Check DNS, Urls + Redirects, Certificates and Content of your Website


Info: Problems with 3.048.289 Letsencrypt certificates (378.325 accounts). They must be revoked (revocation starts 2020-03-04 20:00 UTC) - see Revoking certain certificates on March 4. Update 2020-03-07: Good news: Mass-revocation is canceled.

This tool: A check (SerialNumber) is added. Letsencrypt has published a list of critical SerialNumbers, this list is checked. See the part "9. Certificates". If there is a warning, renew that certificate and replace the current certificate.




W

wrong Web-Response

Checked:
06.12.2019 20:40:43


Older results


1. IP-Addresses

HostTypeIP-Addressis auth.∑ Queries∑ Timeout
157.240.7.20
A
157.240.7.20
Singapore//Singapore (SG) - Facebook, Inc.
Hostname: edge-star-shv-01-sin6.facebook.com
yes



2. DNSSEC

Info: The Xml-split has triggered some hidden bugs. Now it looks ok.
If root or the top level zone isn't validated, it's buggy.
Both green and your domain is red -> it's your domain.


No DNSSEC - Informations found


3. Name Servers


No Nameserver entries found


4. SOA-Entries


No SOA entries found

5. Screenshots

Startaddress: https://www.facebook.com, address used: https://www.facebook.com/, Screenshot created 2020-05-05 05:33:11 +00:0

Mobil (412px x 732px)

840 milliseconds

Screenshot mobile - https://www.facebook.com/
Mobil + Landscape (732px x 412px)

821 milliseconds

Screenshot mobile landscape - https://www.facebook.com/
Screen (1280px x 1680px)

980 milliseconds

Screenshot Desktop - https://www.facebook.com/

Mobile- and other Chrome-Checks

widthheight
visual Viewport396716
content Size9801013

Fatal: Horizontal scrollbar detected. Content-size width is greater then visual Viewport width.

Chrome-Connection: secure. secure connection settings. The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_128_GCM.

Chrome-Resources : secure. all served securely. All resources on this page are served securely.

6. Url-Checks


:

:
DomainnameHttp-StatusredirectSec.G
• http://157.240.7.20:443/
157.240.7.20
-8

1.187
W
ConnectionClosed - The underlying connection was closed: The connection was closed unexpectedly.

• https://157.240.7.20:443/
157.240.7.20
301
https://www.facebook.com/
6.387
N
Certificate error: RemoteCertificateNameMismatch
Location: https://www.facebook.com/
Content-Type: text/html; charset="utf-8"
X-FB-Debug: zOVGrjq8I/aEV47fZjqjkTJ7cISQIEIvvpo3rDXVw9S4Xu5V350SEfJEV4c945e+45lcWVfvzWKLkqq8AJvZEg==
Date: Fri, 06 Dec 2019 19:40:49 GMT
Alt-Svc: h3-24=":443"; ma=3600
Connection: close
Content-Length: 0

• https://www.facebook.com/
GZip used - 34825 / 126625 - 72.50 %
Inline-JavaScript (∑/total): 14/92523 Inline-CSS (∑/total): 1/167
200

Html is minified: 366.26 %
2.404
I
Content-Encoding: gzip
Cache-Control: private, no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=15552000; preload
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Content-Type: text/html; charset="utf-8"
X-FB-Debug: 6TFEicyYC5XkWYNKz7zdyy/jqDLiBXMFaj/cUR8M/ZMHADEzn66izOOInHVLxDBdJTPh8++ACX50kfYEygMYrw==
Date: Fri, 06 Dec 2019 19:40:55 GMT
Alt-Svc: h3-24=":443"; ma=3600
Connection: close

• http://157.240.7.20:443/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
157.240.7.20
-8

1.064
W
ConnectionClosed - The underlying connection was closed: The connection was closed unexpectedly.
Visible Content:

7. Comments


1. General Results, most used to calculate the result

Aname "157.240.7.20" is ipv4 address, public suffix is not defined
Agood: All ip addresses are public addresses
Agood: destination is https
Agood - only one version with Http-Status 200
Agood: one preferred version: www is preferred
Warning: HSTS preload sent, but not in Preload-List. Never send a preload directive if you don't know what preload means. Check https://hstspreload.org/ to learn the basics about the Google-Preload list. If you send a preload directive, you should **immediately** add your domain to the HSTS preload list via https://hstspreload.org/ . If Google accepts the domain, so the status is "pending": Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version. So you will see this message some months. If you don't want that or if you don't understand "preload", but if you send a preload directive and if you have correct A-redirects, everybody can add your domain to that list. Then you may have problems, it's not easy to undo that. So if you don't want your domain preloaded, remove the preload directive.
AGood: All urls with http status 200/404 have a complete Content-Type header (MediaType / MediaSubType + correct charset)
Bwarning: HSTS max-age is too short - minimum 31536000 = 365 days required, 15552000 seconds = 180 days found
Bhttps://157.240.7.20:443/ 157.240.7.20
301

