Third-party-Tools to check your configuration


#1

If you have trouble creating a Letsencrypt certificate, one of the following tools may be helpful.

  1. Certificate Transparency Logs:

Google: https://transparencyreport.google.com/https/certificates

CRT / Comodo: https://crt.sh/

Use one of these search engines to find your certificates. Both are logging precertificates and leaf certificates. So creating one certificate -> two entries. Helpful if you don’t understand an expiration mail (see https://letsencrypt.org/docs/expiration-emails/ ).

  2. IPv4 / IPv6 - Check - @_az

https://letsdebug.net/

Useful if you have both DNS records (A and AAAA), but your webserver has only an IPv4 vHost. The main page is

https://tools.letsdebug.net/

with a Certificate Transparency search that removes duplicated pre/leaf versions and some other features.

  3. Redirects, loop detection, answers of /.well-known/acme-challenge/testfile

Own tool, created to make testing sites easier and to find loops after running certbot. One domain name as input; six URLs + redirects are checked.

  4. Checking your DNS CAA configuration:

https://sslmate.com/caa/

Use “Load Current Policy” to check if your CAA entry is correct. If your domain name is www.example.com, check www.example.com, example.com and com.

  5. Checking your DNSSEC configuration:

https://dnssec-analyzer.verisignlabs.com/

  6. Tools to check your DNS propagation:

https://tools.keycdn.com/ - with IPv6, curl and other online checks, certificate request check

https://dnschecker.org/ - allows A, AAAA, TXT and CAA checks

https://mxtoolbox.com/NetworkTools.aspx - mailserver, DNS and other checks

  7. The Public Suffix List:

https://publicsuffix.org/list/public_suffix_list.dat

If you want to get a Letsencrypt certificate, your domain must end with a public suffix.

  8. If you want a certificate to secure your internal server, but you don’t have a domain name: There are some free domain providers.

https://www.freenom.com/

Some of them have limitations. So if you have an important project, don’t use them.


You’ve got a new certificate. Now check your installation:

  1. Global SSL configuration:

https://www.ssllabs.com/ssltest/

The main reference to check your SSL configuration.

  2. The Mozilla website check - SSL and other parts

https://observatory.mozilla.org/

  3. Mozilla SSL Configuration Generator (Linux)

https://mozilla.github.io/server-side-tls/ssl-config-generator/

  4. IISCrypto (Windows 8 / 12 / 16)

https://www.nartac.com/Products/IISCrypto

  5. Check your mixed content warnings: Firefox or Chrome (Desktop), then press Ctrl + Shift + I and open the console. The wrong links are listed there.

  6. Online:

https://www.whynopadlock.com/

Has one limit: It doesn’t understand my own Letsencrypt EC-384 bit certificate. EC-256 works.


If you use cPanel, Plesk, Synology DiskStation Manager (DSM) or pfSense: These tools have integrated solutions to create and install Letsencrypt certificates. So it’s the best idea to use these tools. Don’t mix them with command line tools.

cPanel:

https://documentation.cpanel.net/display/CKB/The+Let's+Encrypt+Plugin

Synology:

https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/connection_certificate

https://forum.synology.com/enu/

Plesk:

https://docs.plesk.com/en-US/onyx/reseller-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/getting-free-ssltls-certificate-from-lets-encrypt.77233/

pfSense:

https://www.netgate.com/docs/pfsense/certificates/acme-package.html


Additional stuff:

  1. The Google HSTS Preload list

https://hstspreload.org/

Requires the Strict-Transport-Security header; domains are added to the Chrome source code. Then browsers load the domain only via HTTPS.

  2. Static pages with configurations (no interactive online check):

https://weakdh.org/sysadmin.html

https://cipherli.st/

https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

  3. Certificate Transparency Search Engine with API: https://censys.io/

Ideas, questions, other tools? Send a message or use the contact form of my profile link. Or use this topic:


Third-party-Tools to check your configuration - Discussion
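As an added worked example (not part of the original post or of any tool listed above), here is the CAA climb from item 4 of the first list in Python: starting at www.example.com, the first label in the chain www.example.com -> example.com -> com that publishes CAA records decides whether letsencrypt.org may issue. ZONE is constructed sample data standing in for real DNS answers, and CNAME following is left out as a simplification.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data (not real DNS answers): name -> CAA records
# published at that name. An empty list means "no CAA record at this name".
ZONE: Dict[str, List[str]] = {
    "www.example.com": [],
    "example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "com": [],
}

CAA_RE = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')

def parse_caa(record: str) -> Tuple[int, str, str]:
    """Split '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    m = CAA_RE.match(record.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {record!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def find_relevant_caa(name: str, zone: Dict[str, List[str]]) -> Optional[Tuple[str, List[str]]]:
    """Climb www.example.com -> example.com -> com and return the first name
    that publishes CAA records (RFC 8659 "relevant RRset"); None if nobody does.
    Simplification: CNAME targets are not followed."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None

def ca_permitted(name: str, zone: Dict[str, List[str]], ca: str = "letsencrypt.org",
                 wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether `ca` may issue for `name`, and say why."""
    hit = find_relevant_caa(name, zone)
    if hit is None:
        return True, "no CAA records in chain"
    caa_name, records = hit
    parsed = [parse_caa(r) for r in records]
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in parsed if t == tag]
    if wildcard and not values:  # RFC 8659: issue also governs wildcards if no issuewild
        values = [v for _, t, v in parsed if t == "issue"]
    if not values:  # CAA present (e.g. only iodef) but no issuance restriction
        return True, f"CAA at {caa_name} restricts nothing for {tag}"
    allowed = {v.split(";")[0].strip().lower() for v in values}  # drop parameters after ';'
    if ca in allowed:
        return True, f"{ca} permitted by CAA at {caa_name}"
    return False, f"CAA at {caa_name} does not permit {ca}"
```

With the sample zone, a plain certificate for www.example.com is permitted via the record at example.com, while a wildcard is refused because issuewild ";" forbids every CA.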
#2

3 posts were merged into an existing topic: Third-party-Tools to check your configuration - Discussion

