Web Server Rescue

Read-only, sensitive output

Show TLS Certificate Names

The certificate is unexpired but users still see a hostname warning, so you need to inspect the served subject and SAN names.

Command

openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName

Before you run this

System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.

When not to use it: Do not rely on the common name alone. Modern clients validate SAN names, and SNI can change which certificate is served.

Expected output

Certificate subject plus `subjectAltName` entries, where the hostname users type should appear.

System impact

Read-only, sensitive output. Nothing changes. The command performs a read-only TLS handshake and prints certificate identity fields.

Recovery / rollback: no state is changed.

When to use it

Use when browsers report a hostname mismatch, a CDN serves the wrong certificate, or apex and `www` behave differently.
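The comparison this command supports, as an added example that is not part of the original page: a shell function that reads the `-ext subjectAltName` output and reports whether a hostname is covered by a DNS SAN. It goes slightly beyond the page by applying the single-label wildcard rule; the function names, `SAMPLE_EXT`, and the sample names under `edge.test` are constructed for illustration.

```sh
#!/usr/bin/env bash
# Added example (not from the original page): check whether a hostname is
# covered by the DNS entries that `openssl x509 -noout -ext subjectAltName` prints.

# Constructed sample output; the edge.test names and the IP are placeholders.
SAMPLE_EXT='X509v3 Subject Alternative Name:
    DNS:www.edge.test, DNS:*.api.edge.test, IP Address:203.0.113.10'

# Read x509 -ext output on stdin, print one lowercase DNS SAN per line.
san_dns_names() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# san_covers HOST: read x509 -ext output on stdin; return 0 if a DNS SAN covers HOST.
san_covers() {
  local host names name suffix rest
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=${host%.}                       # ignore a trailing root dot
  [ -n "$host" ] || return 1           # an empty hostname never matches
  names=$(san_dns_names)
  while IFS= read -r name; do
    if [ "$name" = "$host" ]; then return 0; fi   # exact match
    case $name in
      '*.'*)
        suffix=${name#\*}              # "*.api.edge.test" -> ".api.edge.test"
        case $host in
          *"$suffix")
            rest=${host%"$suffix"}     # what the "*" would have to stand for
            case $rest in
              ''|*.*) ;;               # empty or multi-label: not covered
              *) return 0 ;;           # exactly one label: covered
            esac ;;
        esac ;;
    esac
  done <<EOF
$names
EOF
  return 1
}

# Demo over the constructed sample.
for h in edge.test www.edge.test v1.api.edge.test api.edge.test a.b.api.edge.test; do
  if printf '%s\n' "$SAMPLE_EXT" | san_covers "$h"; then
    echo "$h: covered"
  else
    echo "$h: NOT covered"
  fi
done
```

Against a live endpoint, pipe the output of `openssl x509 -noout -ext subjectAltName` from the command above into `san_covers` with the hostname users type. The sample shows why apex and `www` can differ: a certificate listing only `www.edge.test` does not cover `edge.test`, and `*.api.edge.test` covers neither `api.edge.test` nor names two labels deep.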

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

$ openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject

subject=CN = example.com

$ openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName

subject=CN = example.com
X509v3 Subject Alternative Name:
    DNS:example.com, DNS:example.com

Next steps

Related commands

Web Server Rescue Sensitive output

Check the Certificate Served for SNI

The IP was right. The SNI name selected the wrong certificate.

openssl s_client -connect 203.0.113.10:443 -servername wrong.edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName

Web Server Rescue Sensitive output

Show TLS Certificate Dates

The outage was not the web server. The edge certificate had expired.

openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -dates

Web Server Rescue Sensitive output

Show TLS Protocol and Cipher

The certificate was fine. The TLS negotiation told the rest of the story.

openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | awk '/Protocol|Cipher|Verify return code/ {print}'

Web Server Rescue Read-only

Show the DNS Answer TTL

The fix was correct. The TTL explained why users still saw the old edge.

dig +noall +answer edge.test A

Web Server Rescue Can be slow

Find Large Directories with du

Once you know a filesystem is full, the next question is where.

du -xh --max-depth=1 /var 2>/dev/null | sort -h

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:109-networking
  • lfcs:networking
  • lfcs:services-logs
  • linuxplus:provisional
  • linuxplus:troubleshooting
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.