Networking · 6 min
TLS notes from the edge
A valid certificate is only one part of a healthy TLS endpoint. Renewal, routing, and the served identity all need separate checks.
Verify the public path
Test with the hostname clients use, not only the origin address. That confirms DNS, SNI selection, certificate chain, and the application route in a single request.
Keep renewal boring
Use a challenge path that remains reachable during ordinary service. Install the renewed files into stable locations, reload the consumers, and log both the issuance and reload result.
Check what was served
After a renewal, inspect the certificate presented from outside the host. A successful ACME client run does not prove that the front process loaded the new files.
curl --fail --show-error https://example.net/ · openssl s_client -connect example.net:443 -servername example.net
The useful test is not “does port 443 accept a socket?” It is “does the named service return the identity and content a client expects?”