When troubleshooting SSL certificate hostname mismatches, the most frustrating scenario occurs when a website immediately 301/302 redirects before you can inspect its certificate. Modern browsers typically follow redirects automatically, hiding the initial certificate from view. This becomes critical when debugging cases where:
- Clients report certificate warnings that don't appear in your tests
- Legacy systems fail before the redirect completes
- CDN configurations need validation
The most reliable method is using OpenSSL's s_client with the -showcerts flag while preventing redirects:
openssl s_client -connect example.com:443 -servername example.com -showcerts < /dev/null | openssl x509 -noout -text
For more control, use cURL with these options:
curl -vIk --http1.1 --resolve example.com:443:192.0.2.1 https://example.com
# -I : HEAD request
# -k : ignore certificate errors
# --resolve : bypass DNS for testingChrome DevTools can capture the initial certificate if you:
- Open DevTools (F12) and go to Network tab
- Check "Preserve log"
- Throttle connection to "Slow 3G"
- Right-click the initial request → Security → View certificate
For regression testing, here's a Node.js script using the 'https' module:
const https = require('https');
const options = {
hostname: 'problem-domain.com',
port: 443,
method: 'GET',
rejectUnauthorized: false, // Bypass cert validation
agent: new https.Agent({ maxRedirects: 0 }) // Block redirects
};
const req = https.request(options, (res) => {
console.log('Certificate:', res.socket.getPeerCertificate());
});
req.on('error', (e) => {
console.error('Certificate error:', e.cert ? e.cert : e);
});
req.end();Specialized utilities provide better visualization:
- testssl.sh: Comprehensive testing suite with redirect handling
./testssl.sh --first-only example.comA common production issue occurs when load balancers present a default certificate before applying host-specific certs via SNI. The diagnostic pattern:
# First connection shows default cert
openssl s_client -connect lb.example.com:443
# Subsequent connections with SNI show correct cert
openssl s_client -connect lb.example.com:443 -servername app.example.comAlways verify both scenarios when troubleshooting certificate mismatches.
When troubleshooting SSL/TLS issues, one particularly tricky scenario occurs when:
- A URL performs immediate redirection (HTTP 301/302) to another location
- You need to examine the certificate presented before the redirect occurs
- Standard browser inspection tools only show the final certificate
Here are reliable methods to capture the initial certificate:
Method 1: cURL with Certificate Output
curl -vkI https://example.com --output /dev/null --show-error 2>&1 | grep -A 10 "SSL certificate verify"This command will:
- Bypass following redirects (
-Lnot used) - Output verbose SSL handshake info (
-v) - Show only headers (
-I)
Method 2: OpenSSL Direct Connection
openssl s_client -connect example.com:443 -servername example.com -showcertsKey parameters:
-servernamefor SNI support-showcertsdisplays full certificate chain- Add
-statusfor OCSP verification
Method 3: Browser Developer Tools Trick
For Chrome/Edge:
- Open Developer Tools (F12)
- Go to Network tab
- Check "Preserve log"
- Refresh page
- Right-click initial request → "Open in new tab"
- Now inspect Security tab
For CI/CD integration, consider this Python script:
import socket
import ssl
def check_initial_cert(hostname):
context = ssl.create_default_context()
conn = context.wrap_socket(
socket.socket(socket.AF_INET),
server_hostname=hostname)
conn.connect((hostname, 443))
cert = conn.getpeercert()
return cert['subject']
print(check_initial_cert("example.com"))This technique helps diagnose:
- Expired certificates on redirect endpoints
- Certificate chain validation failures
- Hostname mismatch warnings
- HSTS preload validation
Remember that:
- Some clients may enforce different validation rules than your tools
- Mobile apps might cache certificates differently
- CDN edge nodes might present different certificates