Third-party-Tools to check your configuration

If you want to create a certificate, check your website, or find hidden problems in your configuration, one of the following tools may be helpful. Some are small, some check a lot of things. Trouble understanding the results? Start a new topic in #help.


  1. Tools from active forum members:

1.1. Letsdebug - @_az

https://letsdebug.net/

Checks a lot of things if certificate creation doesn’t work. Options: HTTP / DNS checks. The main page is

https://tools.letsdebug.net/

with a Certificate Transparency search that removes duplicate pre-certificate/leaf versions, and some other features.

1.2 Unboundtest - Unbound DNS checker - @jsha

https://unboundtest.com/

Use this server to make DNS queries against an Unbound instance and get logs. The Unbound instance is configured very similarly to Let’s Encrypt’s production servers, and is started fresh for each query so there are no caching effects.

1.3 Check your website - @JuergenAuer

Checks http / https / non-www / www to find wrong redirects and loops. Shows nameservers, IPv4 + IPv6, DNSSEC, certificates, incomplete chains, connection settings, other DNS records (TXT, CAA), mixed content, EDNS.

Check IPv4, IPv6, add a non-standard port (5001, 8080 to check a Synology or Speedtest configuration). Add a hostname, so you can check a new IPv4/IPv6 address without having a DNS A or AAAA record.

Two Certificate Transparency monitors (CertSpotter + crt.sh). The list removes pre-certificates and shows whether a rate limit has been hit. The Subresource Integrity check shows possible integrity hash values.


  2. Certificate Transparency Logs:

Google: https://transparencyreport.google.com/https/certificates

CRT / Comodo: https://crt.sh/

Use one of these search engines to find your certificates. Both log precertificates and leaf certificates, so creating one certificate -> two entries. Helpful if you don’t understand an expiration mail (see https://letsencrypt.org/docs/expiration-emails/).

  3. Checking your DNS CAA configuration:

https://sslmate.com/caa/

Use “Load Current Policy” to check whether your CAA entry is correct. If your domain name is www.example.com, check www.example.com, example.com and com.

  4. Checking your DNSSEC configuration:

https://dnssec-analyzer.verisignlabs.com/

http://dnsviz.net/ - graphical output

  5. Tools to check your DNS propagation:

https://tools.keycdn.com/ - with IPv6, curl and other online checks, certificate request check

https://dnschecker.org/ - allows A, AAAA, TXT and CAA checks

https://mxtoolbox.com/NetworkTools.aspx - mail server, DNS and other checks

  6. The Public Suffix List:

https://publicsuffix.org/list/public_suffix_list.dat

If you want to get a Let’s Encrypt certificate, your domain must end with a public suffix.

  7. If you want a certificate to secure your internal server, but you don’t have a domain name: there are some free domain providers.

https://www.freenom.com/

Some of them have limitations, so if you have an important project, don’t use them.


You’ve got a new certificate. Now check your installation:

  1. Global SSL configuration:

https://www.ssllabs.com/ssltest/

The main reference for checking your SSL configuration.

  2. The Mozilla website check - SSL and other parts

https://observatory.mozilla.org/

  3. Mozilla SSL Configuration Generator (Linux)

https://mozilla.github.io/server-side-tls/ssl-config-generator/

  4. IISCrypto (Windows 8 / 12 / 16)

https://www.nartac.com/Products/IISCrypto

  5. Check your mixed content warnings: Firefox or Chrome (desktop), then Ctrl + Shift + I and open the console. The wrong links are listed there.

  6. Online:

https://www.whynopadlock.com/

Has one limit: it doesn’t understand my own Let’s Encrypt EC-384 bit certificate. EC-256 works.


If you use cPanel, Plesk, Synology DiskStation Manager (DSM) or pfSense: these tools have integrated solutions to create and install Let’s Encrypt certificates, so it’s the best idea to use these tools. Don’t mix them with command line tools.

cPanel:

https://documentation.cpanel.net/display/CKB/The+Let's+Encrypt+Plugin

Synology:

https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/connection_certificate

https://forum.synology.com/enu/

Plesk:

https://docs.plesk.com/en-US/onyx/reseller-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/getting-free-ssltls-certificate-from-lets-encrypt.77233/

pfSense:

https://www.netgate.com/docs/pfsense/certificates/acme-package.html

Cloudflare:

If you want to use Cloudflare with https, you must have a valid certificate. Two options:

  • Use the integrated Cloudflare solution with a (not publicly trusted) internal Cloudflare certificate to encrypt the traffic Your Server <–> Cloudflare. See https://blog.cloudflare.com/cloudflare-ca-encryption-origin/
  • Create a Let’s Encrypt certificate, then activate Cloudflare. If you have Cloudflare activated or if your Let’s Encrypt certificate is expired -> deactivate Cloudflare or use dns-01 validation to create a new Let’s Encrypt certificate. You can’t use Cloudflare with an expired LE certificate and http-01 validation.

Additional stuff:

  1. The Google HSTS Preload list

https://hstspreload.org/

Requires a Strict-Transport-Security header; domains are added to the Chrome source code. Then browsers load the domain only via https.

  2. Static pages with configurations (no interactive online check):

https://weakdh.org/sysadmin.html

https://cipherli.st/

https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

  3. Certificate Transparency search engine with API: https://censys.io/

  4. EDNS check:

https://ednscomp.isc.org/

Checks for correct answers if the DNS query contains EDNS OPT records.

  5. DANE check and hash calculation

https://www.huque.com/bin/danecheck

  6. Subresource Integrity hash calculation (hash check is included in my own tool)

https://www.srihash.org/


Ideas, questions, other tools? Send a message or use the contact form of my profile link. Or use this topic:

Third-party-Tools to check your configuration - Discussion