Web Server Rescue

Risk: safe

Check the Certificate Served for SNI

You need to prove which certificate an edge returns for a specific SNI hostname.

Command

openssl s_client -connect 203.0.113.10:443 -servername wrong.edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName

Before you run this

Risk: safe. Do not omit -servername when testing hostname-specific TLS behavior.

Expected output

The certificate identity fields selected by the requested SNI name.

System impact

Nothing changes. The command performs a read-only TLS handshake with an explicit server name.

Recovery / rollback: no state is changed.

When to use it

Use when the same IP serves multiple sites or a CDN returns the default certificate.

When not to use it

Do not omit -servername when testing hostname-specific TLS behavior.

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

$ openssl s_client -connect 203.0.113.10:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName

subject=CN = example.com
X509v3 Subject Alternative Name:
    DNS:example.com, DNS:example.com

$ openssl s_client -connect 203.0.113.10:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName

subject=CN = example.com
X509v3 Subject Alternative Name:
    DNS:example.com

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. openssl s_client -connect 203.0.113.10:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
  2. openssl s_client -connect 203.0.113.10:443 -servername wrong.edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
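An added example, not part of the original lesson: these shell functions read the output of the command above and report whether the requested SNI name is covered by the returned certificate's DNS SAN entries, which is how a default-certificate fallback shows up. The function names and the sample output are constructed for illustration; only SAN entries are compared, and a wildcard is assumed to match exactly one left-most label.

```shell
# Added example, not the lesson's own code; function names are hypothetical.
# san_names: print each DNS SAN from `openssl x509 -noout -subject -ext subjectAltName`
# output on stdin, one per line, lower-cased. The subject CN is deliberately ignored.
san_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | tr '[:upper:]' '[:lower:]'
}

# san_covers HOST: exit 0 if HOST matches a DNS SAN read from stdin. A wildcard
# counts only as the whole left-most label and stands for exactly one label.
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ -n "$host" ] || return 1
    names=$(san_names)
    while IFS= read -r name; do
        case $name in
            "$host") return 0 ;;
            '*.'*)
                rest=${host#*.} suffix=${name#\*.}   # HOST minus first label; SAN minus "*."
                if [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]; then return 0; fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# sni_verdict HOST: turn the same output (stdin) into a one-line finding.
sni_verdict() {
    out=$(cat)
    if printf '%s\n' "$out" | san_covers "$1"; then
        echo "match: $1"
    else
        served=$(printf '%s\n' "$out" | san_names | tr '\n' ' ')
        echo "mismatch: $1 not in [${served% }]"
    fi
}

# check_sni IP HOST: run the lesson's handshake against IP with SNI set to HOST.
check_sni() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -ext subjectAltName | sni_verdict "$2"
}

# Constructed sample output, not captured from a real host.
SAMPLE='subject=CN = edge.test
X509v3 Subject Alternative Name:
    DNS:edge.test, DNS:*.static.edge.test'
printf '%s\n' "$SAMPLE" | sni_verdict img.static.edge.test   # wildcard, one label
printf '%s\n' "$SAMPLE" | sni_verdict wrong.edge.test        # not covered
```

Against a live edge, `check_sni 203.0.113.10 wrong.edge.test` runs the lesson's command and prints the verdict; a mismatch line listing another site's names indicates the edge fell back to its default certificate.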

Next steps

Related commands

Web Server Rescue Risk: safe

Show TLS Certificate Names

The cert was valid, but not for this hostname.

openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName

Web Server Rescue Risk: safe

Show TLS Certificate Dates

The outage was not the web server. The edge certificate had expired.

openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -dates

Web Server Rescue Risk: safe

Show TLS Protocol and Cipher

The certificate was fine. The TLS negotiation told the rest of the story.

openssl s_client -connect edge.test:443 -servername edge.test </dev/null 2>/dev/null | awk '/Protocol|Cipher|Verify return code/ {print}'

Web Server Rescue Risk: safe

Find Large Directories with du

Once you know a filesystem is full, the next question is where.

du -xh --max-depth=1 /var 2>/dev/null | sort -h

Web Server Rescue Risk: safe

Smoke Check an HTTP Status

A deploy is not done until the endpoint answers.

curl -fsS -o /dev/null -w '%{http_code} %{time_total}s\n' https://example.com/health

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:109-networking
  • lfcs:networking
  • lfcs:services-logs
  • linuxplus:provisional
  • linuxplus:troubleshooting
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.