How to troubleshoot SNI enabled endpoints with curl and openssl
This document (000020154) is provided subject to the disclaimer at the end of this document.
Situation
Issue
A modern webserver hosting or proxying to multiple backend domain names will often be configured to use SNI (Server Name Indication).
SNI allows multiple SSL-protected domains to be hosted on the same IP address, and is commonly used in Kubernetes with ingress controllers, for example, the nginx ingress controller.
The SNI extension requires a slight change to the conversation between client and server: the hostname must be provided in the Hello message to correctly access the associated domain name.
This can present an issue when troubleshooting a node or pod directly, where an IP address is used.
Pre-requisites
- The curl and/or openssl command installed
- Network access to the endpoint you wish to troubleshoot
Steps
To perform an SNI-compliant request using an IP address, use the following commands, replacing the domain name and IP address with your own.
- Using the curl command:
  curl -v --resolve domain.com:443:<ip address> https://domain.com
- Using openssl can be useful to obtain details about the certificate configured:
  openssl s_client -showcerts -servername domain.com -connect <ip address>:443
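The openssl step above can be scripted to confirm that the certificate returned for the SNI name actually covers that name, and to compare it with what the same IP serves when no SNI is sent. This is an added example, not part of the original article; the function names are hypothetical, and it assumes OpenSSL 1.1.1 or later for `-noservername` and `x509 -ext`.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes OpenSSL 1.1.1+
# for -noservername and "x509 -ext". Function names are hypothetical.

# san_matches HOST SAN_LIST -> exit 0 if a DNS entry in SAN_LIST covers HOST.
# SAN_LIST is the "DNS:a, DNS:*.b" line printed by openssl. A wildcard
# covers exactly one left-most label.
san_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$2" | tr 'A-Z,' 'a-z\n' | sed -n 's/^ *dns://p' | (
    while read -r name; do
      case $name in
        "$host") exit 0 ;;
        '*.'*)
          suffix=${name#\*}           # "*.domain.com" -> ".domain.com"
          label=${host%"$suffix"}     # what the wildcard would stand for
          case $label in
            ''|*.*) ;;                # empty or more than one label: no match
            *) [ "$label" != "$host" ] && exit 0 ;;
          esac ;;
      esac
    done
    exit 1
  )
}

# served_sans IP PORT [SNI_NAME] -> SAN line of the leaf certificate served.
served_sans() {
  if [ -n "$3" ]; then sni="-servername $3"; else sni="-noservername"; fi
  openssl s_client $sni -connect "$1:$2" </dev/null 2>/dev/null |
    openssl x509 -noout -ext subjectAltName 2>/dev/null | sed 1d
}

# check_sni HOST IP [PORT] -> exit 0 only if the SNI certificate covers HOST.
check_sni() {
  port=${3:-443}
  with=$(served_sans "$2" "$port" "$1")
  without=$(served_sans "$2" "$port")
  echo "SANs with SNI $1: ${with:-<none>}"
  echo "SANs without SNI: ${without:-<none>}"
  [ "$with" = "$without" ] && echo "note: same SAN list with and without SNI"
  if san_matches "$1" "$with"; then
    echo "OK: $2 serves a certificate for $1"
  else
    echo "MISMATCH: certificate served for SNI $1 does not cover it"; return 1
  fi
}

if [ "$#" -ge 2 ]; then check_sni "$@"; fi
```

Run it as `sh check_sni.sh domain.com <ip address>`; a MISMATCH result usually means the endpoint fell back to a default certificate for that name.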
Further reading
More information on SNI can be found here.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020154
- Creation Date: 06-May-2021
- Modified Date: 06-May-2021
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com