Server Name Indication, DNS & SSL Certificate Troubleshooting Guide Using OpenSSL and DIG [YouTube Release]

Additional Resources:

How To Guide For HAProxy and Let’s Encrypt on pfSense: Detailed Steps for Setting Up Reverse Proxy

pfSense DNS host overrides

Connecting With Us

Lawrence Systems Shirts and Swag

►👕 https://lawrence.video/swag/

AFFILIATES & REFERRAL LINKS

Amazon Affiliate Store
:shopping_cart: Lawrence Systems's Amazon Page

All Of Our Affiliates that help us out and can get you discounts!
:shopping_cart: Affiliates We Love - Lawrence Technology Services

Gear we use on Kit
:shopping_cart: Kit

Use OfferCode LTSERVICES to get 10% off your order at
:shopping_cart: Tech Supply Direct - Refurbished Tech at Unbeatable Prices

Digital Ocean Offer Code
:shopping_cart: DigitalOcean | Cloud Hosting for Builders

HostiFi UniFi Cloud Hosting Service
:shopping_cart: HostiFi - UniFi Cloud Hosting

Protect your privacy with a VPN from Private Internet Access
:shopping_cart: Buy VPN with Credit Card or PayPal | Private Internet Access

Patreon
:moneybag: https://www.patreon.com/lawrencesystems

:stopwatch:Time Stamps :stopwatch:
00:00 :arrow_forward: DNS and Certificate Troubleshooting
00:40 :arrow_forward: What is SNI (Server Name Indication)?
02:33 :arrow_forward: Understanding How Domains Are Structured
04:34 :arrow_forward: DNS Host Overrides
05:17 :arrow_forward: Using DIG for DNS & OpenSSL for Certs

#network #dns #pfsense

@LTS_Tom You mentioned in the video you would list the commands on the forum. Where can we find them?

Here you go:

dig google.com

openssl s_client -servername google.com -host 172.217.0.174 -port 443 < /dev/null

I have been trying to get this going but I run into connect:errno=110

I’m sure I am doing something wrong, if anyone can see what’s wrong I would appreciate it.

I guess my question is why does this make the command, poop the bed?

openssl s_client -servername truenas.my.domain -host 192.168.2.1 -port 443 < /dev/null

(2 minute wait)

140531592963392:error:0200206E:system library:connect:Connection timed out:…/crypto/bio/b_sock2.c:110:
140531592963392:error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
connect:errno=110

What I did

dig truenas.my.domain

; <<>> DiG 9.16.42-Debian <<>> truenas.my.domain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31403
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1352
;; QUESTION SECTION:
;truenas.my.domain. IN A

;; ANSWER SECTION:
truenas.my.domain. 3600 IN A 192.168.2.1

;; Query time: 32 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Fri Aug 18 04:04:33 PDT 2023
;; MSG SIZE rcvd: 62

openssl s_client -servername truenas.my.domain -host 192.168.2.1 -port 443 < /dev/null

140531592963392:error:0200206E:system library:connect:Connection timed out:…/crypto/bio/b_sock2.c:110:
140531592963392:error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
connect:errno=110

However, when I do this

dig buster.my.domain

; <<>> DiG 9.16.42-Debian <<>> buster.my.domain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48092
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1352
;; QUESTION SECTION:
;buster.my.domain. IN A

;; ANSWER SECTION:
buster.my.domain. 3600 IN A 192.168.2.1

;; Query time: 4 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Fri Aug 18 04:23:32 PDT 2023
;; MSG SIZE rcvd: 61

openssl s_client -servername buster.my.domain -host 192.168.2.1 -port 10443 < /dev/null | grep "subject"

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = R3
verify return:1
depth=0 CN = buster.my.domain
verify return:1
DONE
subject=CN = buster.my.domain

Your certificate is only valid for *.buster.my.domain, assuming you have issued a wildcard for buster.my.domain, so truenas.my.domain wouldn’t work with it, but you could use truenas.buster.my.domain.

If you want to use truenas.my.domain you either have to issue a cert for that specific subdomain or a wildcard for my.domain.

Edit:
In order to avoid confusion, sub.domain.tld would be a better way to anonymize your (Fully Qualified) Domain Name.

sub = Subdomain
domain = Domain
tld = Top Level Domain
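Added example, not from Tom's video or from any post in this thread: a small POSIX shell script that wraps the `dig` / `openssl s_client` check from the commands above. It connects with a 5-second timeout, so a port that is firewalled or has nothing listening fails in seconds instead of sitting through the two-minute `connect:errno=110` wait shown earlier, and it then checks whether the DNS names in the served certificate's subjectAltName actually cover the SNI name that was requested, using the standard rule that a wildcard stands for exactly one label (`*.my.domain` covers `truenas.my.domain`, but not `a.b.my.domain` and not `my.domain` itself). It assumes OpenSSL 1.1.1 or later, a `grep` that supports `-A`, and coreutils `timeout`; the host names and addresses in the usage line are placeholders.

```shell
#!/bin/sh
# sni_check.sh (added example): does the certificate a server presents for a
# given SNI name actually cover that name? Assumes OpenSSL 1.1.1+, coreutils
# `timeout`, and a grep that supports -A. Names and addresses are placeholders.

# Lower-case a DNS name; certificate name matching is case-insensitive.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# name_matches PATTERN HOST: does one SAN entry (possibly a wildcard) cover HOST?
# RFC 6125 rule: a leading "*" stands for exactly one label, so "*.my.domain"
# covers "truenas.my.domain" but not "a.b.my.domain" and not "my.domain" itself.
name_matches() {
    pattern=$(lc "$1"); host=$(lc "$2")
    if [ "$pattern" = "$host" ]; then return 0; fi
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*.}          # "*.my.domain"       -> "my.domain"
            prefix=${host%".$suffix"}      # "truenas.my.domain" -> "truenas"
            # HOST must end in ".$suffix" and the remainder must be one non-empty label
            if [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]; then
                return 0
            fi
            ;;
    esac
    return 1
}

# san_dns_names: read `openssl x509 -text` output on stdin, print each DNS SAN on its own line.
san_dns_names() {
    grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# cert_covers_host HOST: read candidate names on stdin (one per line); 0 if any covers HOST.
cert_covers_host() {
    host=$1
    while IFS= read -r n; do
        if name_matches "$n" "$host"; then return 0; fi
    done
    return 1
}

# check_sni NAME IP [PORT]: connect to IP:PORT with SNI=NAME and report the result.
# Connecting by IP means s_client will not derive SNI for you, so -servername is required.
check_sni() {
    name=$1; ip=$2; port=${3:-443}
    echo "resolver says: $name -> $(dig +short "$name" A | tr '\n' ' ')"
    # 5-second timeout instead of the kernel's default connect timeout (~2 minutes).
    if ! pem=$(timeout 5 openssl s_client -connect "$ip:$port" -servername "$name" </dev/null 2>/dev/null \
               | openssl x509 2>/dev/null); then
        echo "$name: no TLS handshake with $ip:$port (timed out, refused, or not TLS on that port)"
        return 2
    fi
    # Modern clients match against the SAN list only; the subject CN is shown for information.
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    names=$(printf '%s\n' "$pem" | openssl x509 -noout -text | san_dns_names)
    if printf '%s\n' "$names" | cert_covers_host "$name"; then
        echo "$name: OK, served certificate ($subject) covers it"
    else
        echo "$name: MISMATCH, served certificate ($subject) only covers: $(printf '%s' "$names" | tr '\n' ' ')"
        return 1
    fi
}

# Usage: sh sni_check.sh truenas.my.domain 192.168.2.1 443
if [ "$#" -ge 2 ]; then
    check_sni "$@"
fi
```

Run it once per name you expect the proxy to serve. A "no TLS handshake" result means the problem is reachability or the listener (wrong IP, wrong port, firewall), not the certificate; a MISMATCH means the handshake works but the certificate HAProxy picked for that SNI name does not list it.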

Sorry for the confusion. The buster cert was from a long time ago; it actually is for the web GUI. I was just trying to show that the command does run, just not for that sub.domain.tld. I guess the question is: can I have a buster.domain.tld and a *.domain.tld cert? Is that the problem? Tom made it look so easy; for some reason I just can't get this going. I guess that's what led me to the forum: the awesome troubleshooting video Tom put out, and for some reason I can't even get it to run, the openssl s_client command on truenas.domain.tld. I know I am doing something completely wrong, I just can't see it. I have watched the 2 videos 8 times each at this point. Below I have posted what I have; I understand if it's too much of a mess to try to figure out.

I do have a wildcard cert issued now
Mode Domainname Method
Enabled *.domain.tld DNS-DigitalOcean

Wild_Card_DOMAIN
Wild_Card_DOMAIN
Wild_Card
Thu, 17 Aug 2023 04:54:37 -0700
Issued Certificate Dates:
Valid From: Thu, 17 Aug 2023 03:54:35 -0700
Valid Until: Wed, 15 Nov 2023 02:54:34 -0800

Backend

TrueNAS

and the TrueNAS backend pointing to 192.168.2.5 on 443; Encrypt: yes, SSL check: no

Front end

External address

LAN address (IPv4) port 443 SSL offloading [CHECKED]

Access Control lists

truenas Host Matches truenas.domain.tld

Actions condition acl name

backend:TrueNAS truenas

and Certificate

Wild_CARD_DOMAIN