pwnrzclb debug-logs mTLS client

Mutually-authenticated TLS access to /debug_logs on pwnrzclb.net:8443. The server requires a client certificate signed by a private CA. Without one, :8443 rejects with HTTP 400.

You should have received a pwnrzclb-debug-client.p12 bundle and its passphrase out-of-band. Subject: CN=clima-debug-client. Validity: 10 years from 2026-05-14.

Use with curl

curl --cert-type P12 \
     --cert ~/pwnrzclb-debug-client.p12:'<passphrase>' \
     https://pwnrzclb.net:8443/debug_logs

Use with a browser

The browser will prompt you to pick a certificate on the first visit to :8443/debug_logs.

Use with Chrome on Linux

Chrome on Linux reads client certs from the NSS shared database at ~/.pki/nssdb, not the system trust store. Import the .p12 with pk12util:

sudo apt install libnss3-tools           # provides pk12util / certutil
mkdir -p ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N --empty-password   # one-time, if db is new
pk12util -d sql:$HOME/.pki/nssdb -i ~/pwnrzclb-debug-client.p12
# Enter the .p12 passphrase when prompted; leave the NSS password blank.

Verify it's there:

certutil -d sql:$HOME/.pki/nssdb -L

Restart Chrome, then visit https://pwnrzclb.net:8443/debug_logs. Chrome will pop a "Select a certificate" dialog. Pick clima-debug-client.

To remove it later, delete it by the nickname that certutil -L lists:

certutil -d sql:$HOME/.pki/nssdb -D -n "pwnrzclb debug client"

What /debug_logs actually returns

The endpoint runs a two-pass scan of the per-IP access logs and the nginx debug stream:

  1. Find every connection ID (*N) on lines that mention your IP.
  2. Emit every line that mentions your IP or any of those connection IDs.

This is the same algorithm /logs used to run before it was simplified.
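
The two-pass scan described above, as an added Python example; it is not the server's code. The log line layout, the sample IPs and the whole-token IPv4 matching are assumptions, and naive_scan is a hypothetical substring version included only to show why token boundaries matter when one client's view must not include another client's lines.

```python
import re

# Constructed sample input: nginx debug-style lines plus access-log lines.
# IPs are from documentation ranges; none of this is real server output.
SAMPLE_LOG = [
    "2026/05/14 10:00:01 [debug] 811#811: *57 accept: 203.0.113.7:51514 fd:12",
    "2026/05/14 10:00:01 [debug] 811#811: *57 http process request line",
    "2026/05/14 10:00:01 [debug] 811#811: *58 accept: 203.0.113.70:40022 fd:13",
    "2026/05/14 10:00:01 [debug] 811#811: *58 http process request line",
    "2026/05/14 10:00:02 [debug] 811#811: *5 http close request",
    "2026/05/14 10:00:02 [debug] 811#811: *57 http finalize request: 0",
    '203.0.113.7 - - [14/May/2026:10:00:02 +0000] "GET /debug_logs HTTP/1.1" 200 512',
    '198.51.100.9 - - [14/May/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 98',
]

# "*N" as a whole whitespace-delimited token; the captured number is compared
# in full, so *5 never matches *57.
CONN_ID = re.compile(r"(?<!\S)\*(\d+)(?!\S)")

def mentions_ip(ip):
    """Matcher for an IPv4 address as a whole token (assumption: IPv4 only)."""
    # Reject a longer address that merely contains `ip`, e.g. .7 inside .70.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d|\.\d)").search

def two_pass_scan(lines, ip):
    has_ip = mentions_ip(ip)
    # Pass 1: collect connection IDs from lines that mention the IP.
    conn_ids = set()
    for ln in lines:
        if has_ip(ln):
            conn_ids.update(CONN_ID.findall(ln))
    # Pass 2: keep lines that mention the IP or one of those connection IDs.
    kept = [ln for ln in lines
            if has_ip(ln) or conn_ids.intersection(CONN_ID.findall(ln))]
    return conn_ids, kept

def naive_scan(lines, ip):
    """Hypothetical substring version, for contrast: over-matches on prefixes."""
    ids = {m for ln in lines if ip in ln for m in re.findall(r"\*\d+", ln)}
    return [ln for ln in lines if ip in ln or any(i in ln for i in ids)]

if __name__ == "__main__":
    ids, kept = two_pass_scan(SAMPLE_LOG, "203.0.113.7")
    print(sorted(ids))
    print(*kept, sep="\n")
```

On the constructed sample, the token-bounded scan keeps four lines for 203.0.113.7, while the substring version also returns the two lines belonging to 203.0.113.70.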