Third-party-Tools to check your configuration


If you have trouble creating a Let's Encrypt certificate, one of the following tools may be helpful.

  1. Certificate Transparency Logs:


CRT / Comodo:

Use one of these search engines to find your certificates. Both log precertificates and leaf certificates, so creating one certificate produces two entries. Helpful if you don’t understand an expiration mail (see ).

  1. IPv4 / IPv6 - Check - @_az

If you have both DNS records (A and AAAA), but your webserver has only an IPv4 vHost. The main page is

with a Certificate Transparency search that removes duplicated pre/leaf-versions and some other features.

  1. Redirects, loop detection, answers of /.well-known/acme-challenge/testfile

Own tool, created to make it easier to test sites and to find loops after running certbot. One domain name as input; six URLs + redirects are checked.

  1. Checking your DNS CAA configuration:

Use “Load Current Policy” to check if your CAA entry is correct. If your domain name is, check, and com.

  1. Checking your DNSSEC - configuration.

  1. Tools to check your DNS - propagation - with ipv6-, curl- and other online-checks, Certificate-request-check - allows A, AAAA, TXT and CAA - check - mailserver, dns and other checks

  1. The Public Suffix List:

If you want to get a Let's Encrypt certificate, your domain must end with a public suffix.

  1. If you want a certificate to secure your internal server, but you don’t have a domain name: There are some free domain providers.

Some of them have limitations. So if you have an important project, don’t use them.

You’ve got a new certificate. Now check your installation:

  1. Global SSL-configuration:

The main reference to check your SSL-configuration.

  1. The Mozilla website check - SSL and other parts

  1. Mozilla SSL Configuration Generator (Linux)

  1. IISCrypto (Windows 8 / 12 / 16)

  1. Check your mixed content warnings: Firefox or Chrome (Desktop), then Ctrl + Shift + I, open the console. The wrong links are listed there.

  2. Online:

Has one limit: Doesn’t understand my own Let's Encrypt EC-384 bit certificate. EC-256 works.

If you use cPanel, Plesk, Synology DiskStation Manager (DSM) or pfSense: These tools have integrated solutions to create and install Let's Encrypt certificates. So it’s the best idea to use these tools. Don’t mix them with command line tools.





Additional stuff:

  1. The Google HSTS Preload list

Requires the Strict Transport Security header; domains are added to the Chrome source code. Then browsers load the domain only via https.

  1. Static pages with configurations (no interactive online check):

  1. Certificate Transparency Search Engine with API:

Ideas, questions, other tools? Send a message or use the contact form of my profile link. Or use this topic:

Third-party-Tools to check your configuration - Discussion