Tom here from Lawrence Systems, and stop me if you've heard this before: the problem was DNS. This problem has plagued us for many years, because DNS keeps getting a little more complex in its relationship to proxies, websites and certificates in particular. I just did a video on HAProxy, and you'll find that video linked down below. That one is specific to pfSense and HAProxy, but I wanted to do a broader topic here, because with that video came the questions and the troubleshooting of the relationship between DNS and SNI.

What SNI is, Server Name Indication, is a more recent thing. Well, it's been around for a while, but maybe not everyone understands it completely, and it's extremely related to DNS. In the before times, before the adoption of SNI, if you wanted to host multiple secure websites, each with its own certificate, on a single server, each website would typically require its own unique IP address. Some people still think that's the case, but SNI solved that problem. With SNI, during the initial handshake process the client specifies the host name of the server it's trying to connect to. This allows the server to choose the appropriate certificate to present to the client. That makes it feasible to host multiple encrypted websites on the same server with the same IP address, each with its own unique certificate, as long as your DNS works. That is the important part, because the SNI, the fully qualified domain name that you have in the URL of your browser, is going to be sent to the server, and the server should then respond with the proper certificate or the proper wildcard certificate. That's what I covered in my video: wildcard certs with Let's Encrypt mean you can match based on anything before a certain level of subdomain. And there are a few tricks to actually sorting it out when there's a problem with this.
And that's what this video is about: how to sort that out and how to use the tools. I want to walk through the process of looking it up using dig and OpenSSL, and you'll find those commands linked down below in a forum post; you can just copy and paste them. I will be doing this in Linux. If you would like to follow along but you're not using Linux, you can load Windows Subsystem for Linux on a Windows system. If you have a Mac, this should work from the command line, but I'm much less familiar with Mac; nonetheless you could always SSH into some Linux machine. These are pretty common base utilities that you'll find on a Linux system.

Let's get started with the demo so we can show you how to run these commands and how to look up whether your DNS is set up properly and you're getting the right certificate. Everything is time indexed down below, but I will start right here just to bring up the process that a system goes through, where you do or don't need an entry, and what a fully qualified domain name, a root domain or a top-level domain is. So here are our subdomains, and we'll be talking about these; you can have more than one. We have dozer.studio. Those are really extended subdomains of LawrenceSystem.com, which is the domain name, and the top-level domain is .com. If you're thinking there's an S missing, either one of these goes to my website: LawrenceSystem or LawrenceSystems with an S, dot com. There's a redirect that sends you over to the right place.

When you have these set up, we have a client, and we have it behind our pfSense, which happens to be running DNS for the demo lab that we have set up here. If it looks up LawrenceSystem.com, it'll find that it doesn't have an entry, and then it goes out to the internet, looks up the public records available for that (you can look them up too), heads over to the web server and serves up a website.
Now we have an entry locally for this to get our proxy working. If we go over to the internal version, we have dozer.studio.lawrencesystems.com, and we've put an entry in our pfSense. There is no public entry for this, so there's no reason to go out to the internet; it'll stop right here and serve up the HAProxy. This was in my demo the other day: how to set up HAProxy and how to have the DNS point to it. So this gives us a way to have a domain, and we have a wildcard certificate attached to this HAProxy instance. So dozer.studio.lawrencesystem.com comes here, and then it actually goes to our TrueNAS. The TrueNAS, which has its own self-signed certificate, is then talking to HAProxy, which has a wildcard certificate for anything.studio.lawrencesystems.com.

Where people sometimes get confused is: well, it's not responding, but I'm not sure why it's not responding, or can I do it from the command line so I can see the messages, do that SNI and see what is actually getting pumped out of that proxy? Yes, and that's what we're going to talk about next: those entries. Because this is going to be used in our example, I will mention that we do have a host override in here to get our HAProxy working internally, but we're also going to talk about how this can work externally; this is not specific to HAProxy. dozer.studio.lawrencesystem.com has an entry of 172.16.16.1. This is going to redirect this particular query to this local internal server, which happens to be running HAProxy, and the goal is to make sure that it is serving up the proper certificate so this will work. I do have another video linked down below covering host overrides in pfSense and how to manage DNS, but I'm not going to get any further than that on the pfSense side. Let's jump right over to the tools.
Now we're going to start with a general example, and the first tool we want to use is dig. So we go `dig google.com`, and we want to know what the A record is for Google. Turns out it's 172.217.1.110. It may be different for you; Google actually has multiple entries for this, they respond regionally, but that's not the detail that matters. We want to know what certificate will be served up if we talk to this server directly, so let's clear the screen and walk you through the OpenSSL command: `openssl s_client` with `-servername`. This is that SNI request; this is saying, hey, what if we had google.com in our browser and we want to talk to that host, which was the DNS response, on 443, the default port that serves up secure certificates. So we ask this question, and when we query it we get a lot of data. Let's scroll up, and we're going to scroll very far; we can look right here at the subject. Matter of fact, you can see all of it: it's giving the certificate, the handshake, it'll have the TLS information in here. But let's parse this to make it a little easier to read; we're just going to grep for the subject, because that's the part that matters.

Focusing on the subject here, this will match anything.google.com, which also means that if we were to try to go to google.com it would be valid, and if we had any other domain.google.com it would also be valid, at least for the certificate. We don't know if there's actually a website that it'll respond to if we put in any other name. I'm going to guess, though, that this one will work for sure if we put a www there, and that actually works. Matter of fact, this is how you know they don't have a wildcard for star.google.com, which is the wildcard: they have a specific certificate just for google.com; that's why there's no wildcard, it's just for www. And if we were to put in another one that I know is valid, such as mail.google.com, they actually do have a certificate it serves up for that off
that same address. Now let's take a look at our example domains. We're going to go `dig dozer.studio.lawrencesystems.com`, and we see that it is properly responding, because we have that entry in there with that local address. But what if we got rid of the dozer and just looked up studio? Is there an entry? There is not; there's nothing, because there doesn't need to be unless I wanted studio to go to something, but I don't need to; I was just using that as a wildcard. So if we go back to dozer.studio.lawrencesystems.com, we see that we have an entry.

Something of note: the way dig works, you can also add an @ symbol with an external domain server, because by default dig is going to use the domain server that is the default for the system you're on. In my case my default domain server is the pfSense system. In this case we told it to reach out to 1.1.1.1, Cloudflare's DNS, which doesn't have an entry for dozer.studio.lawrencesystems.com, but we can truncate this down, and of course there is a public entry for this. Each one of these entries, each one of these A records, can be separate. Now let's get back to this one right here; we just want to make sure we have this, and let's run that OpenSSL command to see what certificate is being served up from this request.
All right, so now we're going to run our OpenSSL client with a server name of dozer.studio.lawrencesystems.com and host 172.16.16.1, our HAProxy host, because we want to know what certificate we're going to get. We can see right here, if we look at the subject, that we're going to get a wildcard for anything.studio.lawrencesystems.com, so it is properly giving me the wildcard cert that I should expect, which means that domain would be valid.

Now we can query this in different ways, because I actually have another server running on another port. So if we change this up to .213131, which is another instance, and we wonder if this is valid, this is actually going to return something that's not valid. So if we go here, we're requesting it, but this one serves up this certificate, LTSdemo.work, which would be invalid. It will actually complete a handshake; we'll just get the invalid error, and it'll be a bit confusing. This is a way to check to make sure I'm getting the proper certificate from each one of these servers, so I know that this will not match, because the wildcard is not matching and it's also not a specific match.

That's all you need to do the troubleshooting: those two tools. You're probably thinking, could I just put it in the browser? The problem is browsers cache things. This can be very challenging to your psyche when you have made a change and then refreshed the page and it didn't give a different message; matter of fact, it seems to give the same message that you had before, and you think, was my change not applied? Well, I bypass that by going right to the dig and OpenSSL tools, because I want to know the answer before I open a browser, and because those tools do not cache at all, your changes are reflected in real time. If you do a dig and you don't have a DNS entry, your problem is DNS: figure out why there's no DNS entry, and walk through my DNS video if you're using pfSense to understand how DNS entries and host overrides work. If you're having trouble with HAProxy, watch
my HAProxy video, because if it serves up the wrong certificate and you're expecting cert A and it gives you cert B, you know to just look for cert B within your configuration and swap it to be the proper responding cert. Once you know those match, then you pop it in the browser and just double check and confirm things. Also take a look at the expiration date, because that is the final one I maybe didn't mention, but it also sometimes happens when someone has an old certificate and they think everything matches and it still gives an error that there's an SSL problem, and that problem is probably just that it's expired at that point. So do check the dates on those certificates.

Love hearing from you; leave your thoughts and comments down below, and head over to my forums for a more in-depth discussion on this or other topics I talk about on my channel. Like and subscribe, and that thumbs-up button really does help the YouTube algorithm let you know you like the video and let other people know that they may want to watch it. If you want to connect with me on the socials, you'll find whatever social media I'm connected to at the time you're watching this video over on LawrenceSystems.com. And thanks.
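The dig and openssl s_client procedure above, scripted as an added example (mine, not the video's commands or the forum post): the wildcard-matching helper runs offline, while sni_check needs network access plus dig and openssl 1.1.1 or later; the host names and the 172.16.16.1 address are the ones from the video.

```shell
#!/bin/sh
# Added example: script the dig + openssl s_client checks from the video and
# decide whether the certificate a host serves for an SNI name actually covers it.

# name_matches_cert NAME CERTNAME: returns 0 if CERTNAME (exact or *.wildcard)
# covers NAME. A wildcard only covers one label to its left (RFC 6125), so
# *.studio.lawrencesystems.com covers dozer.studio.lawrencesystems.com but not
# studio.lawrencesystems.com or a.dozer.studio.lawrencesystems.com.
name_matches_cert() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  cert=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$cert" = "$name" ] && return 0
  case $cert in
    '*.'*)
      suffix=${cert#\*.}          # part after "*."
      first=${name%%.*}           # left-most label of the requested name
      rest=${name#*.}             # everything after the first dot
      [ "$first" != "$name" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ] && return 0
      ;;
  esac
  return 1
}

# sni_check NAME HOST [PORT]: print what dig resolves NAME to, then fetch the
# certificate HOST presents for server name NAME (the video's
# "openssl s_client -servername ..." step) and report subject, expiry and
# whether any DNS SAN covers NAME. Needs network, dig and openssl (1.1.1+).
sni_check() {
  name=$1; host=$2; port=${3:-443}
  printf 'dig %s -> %s\n' "$name" "$(dig +short "$name" | tr '\n' ' ')"
  pem=$(openssl s_client -servername "$name" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null) || { echo "no certificate from $host:$port"; return 2; }
  printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate
  # The expiry check the video reminds you about: -checkend 0 fails if already expired.
  printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null || echo "WARNING: certificate is expired"
  for san in $(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName 2>/dev/null \
               | tr ',' '\n' | sed -n 's/^ *DNS://p'); do
    name_matches_cert "$name" "$san" && { echo "OK: $san covers $name"; return 0; }
  done
  echo "MISMATCH: no SAN on this certificate covers $name (wrong backend, cert or port?)"
  return 1
}

# Usage against the video's internal proxy (constructed invocation):
#   sni_check dozer.studio.lawrencesystems.com 172.16.16.1 443
[ "$#" -ge 2 ] && sni_check "$@"
```

A MISMATCH here with a completed handshake is exactly the "valid handshake, invalid certificate" case the video shows for the second backend, and the expiry warning covers the old-certificate case mentioned at the end.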