dmDrift Margin
← All notes

Networking · 6 min

TLS notes from the edge

A valid certificate is only one part of a healthy TLS endpoint. Renewal, routing, and the served identity all need separate checks.

Verify the public path

Test with the hostname clients use, not only the origin address. That confirms DNS, SNI selection, certificate chain, and the application route in a single request.

Keep renewal boring

Use a challenge path that remains reachable during ordinary service. Install the renewed files into stable locations, reload the consumers, and log both the issuance and reload result.

Check what was served

After a renewal, inspect the certificate presented from outside the host. A successful ACME client run does not prove that the front process loaded the new files.

curl --fail --show-error https://example.net/ · openssl s_client -connect example.net:443 -servername example.net

The useful test is not “does port 443 accept a socket?” It is “does the named service return the identity and content a client expects?”