OpenSSL checks
openssl s_client is useful when you need to inspect the TLS layer itself: certificate, SNI, ALPN, chain, expiry, and listener behavior.
curl answers “what does HTTP return”.
openssl answers “how does TLS behave”.
Quick public TLS check
openssl s_client -connect getsrv.app:443 -servername getsrv.app -alpn h2 -brief </dev/null
Look at:
Protocol version
Ciphersuite
Peer certificate
Verification
ALPN protocol
Healthy result:
- handshake completes;
- no critical certificate verification error;
- expected ALPN is negotiated;
- certificate matches the requested name.
Show certificate chain
openssl s_client -connect getsrv.app:443 -servername getsrv.app -showcerts </dev/null
This prints the certificate chain. Use it when you suspect an incomplete or wrong fullchain.
Check a local TLS listener
openssl s_client -connect 127.0.0.1:7443 -servername getsrv.app -alpn h2 -brief </dev/null
This checks the local Nginx listener directly, without the public route.
If the local check passes but the public check fails, the issue may be above Nginx: edge listener, routing, firewall, or another TLS layer.
Check certificate expiry
openssl x509 -in /etc/letsencrypt/live/getsrv.app/fullchain.pem -noout -dates
Example:
notBefore=...
notAfter=...
Watch notAfter. If it is close, check the renewal path.
Check subject and issuer
openssl x509 -in /etc/letsencrypt/live/getsrv.app/fullchain.pem -noout -subject -issuer
subject shows who the certificate is for.
issuer shows who issued it.
Check SAN
openssl x509 -in /etc/letsencrypt/live/getsrv.app/fullchain.pem -noout -ext subjectAltName
SAN should contain the expected names.
Example:
DNS:getsrv.app
DNS:www.getsrv.app
If a name is missing from SAN, browsers will reject the certificate for that name.
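The expiry and SAN checks above, turned into a single pass/fail function for cron or monitoring. This is an added example, not part of the original page: check_cert, make_sample_cert and the example.test certificate are constructed for illustration, and it assumes an OpenSSL that supports -checkend, -checkhost and -addext (1.1.1 or later).

```shell
#!/bin/sh
# Added example: automate the expiry and SAN checks for a certificate file.
# check_cert FILE NAME [MIN_DAYS]   (hypothetical helper, not from the page)
#   0 = OK
#   1 = notAfter is within MIN_DAYS (or already past)
#   2 = NAME is not covered by the certificate
#   3 = FILE is missing or not a readable certificate
check_cert() {
    cert=$1; name=$2; min_days=${3:-14}

    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 3

    # -checkhost applies TLS hostname matching (SAN entries, wildcards).
    openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null \
        | grep -q 'does match certificate' || return 2

    # -checkend exits non-zero when notAfter falls inside the window (seconds).
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 1
    return 0
}

# Constructed sample input: throwaway self-signed certificate for
# example.test and www.example.test, valid for DAYS days.
make_sample_cert() {
    out=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
        2>/dev/null && rm -f "$out.key"
}

# Demo: a certificate with 5 days left, checked against a 14-day margin.
demo=$(mktemp -d)
make_sample_cert "$demo/cert.pem" 5
for name in www.example.test api.example.test; do
    rc=0
    check_cert "$demo/cert.pem" "$name" 14 || rc=$?
    echo "$name: rc=$rc"
done
rm -rf "$demo"
```

Against the live file this would be called as check_cert /etc/letsencrypt/live/getsrv.app/fullchain.pem getsrv.app 14; openssl x509 reads only the first certificate in the file, which in a fullchain is the leaf.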
Check the certificate served publicly through SNI
echo | openssl s_client -connect getsrv.app:443 -servername getsrv.app 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates -ext subjectAltName
This checks the certificate actually served by the public endpoint.
Check ALPN
openssl s_client -connect getsrv.app:443 -servername getsrv.app -alpn h2,http/1.1 -brief </dev/null
If h2 is negotiated, the output will show the selected ALPN protocol.
Common problem signals
Certificate verify error
Common reasons:
- incomplete chain;
- outdated client CA bundle;
- expired certificate;
- checking the wrong hostname.
Wrong certificate
Common reasons:
- wrong server_name;
- request reached the wrong listener;
- SNI was not sent;
- several TLS services share the same IP and the wrong default was selected.
Local OK, public broken
If this works:
openssl s_client -connect 127.0.0.1:7443 -servername getsrv.app -brief </dev/null
but this does not:
openssl s_client -connect getsrv.app:443 -servername getsrv.app -brief </dev/null
check the external layer and routing to local Nginx.
Minimal check set
openssl s_client -connect getsrv.app:443 -servername getsrv.app -alpn h2 -brief </dev/null
openssl x509 -in /etc/letsencrypt/live/getsrv.app/fullchain.pem -noout -subject -issuer -dates
openssl x509 -in /etc/letsencrypt/live/getsrv.app/fullchain.pem -noout -ext subjectAltName
curl -kI https://getsrv.app/
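If these commands return expected results, the basic TLS layer is healthy. Note that curl -k skips certificate verification, so the curl line only confirms the HTTP response; the Verification line from s_client is what confirms the chain.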