Not sure if this is the right place to ask, but if I use openssl s_client -connect host:443 when the host is a virtual hostname behind a common IP, the CN is always the main hostname and not the host I am checking on.
For example: I have bic.nus.edu.sg, which has an IP address 22.214.171.124. It has its own cert in /etc/letsencrypt/live/bic.nus.edu.sg.
Then I have biomolfrontiers.nus.edu.sg, which is a name-based virtual host and also points to 126.96.36.199; Apache knows to point it to its own document root based on the hostname. It also has its own cert in /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg.
When I run this from the command line:
openssl s_client -connect biomolfrontiers.nus.edu.sg:443
the CN refers to the main bic.nus.edu.sg cert. I googled and found I need to add the -servername argument to get it to refer to the biomolfrontiers cert.
However, it's still referring to the main bic.nus.edu.sg cert.
If the different domains have different IPs on the same machine then it's fine. It's only when all the domains point to the same IP that there is an issue.
I'm unsure if this is just for LE certs only or it's a generic problem. If it's generic I apologize for posting here. The servers I tested the command on are all the latest Linux from Slackware to Ubuntu - all return the CN of the main host and not the name-based virtual host.
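
One way to script the check described in the post, as an added example that is not part of the original post: it asks the server for a certificate with an explicit SNI name and tests whether the names in the returned certificate cover that name. The function names are hypothetical, and it assumes an OpenSSL version whose x509 command supports -ext (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print subject and SAN of the leaf certificate a server presents.
# $1 = host or address to connect to, $2 = name sent in the TLS SNI extension.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -ext subjectAltName
}

# Read "openssl x509 -ext subjectAltName" output on stdin and
# print the DNS names it lists, one per line.
san_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Succeed if hostname $1 is covered by a SAN name read from stdin.
# A leading "*." covers exactly one left-most label.
name_covered() {
    host=$1
    while read -r san; do
        case $san in
            "*."*)
                # ${san#??} drops the leading "*."; ${host#*.} drops one label.
                [ "$host" != "${host#*.}" ] &&
                    [ "${host#*.}" = "${san#??}" ] && return 0 ;;
            *)
                [ "$host" = "$san" ] && return 0 ;;
        esac
    done
    return 1
}

# Report whether the certificate served for SNI name $2 at $1 covers $2.
check_vhost() {
    if served_cert "$1" "$2" | san_names | name_covered "$2"; then
        echo "OK: certificate served for $2 covers $2"
    else
        echo "MISMATCH: certificate served for $2 does not cover $2"
        return 1
    fi
}

# Usage, with the hostnames from the post:
#   check_vhost bic.nus.edu.sg biomolfrontiers.nus.edu.sg
```

Running the same comparison against /etc/letsencrypt/live/NAME/cert.pem with openssl x509 shows whether the file on disk and the certificate on the wire list the same names.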