Whenever you have to debug virtual host setups in Apache, checking the actual running virtual host configuration is a good first step. This can be done with the -S option of the Apache binary: it lists all running virtual hosts and performs a syntax check.
On Fedora, RHEL, CentOS the Apache binary can be found on
# /usr/sbin/httpd -S
18.104.22.168:80 me.example.net (/etc/httpd/conf.d/me.conf:5)
22.214.171.124:80 others.example.net (/etc/httpd/conf.d/others.conf:1)
126.96.36.199:443 others.example.net (/etc/httpd/conf.d/others.conf:38)
On Debian systems the call is almost the same; you just have to source the environment variables first, and the binary has a different name for historical reasons:
# source /etc/apache2/envvars
# /usr/sbin/apache2 -S
188.8.131.52:80 me.example.net (/etc/apache2/sites-enabled/me.conf:5)
184.108.40.206:80 others.example.net (/etc/apache2/sites-enabled/others.conf:1)
220.127.116.11:443 others.example.net (/etc/apache2/sites-enabled/others.conf:38)
you might run into an error about user names, in such cases it is helpful to call
When you set up the TLS encryption of a web server or of an IMAP server like Dovecot, it is sometimes handy to test the encryption on the command line to see what really happens there. A good tool to do just that is
# openssl s_client -crlf -connect www.example.net:993
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
Afterwards, if you want to try an IMAP login, for example, the commands are as follows:
A login user password
A OK User logged in
A OK [CAPABILITY IMAP4rev1 ...
A status INBOX (messages)
* STATUS INBOX (MESSAGES 0)
A OK Status completed.
* BYE Logging out
C OK Logout completed.
Similarly, if you want to test HTTPS encryption:
$ openssl s_client -crlf -connect www.example.net:443
GET / HTTP/1.0
HTTP/1.1 302 Found
When you try to connect to a web server which has a certificate signed by an unknown root CA, you can compare the TLS/SSL fingerprint presented by the server with the fingerprint of the certificate. For example, if you use your Android phone to securely connect to your own server, the phone might not have the root CA of your TLS certificate and thus presents the fingerprint for you to verify.
So you have to calculate the TLS fingerprint of the server certificate beforehand. This can be done with a single command:
# openssl x509 -noout -fingerprint -in /etc/pki/tls/certs/www.myserver.de.public-cert.ssl.crt
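The comparison described above can be scripted, shown here as an added example that is not part of the original post: it normalizes fingerprints so that case, colons and the "Fingerprint=" label do not cause false mismatches, then compares the certificate file (or the certificate a live server presents) with the value shown on the client. The function names are hypothetical, and SHA-256 is an assumed default digest; pass sha1 as the last argument if the client displays SHA-1.

```shell
#!/bin/sh
# Added example: helper functions for comparing TLS certificate fingerprints.
# All function names are hypothetical; only standard openssl options are used.

# Reduce "sha256 Fingerprint=AB:CD:..." (or a value typed off a phone screen)
# to bare upper-case hex, so formatting differences never cause a mismatch.
fp_normalize() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Fingerprint of a PEM certificate file.
# $1 = certificate file, $2 = digest name (assumed default: sha256)
cert_fp() {
    fp_normalize "$(openssl x509 -noout -fingerprint "-${2:-sha256}" -in "$1")"
}

# Fingerprint of the leaf certificate a server actually presents.
# $1 = host, $2 = port (e.g. 443 or 993), $3 = digest name (default: sha256)
server_fp() {
    fp_normalize "$(openssl s_client -connect "$1:$2" -servername "$1" \
        </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint "-${3:-sha256}")"
}

# Succeeds only if the certificate file matches the expected fingerprint.
# An empty expected value, or a certificate openssl cannot read, never matches.
# $1 = certificate file, $2 = expected fingerprint, $3 = digest name
fp_match() {
    [ -n "$2" ] && [ "$(cert_fp "$1" "$3")" = "$(fp_normalize "$2")" ]
}

# Usage (host and path are the placeholders used on this page):
#   fp_match /etc/pki/tls/certs/www.myserver.de.public-cert.ssl.crt \
#       "$(server_fp www.example.net 443)" && echo "server presents this cert"
```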
Whenever you open an SSH connection to your server from a new computer, you will be shown the SSH fingerprint of the machine so you can verify that you are really connecting to the machine you are aiming for. Thus you should have the SSH key fingerprint at hand. The fingerprint can easily be calculated directly on the server with a single command:
# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 07:86:16:03:b0:75:7e:74:be:49:77:86:3b:cb:92:a9 /etc/ssh/ssh_host_rsa_key.pub