
Web Server Rescue

Check the Certificate Served for SNI

You need to prove which certificate an edge returns for a specific SNI hostname.

Command

openssl s_client -connect 203.0.113.10:443 -servername wrong.edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName

What changed

Nothing changes. The command performs a read-only TLS handshake with an explicit server name.

Danger

safe

When to use it

Use when the same IP serves multiple sites or a CDN returns the default certificate.

When not to use it

Do not omit -servername when testing hostname-specific TLS behavior.

Undo or recovery

No undo needed because this command is read-only.

Expected output

The certificate identity fields selected by the requested SNI name.

demo script

Disposable terminal steps

  1. openssl s_client -connect 203.0.113.10:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
  2. openssl s_client -connect 203.0.113.10:443 -servername wrong.edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
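As an added example (not part of the lesson), the same openssl pipeline wrapped in a POSIX sh helper that also checks whether the SAN list of the returned certificate actually covers the requested SNI name, including the one-label wildcard rule; the function names and the name-matching logic are assumptions of this example, and it assumes OpenSSL 1.1.1 or later for x509 -ext.

```shell
#!/bin/sh
# Added example: probe which certificate an edge returns for a given SNI name
# and decide whether that certificate covers the name we asked for.

# Print subject and SAN extension of the certificate returned for name $3 at $1:$2.
cert_for_sni() {
    ip=$1; port=$2; name=$3
    # </dev/null closes stdin so s_client exits right after the handshake;
    # 2>/dev/null hides handshake chatter that is not part of the certificate.
    openssl s_client -connect "$ip:$port" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# Turn a SAN line such as "    DNS:edge.test, DNS:www.edge.test" into one
# bare DNS name per line (other SAN types such as IP: are ignored).
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Return 0 when the requested name $2 is covered by the SAN line $1.
# A wildcard entry matches exactly one label left of the dot (RFC 6125 style),
# so *.edge.test covers www.edge.test but neither edge.test nor a.b.edge.test.
san_covers_name() {
    san_line=$1; want=$2
    for entry in $(san_dns_names "$san_line"); do
        case $entry in
            '*.'*)
                suffix=${entry#\*.}
                rest=${want#*.}   # requested name with its first label removed
                if [ "$rest" = "$suffix" ] && [ "$rest" != "$want" ]; then
                    return 0
                fi
                ;;
            *)
                [ "$entry" = "$want" ] && return 0
                ;;
        esac
    done
    return 1
}

# Run the probe and report a mismatch (exit 2) when the edge answered with a
# default or unrelated certificate instead of one for the SNI name.
check_sni() {
    out=$(cert_for_sni "$1" "$2" "$3") || return 1
    printf '%s\n' "$out"
    san=$(printf '%s\n' "$out" | grep 'DNS:' || true)
    san_covers_name "$san" "$3" || { echo "MISMATCH: cert does not cover $3" >&2; return 2; }
}
```

Run it as `check_sni 203.0.113.10 443 wrong.edge.test`; against the simulated output above it prints the default certificate and exits 2, while `edge.test` exits 0.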

simulated output

What it looks like

$ openssl s_client -connect 203.0.113.10:443 -servername edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
subject=CN = edge.test
X509v3 Subject Alternative Name:
    DNS:edge.test, DNS:www.edge.test
$ openssl s_client -connect 203.0.113.10:443 -servername wrong.edge.test </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
subject=CN = default.edge-fixture.test
X509v3 Subject Alternative Name:
    DNS:default.edge-fixture.test

YouTube Short

Test TLS with SNI.

On shared edge IPs, the server name chooses the certificate. Test with SNI before blaming DNS.

LinkedIn hook

The IP was right. The SNI name selected the wrong certificate.

Question: Have you debugged a TLS issue that was really missing or wrong SNI?

experiments

A/B tests to run

Metric: comment_rate

A: SNI selected the wrong cert.

B: Test the server name explicitly.