific TLS behavior.
Watch this command run
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ openssl s_client -connect 203.0.113.10:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
subject=CN = example.com
X509v3 Subject Alternative Name:
DNS:example.com, DNS:example.com$ openssl s_client -connect 203.0.113.10:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
subject=CN = example.com
X509v3 Subject Alternative Name:
DNS:example.comView commands shown
These are the commands shown in the sanitized transcript.
Commands shown
openssl s_client -connect 203.0.113.10:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltNameopenssl s_client -connect 203.0.113.10:443 -servername wrong.edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
next steps
Related commands
Show TLS Certificate Names
The cert was valid, but not for this hostname.
openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Show TLS Certificate Dates
The outage was not the web server. The edge certificate had expired.
openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -dates
Show TLS Protocol and Cipher
The certificate was fine. The TLS negotiation told the rest of the story.
openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | awk '/Protocol|Cipher|Verify return code/ {print}'
Find Large Directories with du
Once you know a filesystem is full, the next question is where.
du -xh --max-depth=1 /var 2>/dev/null | sort -h
Smoke Check an HTTP Status
A deploy is not done until the endpoint answers.
curl -fsS -o /dev/null -w '%{http_code} %{time_total}s\n' https://example.com/health
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.