Not sure if this is the right place to ask, but if I use openssl s_client -connect host:443 when the host is a virtual hostname behind a common IP, the CN is always the main hostname and not the host I am checking on.
For example: I have bic.nus.edu.sg, which has the IP address 137.132.19.100. It has its own cert in /etc/letsencrypt/live/bic.nus.edu.sg.
Then I have biomolfrontiers.nus.edu.sg, which is a name-based virtual host and also points to 137.132.19.100; Apache knows to point it to its own document root based on the hostname. It also has its own cert in /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg.
The CN refers to the main bic.nus.edu.sg cert. I googled and found I need to add the -servername argument to get it to refer to the biomolfrontiers cert.
However, it's still referring to the main bic.nus.edu.sg cert.
If the different domains have different IPs on the same machine then it's fine. It's only when all the domains point to the same IP that there is an issue.
I'm unsure if this is just for LE certs only or if it's a generic problem. If it's generic I apologize for posting here. The servers I tested the command on are all the latest Linux, from Slackware to Ubuntu - all return the CN of the main host and not the name-based virtual host.
This is in all likelihood a problem with your apache configuration. Would you mind sharing both of your <VirtualHost> config files?
You’ll want to make sure that the SSL directives for your biomolfrontiers.nus.edu.sg vhost are pointing to the certificates in /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg, and the ones for bic.nus.edu.sg should point to /etc/letsencrypt/live/bic.nus.edu.sg. The ServerName directives need to be set correctly as well.
I think it's somehow resolving the host.domain to an IP and then getting the cert of that IP, which is the main host. The -servername option is supposed to fix that from what I read, but it doesn't seem to be working.
Apache doesn't seem to think that the biomolfrontiers.nus.edu.sg vhost is what should be used to serve that domain - it's going with the bic.nus.edu.sg vhost instead. You can verify this by simply visiting the site via HTTPS - it'll show the same content, while you'll see something else via HTTP. For all intents and purposes, think about this as an Apache configuration issue, nothing related to certificates.
I'm not entirely certain whether that _default_:443 in your first vhost is correct here - maybe try changing that to *:443 as well. You'll probably want to make sure that you have a NameVirtualHost *:443 somewhere in your Apache configuration (I think it should be in /etc/apache2/ports.conf on Debian/Ubuntu, not sure about others).
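The two checks the replies above ask for (do the *:443 vhosts point at the right /etc/letsencrypt/live/ directory, and is one of them still on _default_:443) and the probe the original poster was doing with openssl s_client -servername can be scripted. The following is an added example written for this thread, not code from any participant, Apache or Let's Encrypt. The vhost snippets are constructed to mirror the thread (one vhost on _default_:443, the second vhost loading the first site's cert); the path layout /etc/letsencrypt/live/<ServerName>/ is assumed to be the convention in use, and served_cert_subject is a network call that is only useful against a live server.

```python
"""Lint Apache name-based HTTPS vhosts and probe what cert a server serves for a given SNI name.
Added example for this thread; not the poster's or Apache's own code."""
import re
import socket
import ssl

# Constructed "broken" config shaped like the thread: _default_ on the first vhost,
# and the second vhost pointing at the first site's Let's Encrypt directory.
BROKEN_CONFIG = """
<VirtualHost _default_:443>
    ServerName bic.nus.edu.sg
    DocumentRoot /srv/www/bic
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/bic.nus.edu.sg/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bic.nus.edu.sg/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName biomolfrontiers.nus.edu.sg
    DocumentRoot /srv/www/biomolfrontiers
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/bic.nus.edu.sg/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bic.nus.edu.sg/privkey.pem
</VirtualHost>
"""

# Constructed corrected config: both vhosts on *:443, each loading its own live/ directory.
FIXED_CONFIG = BROKEN_CONFIG.replace("_default_:443", "*:443").replace(
    "biomolfrontiers\n    SSLEngine on\n    SSLCertificateFile /etc/letsencrypt/live/bic.nus.edu.sg/fullchain.pem\n"
    "    SSLCertificateKeyFile /etc/letsencrypt/live/bic.nus.edu.sg/privkey.pem",
    "biomolfrontiers\n    SSLEngine on\n    SSLCertificateFile /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg/fullchain.pem\n"
    "    SSLCertificateKeyFile /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg/privkey.pem",
)

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.M | re.I)
LIVE_RE = re.compile(r"^/etc/letsencrypt/live/([^/]+)/")  # assumed certbot layout
CANON = {"servername": "ServerName", "sslcertificatefile": "SSLCertificateFile",
         "sslcertificatekeyfile": "SSLCertificateKeyFile"}


def parse_vhosts(config):
    """Return one dict per <VirtualHost> block: address plus the directives we care about."""
    vhosts = []
    for block in VHOST_RE.finditer(config):
        entry = {"address": block.group(1).strip()}
        for d in DIRECTIVE_RE.finditer(block.group(2)):
            entry[CANON[d.group(1).lower()]] = d.group(2)
        vhosts.append(entry)
    return vhosts


def lint_vhosts(vhosts):
    """Flag _default_:443 and any SSL file that lives under a different ServerName's live/ dir."""
    findings = []
    for v in vhosts:
        name = v.get("ServerName")
        if not name:
            findings.append((v["address"], "missing ServerName"))
            continue
        if v["address"].lower().startswith("_default_:"):
            findings.append((name, "uses _default_:443 instead of *:443"))
        for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            path = v.get(key)
            if not path:
                findings.append((name, f"missing {key}"))
                continue
            live = LIVE_RE.match(path)
            if live and live.group(1) != name:
                findings.append((name, f"{key} points at live/{live.group(1)}"))
    return findings


def subject_cn(cert):
    """Pull the CN out of the dict returned by ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def served_cert_subject(host, port=443, timeout=5):
    """Handshake with SNI set to `host` (what `openssl s_client -servername host` does) and
    return the CN the server actually presented. Chain verification stays on so that
    getpeercert() returns a parsed cert, but hostname checking is off so a wrong cert is
    reported rather than raised. Network call; not exercised by the offline checks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return subject_cn(tls.getpeercert())


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_vhosts(parse_vhosts(cfg)) or "no findings")
```

Running the script lints both constructed configs; pointing lint_vhosts at the real files read from disk, then calling served_cert_subject for each ServerName and comparing the returned CN with the name you asked for, reproduces the whole diagnosis from the thread in one place. If served_cert_subject returns the other site's CN even though the config lints clean, the running Apache is not using the file you edited, which is the "verify by visiting via HTTPS" check in the reply above.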