How I Debug HTTP(S) Shenanigans

September 14, 2020

A common question I field is something along the lines of "what is wrong with this redirect/HTTPS certificate/header?" The person asking is often trying to debug something like their nginx config with their browser.

What I Do (on Linux)

First, DNS

host raylu.net

host comes from the bind9-host package on Debian-based systems. If you need more detail, dig raylu.net ANY. If you think it's a propagation issue, dig +trace raylu.net, but you're probably better off passing your own resolvers like host raylu.net 8.8.4.4 or dig @8.8.4.4 raylu.net.

Second, HTTPS

openssl s_client -connect raylu.net:443 -servername raylu.net < /dev/null | openssl x509 -noout -text -certopt no_header,no_version,no_serial,no_signame,no_pubkey,no_sigdump

I use an alias (OK, technically a shell function).

function https() {
    # $1 is the hostname; it is passed twice on purpose: -connect says where
    # to open the TCP connection, -servername puts the name in the SNI
    # extension so a multi-site server returns the right certificate
    openssl s_client -connect "$1:443" -servername "$1" < /dev/null | \
    openssl x509 -noout -text -certopt \
    no_header,no_version,no_serial,no_signame,no_pubkey,no_sigdump
}

Why do you need to pass the hostname twice? -connect only says where to open the TCP connection; -servername is for SNI, the name sent in the TLS ClientHello that lets a server hosting several sites pick the right certificate.
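The same check done with Python's standard ssl module, as an added example that is not from the post: it fetches the leaf certificate with and without SNI (the -noservername case), lists the SAN names, checks whether the hostname is covered, and reports days to expiry. All function names here are this example's own; raylu.net is only used as the default host because the post uses it.

```python
import socket
import ssl
import sys
import time

def fetch_cert(host, port=443, server_name=None, timeout=5.0):
    """Leaf cert as a dict (what getpeercert() gives). server_name=None sends
    no SNI, like `openssl s_client -noservername`: a multi-site server may
    then answer with its default certificate instead of the one you expect."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # names are checked by hostname_matches()
    ctx.verify_mode = ssl.CERT_REQUIRED  # but the chain must still be trusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()

def san_names(cert):
    """DNS names from subjectAltName; the CN is ignored, as browsers do."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def hostname_matches(cert, hostname):
    """True if hostname is covered by a SAN; '*' covers exactly one label."""
    hostname = hostname.lower().rstrip(".")
    for name in san_names(cert):
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                      # e.g. ".raylu.net"
            if hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]:
                return True
        elif name == hostname:
            return True
    return False

def days_until_expiry(cert, now=None):
    """Days left on the cert; negative means it has already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def sni_report(host):
    """Compare what the server presents with and without SNI."""
    with_sni = fetch_cert(host, server_name=host)
    try:
        without = fetch_cert(host)
    except ssl.SSLError:                 # some servers refuse no-SNI handshakes
        without = {}
    return {"with_sni": san_names(with_sni), "without_sni": san_names(without),
            "sni_required": not hostname_matches(without, host),
            "days_left": days_until_expiry(with_sni)}

if __name__ == "__main__":
    print(sni_report(sys.argv[1] if len(sys.argv) > 1 else "raylu.net"))
```

sni_required is True when the certificate served without SNI does not cover the hostname, which is exactly the case the openssl alias is meant to surface.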

Third, actual HTTP

curl -I https://raylu.net

If you think the HEAD request behaves differently from the GET,

curl -i https://raylu.net -D - -o /dev/null -s

That one time I needed HTTP/2

nghttp https://raylu.net -nv

It comes from the nghttp2-client package on Debian-based systems.

macOS notes

Testing HTTPS/TLS on macOS is fraught because macOS ships LibreSSL, which doesn't implement TLS 1.3, or at best has very shaky support for it. TLS 1.2 doesn't require SNI, so don't be a fool like me and check for SNI issues with openssl s_client -noservername.

Windows notes

Just use WSL.

Chrome notes

If you accidentally cached an HSTS header, chrome://net-internals/#hsts.