Web Server Rescue
Read-only, sensitive outputShow TLS Certificate Dates
Browsers or monitors report a certificate problem, and you need to read the validity dates from the certificate the edge actually serves.
Command
openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -datesBefore you run this
System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.
When not to use it: Do not inspect local certificate files when the question is what users receive from the live edge.
Expected output
`notBefore` and `notAfter` dates from the served certificate, not merely from a file on disk.
System impact
Read-only, sensitive output. Nothing changes. The command performs a read-only TLS handshake and prints the served certificate dates.
Recovery / rollback: no state is changed.
When to use it
Use when browsers report expiry, monitoring says TLS is invalid, or a deploy may have left the edge serving an old certificate.
When not to use it
Do not inspect local certificate files when the question is what users receive from the live edge.
Watch this command run
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | sed -n '1,8p'
CONNECTED(00000003)
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
-----BEGIN CERTIFICATE-----
FIXTURE-edge
-----END CERTIFICATE-----$ openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
notBefore=Jun 1 00:00:00 2026 GMT
notAfter=Aug 30 23:59:59 2026 GMTView commands shown
These are the commands shown in the sanitized transcript.
Commands shown
openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | sed -n '1,8p'openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -dates
next steps
Related commands
Show TLS Certificate Names
The cert was valid, but not for this hostname.
openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Check the Certificate Served for SNI
The IP was right. The SNI name selected the wrong certificate.
openssl s_client -connect 203.0.113.10:443 -servername wrong.edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Show TLS Protocol and Cipher
The certificate was fine. The TLS negotiation told the rest of the story.
openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | awk '/Protocol|Cipher|Verify return code/ {print}'
Smoke Check an HTTP Status
A deploy is not done until the endpoint answers.
curl -fsS -o /dev/null -w '%{http_code} %{time_total}s\n' https://example.com/health
Compare Authoritative Nameserver Answers
The recursive resolver was not the problem. One nameserver disagreed.
for ns in $(dig +short NS edge.test); do printf '%s ' "$ns"; dig @"$ns" +short edge.test A; done
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.