
Web Server Rescue

Show TLS Certificate Dates

You need to read the validity window of the TLS certificate that is actually being served.

Command

openssl s_client -connect edge.test:443 -servername edge.test </dev/null | openssl x509 -noout -dates

What changed

Nothing changes. The command performs a read-only TLS handshake and prints certificate dates.

Danger

safe

When to use it

Use when browsers report certificate expiry or a monitoring check says TLS is invalid.

When not to use it

Do not use local certificate files when you need to know what the edge is actually serving.

Undo or recovery

No undo needed because this command is read-only.

Expected output

notBefore and notAfter dates from the served certificate.

demo script

Disposable terminal steps

  1. openssl s_client -connect edge.test:443 -servername edge.test </dev/null | sed -n '1,8p'
  2. openssl s_client -connect edge.test:443 -servername edge.test </dev/null | openssl x509 -noout -dates

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ openssl s_client -connect edge.test:443 -servername edge.test </dev/null | sed -n '1,8p'
CONNECTED(00000003)
Protocol  : TLSv1.3
Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
-----BEGIN CERTIFICATE-----
FIXTURE-edge
-----END CERTIFICATE-----
::exit-code::0
$ openssl s_client -connect edge.test:443 -servername edge.test </dev/null | openssl x509 -noout -dates
notBefore=Jun  1 00:00:00 2026 GMT
notAfter=Aug 30 23:59:59 2026 GMT
::exit-code::0
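
To turn the two dates into a check result, the added example below (not part of the original lesson) classifies `-dates` output against a reference time. The function name `cert_window_status`, the 14-day warning threshold and the reference date are assumptions, and it relies on GNU `date -d`.

```sh
#!/bin/sh
# cert_window_status: classify `openssl x509 -noout -dates` output read on stdin.
#   $1  reference time in epoch seconds (default: now)
#   $2  warning threshold in days (default: 14, an assumed value)
# Prints: ok | expiring | expired | not-yet-valid | unparsable
# Returns: 0 for ok, 1 for any validity problem, 2 when no dates could be read.
# Assumes GNU date (for `date -d`).
cert_window_status() {
    now=${1:-$(date -u +%s)}
    warn_days=${2:-14}
    nb=
    na=
    while IFS= read -r line; do
        case $line in
            notBefore=*) nb=${line#notBefore=} ;;
            notAfter=*)  na=${line#notAfter=} ;;
        esac
    done
    # Empty input usually means the handshake failed upstream; never report "ok" for it.
    if [ -z "$nb" ] || [ -z "$na" ]; then
        echo unparsable
        return 2
    fi
    nb_s=$(date -u -d "$nb" +%s 2>/dev/null) || { echo unparsable; return 2; }
    na_s=$(date -u -d "$na" +%s 2>/dev/null) || { echo unparsable; return 2; }
    if [ "$now" -lt "$nb_s" ]; then echo not-yet-valid; return 1; fi
    if [ "$now" -gt "$na_s" ]; then echo expired; return 1; fi
    if [ $(( (na_s - now) / 86400 )) -lt "$warn_days" ]; then
        echo expiring
        return 1
    fi
    echo ok
}

# Dates from the simulated output above, checked against a constructed
# reference time of 2026-08-20 00:00:00 UTC (10 full days before notAfter).
printf 'notBefore=Jun  1 00:00:00 2026 GMT\nnotAfter=Aug 30 23:59:59 2026 GMT\n' \
    | cert_window_status "$(date -u -d '2026-08-20 00:00:00' +%s)" || true

# Live use, with the lesson's command as the input:
#   openssl s_client -connect edge.test:443 -servername edge.test </dev/null \
#     | openssl x509 -noout -dates | cert_window_status
```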

YouTube Short

Read served cert dates.

Check the certificate the edge actually serves, not just the file you think Nginx uses.

LinkedIn hook

The outage was not the web server. The edge certificate had expired.

Question: Do you inspect the served certificate or the local cert file first?

experiments

A/B tests to run

Metric: save_rate

A: The served cert expired.

B: Read dates from the handshake.