Missing HSTS-Header
Ihttps://www.facebook.com/
200

Content problems or problems with resources included - http links, files doesn't exist, different Content-Type definitions. Check the Html-Content - Part.
Nhttps://157.240.7.20:443/ 157.240.7.20
301
https://www.facebook.com/
Error - Certificate isn't trusted, RemoteCertificateNameMismatch

2. DNS- and NameServer - Checks


3. Content- and Performance-critical Checks

http://157.240.7.20:443/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 157.240.7.20
-8

Fatal: Check of /.well-known/acme-challenge/random-filename is blocked, http connection error. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
AGood: Every https result with status 200 supports GZip.
https://www.facebook.com/
200

Warning: Https + http status 200 + Inline CSS / JavaScript found. Don't use inline CSS / JavaScript. These are compiled and re-used ressources, save these with a long Cache-Control max-age - header.
https://www.facebook.com/
200

Warning: Https result with status 200 found, Html-Content is too big. Should be max. 110 %. May contain inline CSS / JavaScript, too much comments or white space. Re-used ressources - create files with a long Cache-Control max-age header. Remove comments and white space.
AGood: Every https connection via port 443 supports the http/2 protocol via ALPN.
AGood: All CSS / JavaScript files are sent with GZip. That reduces the content of the files. 10 external CSS / JavaScript files found
AGood: All images with internal compression not sent via GZip. Images (.png, .jpg) are already compressed, so an additional GZip isn't helpful. 3 images (type image/png, image/jpg) found without additional GZip. Not required because these images are already compressed
AGood: All CSS / JavaScript files are sent with a long Cache-Control header (minimum 7 days). So the browser can re-use these files, no download is required. 10 external CSS / JavaScript files with long Cache-Control max-age found
Warning: Images with a missing or too short Cache-Control header found. Browsers should cache and re-use these files. 1 image files without Cache-Control-Header, 0 with Cache-Control, but no max-age, 0 with Cache-Control max-age too short (minimum 7 days), 5 with Cache-Control long enough, 6 complete.
AGood: Domainname is not on the "Specially Designated Nationals And Blocked Persons List" (SDN). That's an US-list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called "Specially Designated Nationals" or "SDNs." Their assets are blocked and U.S. persons are generally prohibited from dealing with them. So if a domain name is on that list, it's impossible to create a Letsencrypt certificate with that domain name. Check the list manual - https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx
ADuration: 59473 milliseconds, 59.473 seconds


8. Connections

DomainIPPortCert.ProtocolKeyExchangeStrengthCipherStrengthHashAlgorithmOCSP stapling
Domain/KeyExchangeIP/StrengthPort/CipherCert./StrengthProtocol/HashAlgorithmOCSP stapling
157.240.7.20
157.240.7.20
443
name does not match
Tls12
ECDH Ephermal
256
Aes128
128
Sha256
error checking OCSP stapling
ok
157.240.7.20
157.240.7.20
443
name does not match
Tls12

ECDH Ephermal
256
Aes128
128
Sha256
error checking OCSP stapling
ok
http/2 via ALPN supported 
Tls.1.2
Tls.1.1
Tls.1.0
http/2 via ALPN supported
Tls.1.2
Tls.1.1
Tls.1.0
Chain (complete)
1CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, C=US, ST=California

2CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US


www.facebook.com
www.facebook.com
443
ok
Tls12
ECDH Ephermal
256
Aes128
128
Sha256
error checking OCSP stapling
ok

www.facebook.com
www.facebook.com
443
ok
Tls12

ECDH Ephermal
256
Aes128
128
Sha256
error checking OCSP stapling
ok
http/2 via ALPN supported 
Tls.1.2
Tls.1.1
Tls.1.0
http/2 via ALPN supported
Tls.1.2
Tls.1.1
Tls.1.0
Chain (complete)
1CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, C=US, ST=California

2CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US


9. Certificates

1.
1.
CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, S=California, C=US
06.11.2019
04.02.2020
118 days expired
*.facebook.net, *.facebook.com, *.m.facebook.com, facebook.com, *.fb.com, *.xy.fbcdn.net, *.xz.fbcdn.net, fb.com, *.messenger.com, *.fbsbx.com, *.xx.fbcdn.net, messenger.com, *.fbcdn.net - 13 entries
1.
1.
CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, S=California, C=US
06.11.2019

