I’m finally configuring my websites with certificates. I have several domains and subdomains running as virtual hosts on the same server. When I checked my certificate at SSLlabs.com, I’m seeing that there is a certificate mismatch for my virtual hosts. (unique domains)
Your description of what you see isn’t very precise but I think you might be talking about what happens for clients which don’t implement SNI.
When a user agent (web browser or other software) connects to your web server on a particular IP address, the only way to know which web site it wants to talk to is via a mechanism called Server Name Indication (SNI) which is optional and so missing from older software.
If this is important to you, for example because your visitors often run older browsers or use non-browser software to access the site, then you have two options:
Obtain a single certificate (from Let’s Encrypt or any CA) covering every single name on your server in one, and tell the server to always present this cert. NB customers will be able to see the entire list inside the cert if they look so this has privacy implications.
Obtain (this is likely to be costly) a separate IP address for each site so that the server can tell from IP address alone which site is meant.
If I misunderstood the problem, please explain in more detail what SSL labs says or just link the output page here.
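As an added illustration of the mismatch the answer above describes (this is not code from the thread or from Let's Encrypt), the script below probes a name twice, once with SNI and once without, as a legacy client would, and reports where the presented certificate does not cover the requested name. The `hostname_matches` rule, the `SAMPLE` data and the host names in it are constructed for the example.

```python
import socket
import ssl
import sys

def hostname_matches(hostname, san_names):
    """True if hostname is covered by a DNS SAN: exact match, or a single
    leading '*' label matching exactly one label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def fetch_san_names(host, port=443, sni=True):
    """Connect and return the DNS SANs of the leaf cert the server presents.
    With sni=False the ClientHello carries no server_name, so the server
    answers with whatever its default vhost holds. The chain is still
    verified against the system trust store; only the name check is off,
    because seeing the wrong name is the whole point of the probe."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def mismatch_report(probe_results):
    """probe_results: {(hostname, sni_used): [san names]} -> list of
    (hostname, sni_used) pairs whose cert does not cover hostname."""
    return [(h, sni) for (h, sni), sans in probe_results.items()
            if not hostname_matches(h, sans)]

# Constructed sample: two vhosts on one IP where the default vhost only
# holds the example.com cert, so a non-SNI client asking for the blog
# gets the wrong certificate (the SSL Labs "mismatch" case).
SAMPLE = {
    ("example.com", True): ["example.com", "www.example.com"],
    ("blog.example.com", True): ["blog.example.com"],
    ("blog.example.com", False): ["example.com", "www.example.com"],
}

if __name__ == "__main__":
    # Usage: python probe.py host1 host2 ...  (probes each with and without SNI)
    results = {(h, sni): fetch_san_names(h, sni=sni)
               for h in sys.argv[1:] for sni in (True, False)}
    print(mismatch_report(results or SAMPLE))
```

A name listed with `False` only is the non-SNI case the answer describes and is harmless to SNI-capable browsers; a name listed with `True` means the vhost itself is serving the wrong certificate.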
SNI information at SSL labs is what caught my attention. I have been in the process of tweaking my TLS configuration and noticed a Mismatched Cert. Ultimately, the issue was an error in a vhost config file. As I add additional layers to my SSL/TLS configuration, I am sure I’ll run up against more challenges… There’s always lots more to learn.
Thanks for your help.
Rip