I'm writing a script to check the SSL expiry dates of all my domains.

This works for my normal sites:

```sh
echo | openssl s_client -connect $domain:443 2> /dev/null | openssl x509 -noout -enddate
```

However it does not work for AWS CloudFront. I have uploaded my own certificate to CF and am using a CNAME.

The output is:

```
CONNECTED(00000003)
15336:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
```

Does anyone know why?

I have already tried the `-ssl2` and `-no_ssl3` options.

Alex Kulinkovich
multipolygon
  • Try to use [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication), i.e. use the `-servername hostname` option of `openssl s_client`. – Steffen Ullrich Jun 02 '16 at 06:49
  • Hi Steffen, that works! Thank you! If you want to copy my answer below, I'll delete my answer and give you the rep. – multipolygon Jun 02 '16 at 07:00

1 Answer

Adding `-servername $domain` fixed it:

```sh
openssl s_client -connect $domain:443 -servername $domain 2> /dev/null < /dev/null | openssl x509 -noout -enddate
```

Many thanks to Steffen Ullrich for the comment on the Q.

multipolygon
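The expiry check from the question with the `-servername` fix from this answer applied, extended into a multi-domain script; this is an added example, not code from the original post. It assumes GNU `date` (for `date -d`), and the function names and the 30-day threshold are illustrative choices. A failed handshake is reported as its own state, so a host that needs SNI never shows up as silently fine.

```shell
#!/bin/sh
# Added example. Assumes openssl on PATH and GNU date.

# Print the notAfter value of the certificate served for host $1 (port $2,
# default 443). -servername sends SNI so that shared front ends such as
# CloudFront can select the right certificate. Prints nothing on failure.
cert_enddate() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null |
        sed 's/^notAfter=//'
}

# Seconds from epoch $2 (default: now) until the notAfter string $1.
secs_until() {
    _end=$(date -u -d "$1" +%s) || return 1
    _now=${2:-$(date -u +%s)}
    echo $(( _end - _now ))
}

# Map seconds-remaining $1 and a warning threshold in days $2 to a status.
# An empty $1 means no certificate was retrieved; never report that as OK.
expiry_status() {
    if [ -z "$1" ]; then echo "NO_CERT"
    elif [ "$1" -le 0 ]; then echo "EXPIRED"
    elif [ "$1" -lt $(( $2 * 86400 )) ]; then echo "WARN"
    else echo "OK"
    fi
}

# Usage: ./check-expiry.sh example.com www.example.org ...
for domain in "$@"; do
    enddate=$(cert_enddate "$domain")
    secs=""
    [ -n "$enddate" ] && secs=$(secs_until "$enddate")
    printf '%s\t%s\t%s\n' "$domain" "$(expiry_status "$secs" 30)" \
        "${enddate:-handshake failed or no certificate}"
done
```

OpenSSL 1.1.1 and later send SNI by default using the `-connect` host name, but passing `-servername` explicitly keeps the script correct on older builds like the one in the question.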