If you have trouble creating a Letsencrypt certificate, one of the following tools may be helpful.
- Certificate Transparency Logs:
CRT / Comodo: https://crt.sh/
Use one of these search engines to find your certificates. Both log precertificates and leaf certificates, so creating one certificate produces two entries. Helpful if you don’t understand an expiration mail (see https://letsencrypt.org/docs/expiration-emails/ ).
- IPv4 / IPv6 - Check - @_az
Useful if you have both DNS records (A and AAAA) but your webserver has only an IPv4 vHost. The main page is
with a Certificate Transparency search that removes duplicated pre/leaf-versions and some other features.
- Redirects, loop detection, answers of /.well-known/acme-challenge/testfile
My own tool, created to make testing sites easier and to find redirect loops after running certbot. It takes one domain name as input and checks six URLs plus their redirects.
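As an added illustration of the check described above (example code, not the author's tool), the following Python follows each redirect by hand and flags loops, unreachable hosts and over-long chains. The choice of six URLs, the test-file name and the fake server responses are assumptions made for this example; `http_fetch` is a plain urllib client for real use.

```python
import urllib.request, urllib.error, urllib.parse

CHALLENGE_PATH = "/.well-known/acme-challenge/testfile"   # assumed test-file name

def build_test_urls(domain):
    # Assumed six URLs: bare and www host via http and https, plus the http challenge file on both.
    hosts = (domain, "www." + domain)
    urls = [f"{scheme}://{h}/" for scheme in ("http", "https") for h in hosts]
    return urls + [f"http://{h}{CHALLENGE_PATH}" for h in hosts]

def follow_redirects(url, fetch, max_hops=10):
    # fetch(url) -> (status, Location|None) for ONE request; returns (verdict, last status, chain).
    chain = [url]
    while True:
        try:
            status, location = fetch(url)
        except OSError:                      # DNS failure, refused, timeout
            return "error", None, chain
        if not (300 <= status < 400 and location):
            return "ok", status, chain       # chain ended (200, 404, 403 ...)
        url = urllib.parse.urljoin(url, location)   # Location may be relative
        chain.append(url)
        if chain.count(url) > 1:             # seen before: redirect loop
            return "loop", status, chain
        if len(chain) > max_hops:
            return "too-many-hops", status, chain

def http_fetch(url, timeout=10):
    # Real single request with urllib; a 3xx is reported back, not followed.
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        redirect_request = lambda *args, **kwargs: None   # urllib raises HTTPError
    try:
        return urllib.request.build_opener(NoRedirect).open(url, timeout=timeout).status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

FAKE_SITE = {   # constructed responses standing in for a real server (offline demo)
    "http://example.com/": (301, "https://example.com/"),
    "https://www.example.com/": (301, "//example.com/"),          # relative Location
    "https://example.com/": (200, None),
    "http://example.com" + CHALLENGE_PATH: (404, None),          # file absent: fine
    "http://www.example.com" + CHALLENGE_PATH: (302, "https://www.example.com" + CHALLENGE_PATH),
    "https://www.example.com" + CHALLENGE_PATH: (302, "http://www.example.com" + CHALLENGE_PATH),
}   # http://www.example.com/ has no entry, so it behaves like a host without an A record

def fake_fetch(url):
    if url not in FAKE_SITE:
        raise OSError("no such host or path: " + url)
    return FAKE_SITE[url]
```

A 404 on the challenge test file is the expected answer; a loop or a redirect chain that never ends on the challenge path is what breaks http-01 validation.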
- Checking your DNS CAA configuration:
Use “Load Current Policy” to check if your CAA entry is correct. If your domain name is
- Checking your DNSSEC configuration.
- Tools to check your DNS propagation:
https://tools.keycdn.com/ - with IPv6, curl and other online checks, plus a certificate request check
https://dnschecker.org/ - allows A, AAAA, TXT and CAA checks
https://mxtoolbox.com/NetworkTools.aspx - mail server, DNS and other checks
- The Public Suffix List:
If you want to get a Letsencrypt certificate, your domain must end with a public suffix.
- If you want a certificate to secure your internal server, but you don’t have a domain name: there are some free domain providers.
Some of them have limitations, so if you have an important project, don’t use them.
You’ve got a new certificate. Now check your installation:
- Global SSL configuration:
The main reference to check your SSL configuration.
- The Mozilla website check - SSL and other parts
- Mozilla SSL Configuration Generator (Linux)
- IISCrypto (Windows 8 / 12 / 16)
Check your mixed-content warnings: in Firefox or Chrome (desktop), press Ctrl + Shift + I and open the console; the offending links are listed there.
One limitation: it doesn’t understand my own Letsencrypt EC-384 bit certificate. EC-256 works.
If you use cPanel, Plesk, Synology DiskStation Manager (DSM) or pfSense: these tools have integrated solutions to create and install Letsencrypt certificates, so it’s best to use them. Don’t mix them with command line tools.
- The Google HSTS Preload list
Requires a Strict-Transport-Security header; domains are added to the Chrome source code, and browsers then load the domain only via HTTPS.
- Static pages with configurations (no interactive online check):
- Certificate Transparency Search Engine with API: https://censys.io/
Ideas, questions, other tools? Send a message or use the contact form of my profile link. Or use this topic: