OpenSSL fetches different SSL certificate than the one obtained via a browser

Question

I need to download a SSL cert in PEM format from a HTTPS website, https://api.paczkomaty.pl . So I am using OpenSSL to do that:

openssl s_client -connect api.paczkomaty.pl:443 > myfile
openssl x509 -in myfile -text 

Here's the result:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:5a:87:30:7e:43:96:05:5e:20:f3:2f:14:a4:d9:47
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
        Validity
            Not Before: Mar 11 00:00:00 2017 GMT
            Not After : Apr 10 23:59:59 2018 GMT
        Subject: CN = *.grupainteger.pl
(...)

However, when I visit the website via a browser (Chrome or Firefox) and inspect its certificate, it shows me a different one; its Serial Number is different, and its validity is from 15/1/2018 to 1/9/2018.

Why is OpenSSL fetching a different certificate?

Answer 1

Why is OpenSSL fetching a different certificate?

s_client by default does not send SNI (Server Name Indication) data but a browser does. The server may choose to respond with a different certificate based on the contents of that SNI - or if no SNI is present then it will serve a default certificate. Try adding -servername api.paczkomaty.pl to your s_client command line

Answer 2

Multiple SSL/TLS sites on the same physical server, using TLS SNI (Server Name Indication). If the client does not provide SNI information (OpenSSL s_client won't unless told to), some fall-back default site certificate gets used.

Add the -servername option to your openssl s_client command like this:

openssl s_client -servername api.paczkomaty.pl -connect api.paczkomaty.pl:443 > myfile