How I Debug HTTP(S) Shenanigans
September 14, 2020
A common question I field is something along the lines of "what is wrong with this redirect/HTTPS certificate/header?" The person asking is often trying to debug something like their nginx config with their browser.
What I Do (on Linux)
First, DNS
host raylu.net
host comes from the bind9-host package on Debian-based systems.
If you need more detail, dig raylu.net ANY.
If you think it's a propagation issue, dig +trace raylu.net, but you're probably better off passing your own resolvers like host raylu.net 8.8.4.4 or dig @8.8.4.4 raylu.net.
Second, HTTPS
openssl s_client -connect raylu.net:443 -servername raylu.net < /dev/null | openssl x509 -noout -text -certopt no_header,no_version,no_serial,no_signame,no_pubkey,no_sigdump
I use an alias (OK, technically a shell function).
# Print the interesting certificate fields (issuer, validity, subject, extensions) for host $1.
https() {
    openssl s_client -connect "$1:443" -servername "$1" < /dev/null | \
        openssl x509 -noout -text -certopt \
        no_header,no_version,no_serial,no_signame,no_pubkey,no_sigdump
}
Why do you need to pass the hostname twice?
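-connect says where to open the TCP connection. -servername is for SNI: it sets the name sent in the TLS handshake, which the server uses to pick the certificate it presents.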
Third, actual HTTP
curl -I https://raylu.net
If you think the HEAD request behaves differently from the GET,
curl -i https://raylu.net -D - -o /dev/null -s
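When the question is "what is wrong with this redirect/header?", it helps to boil the output of curl -sIL down to one line per hop. The following is an added example, not part of the original post; summarize_hops, sample_headers and the example.test host are hypothetical, and the sample headers are constructed.

```bash
# Added example: summarise `curl -sIL URL` output (read on stdin), one line per hop.
# $1 is the URL that was requested; function names and hosts are hypothetical.
summarize_hops() {
    tr -d '\r' | awk -v url="$1" '
        function emit() {
            if (status == "") return
            # Resolve a path-only Location against the current origin.
            if (loc ~ /^\// && match(url, "^[a-z]+://[^/]*"))
                loc = substr(url, 1, RLENGTH) loc
            note = ""
            if (url ~ /^https:/ && loc ~ /^http:/) note = " DOWNGRADE"
            # Final HTTPS response that sets no HSTS policy.
            if (url ~ /^https:/ && loc == "-" && hsts == "no") note = " NO-HSTS"
            printf "%s %s -> %s hsts=%s%s\n", status, url, loc, hsts, note
            if (loc != "-") url = loc
            status = ""
        }
        /^HTTP\// { emit(); status = $2; loc = "-"; hsts = "no"; next }
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "location") loc = value
            if (name == "strict-transport-security") hsts = "yes"
        }
        END { emit() }
    '
}

# Constructed sample of `curl -sIL http://example.test/` output.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Location: https://example.test/

HTTP/2 302
location: /login
strict-transport-security: max-age=31536000

HTTP/2 200
content-type: text/html
EOF
}

sample_headers | summarize_hops http://example.test/
```

Against a live site the same function is fed with curl -sIL URL | summarize_hops URL.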
That one time I needed HTTP/2
nghttp https://raylu.net -nv
It comes from the nghttp2-client package on Debian-based systems.
macOS notes
Testing HTTPS/TLS on macOS is fraught because macOS ships LibreSSL, which has very shaky support for TLS 1.3.
TLS 1.2 doesn't require SNI, so don't be a fool like me and check for SNI issues with openssl s_client -noservername.
Windows notes
Just use WSL.
Chrome notes
If you accidentally cached an HSTS header, clear it at chrome://net-internals/#hsts.