04.02.2020
118 days expired
*.facebook.net, *.facebook.com, *.m.facebook.com, facebook.com, *.fb.com, *.xy.fbcdn.net, *.xz.fbcdn.net, fb.com, *.messenger.com, *.fbsbx.com, *.xx.fbcdn.net, messenger.com, *.fbcdn.net - 13 entries

KeyalgorithmEC Public Key (256 bit, prime256v1)
Signatur:SHA256 With RSA-Encryption
Serial Number:0473D08408644DDFA97E309B5BF460C3
Thumbprint:A427D49C21BDB6E452B3F8D6DE25793A8C0E452A
SHA256 / Certificate:6b47527yFgWESLcNliQ62xttswIlVATQuZG6ugA4Br0=
SHA256 hex / Cert (DANE * 0 1):e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA256 hex / PublicKey (DANE * 1 1):15df6b66319ce9b80622eb939d9d89b61ea07e8763c303f9820a2efab0c1e56a
SHA256 hex / Subject Public Key Information (SPKI):1b4bf634d75c65d37161812801fb0ac3890a24315741959dd35d5fe268744abe
SPKI checked via https://v1.pwnedkeys.com/spki-hash:Good: Key isn't compromised
OCSP - Url:http://ocsp.digicert.com
OCSP - must staple:no
Certificate Transparency:yes


2.
CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
22.10.2013
22.10.2028
expires in 3065 days


2.
CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
22.10.2013

22.10.2028
expires in 3065 days


KeyalgorithmRSA encryption (2048 bit)
Signatur:SHA256 With RSA-Encryption
Serial Number:04E1E7A4DC5CF2F36DC02B42B85D159F
Thumbprint:A031C46782E6E6C662C2C87C76DA9AA62CCABD8E
SHA256 / Certificate:GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A=
SHA256 hex / Cert (DANE * 0 1):19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0
SHA256 hex / PublicKey (DANE * 1 1):936bfae7bc41b0e55ed4f411c0eb07b30ddbb064f657322acf92bee7db0d430b
SHA256 hex / Subject Public Key Information (SPKI):52d4ef822ed8221c2cc1104485d0c52e7d01dd0a6ecda08204f3784cec3f4daf
SPKI checked via https://v1.pwnedkeys.com/spki-hash:Good: Key isn't compromised
OCSP - Url:http://ocsp.digicert.com
OCSP - must staple:no
Certificate Transparency:no


3.
CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
10.11.2006
10.11.2031
expires in 4179 days


3.
CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
10.11.2006

10.11.2031
expires in 4179 days


KeyalgorithmRSA encryption (2048 bit)
Signatur:SHA-1 with RSA Encryption
Serial Number:02AC5C266A0B409B8F0B79F2AE462577
Thumbprint:5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
SHA256 / Certificate:dDHl9MPBzkaQd08LYeBUQIg7qaAe0Aumq9eAbtOxGM8=
SHA256 hex / Cert (DANE * 0 1):7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf
SHA256 hex / PublicKey (DANE * 1 1):5a889647220e54d6bd8a16817224520bb5c78e58984bd570506388b9de0f075f
SHA256 hex / Subject Public Key Information (SPKI):fd7961a0192a5cad26b74160a14732cf8625b6e21d65b4faf7bc5c2f968f5a33
SPKI checked via https://v1.pwnedkeys.com/spki-hash:Good: Key isn't compromised
OCSP - Url:
OCSP - must staple:no
Certificate Transparency:no



10. Last Certificates - Certificate Transparency Log Check

1. Source CertSpotter - active certificates (one check per day)

No CertSpotter - CT-Log entries found


2. Source crt.sh - old and new certificates, sometimes very slow - only certificates with "not after" > 2019 are listed

No CRT - CT-Log entries found


11. Html-Content - Entries

No Html-Content entries found. Only checked if https + status 200/401/403/404


12. Nameserver - IP-Adresses (alpha)

Required Root-climbing DNS-Queries to find ip addresses of all Name Servers:

No NameServer - IP address informations found. The feature is new (2020-05-07), so recheck this domain.


13. CAA - Entries

No CAA entries found


14. TXT - Entries

No TXT entries found


15. Portchecks

No Port checks



Permalink: https://check-your-website.server-daten.de/?i=bf412957-2417-4939-af97-f604d97c8166


Last Result: https://check-your-website.server-daten.de/?q=157.240.7.20%3a443 - 2020-05-05 05:32:35


Do you like this page? Support this tool, add a link on your page:

<a href="https://check-your-website.server-daten.de/?q=157.240.7.20%3a443" target="_blank">Check this Site: 157.240.7.20:443</a>