I am running a WordPress multisite installation with subdirectories mapped to domains. Each domain has its own LetsEncrypt certificate in the same folder, which works fine during web requests, but causes a problem when running Python scripts on the main domain. It chooses whichever certificate is most recent, from what I can see, which generates an error of the form "SSLError(SSLCertVerificationError("hostname doesn't match..." etc.
Is there a way to have multiple LetsEncrypt certificates on the same site, and yet make one of them the default, regardless of issuance recency?
The straightforward thing to do would be to give the main domain its own certificate as well.
That way, the order/recency of installations does not matter. The webserver will choose the appropriate certificate based on what the requested domain is.
Yes, I had already done that, which worked fine until the other virtual domains were added. It looks like it's a requests issue in Python, which I discovered by temporarily turning domain/cert matching off. Someone else has suggested checking up on SNI, which I have since done. This is the root of the issue, so now I have a few paths forward.
Thanks. Helped immensely. I had turned off domain/cert verification in my requests call, which temporarily patched it, but the real issue is SNI, as you suggest. Thanks. Will fix.
To be fair, _az was actually leveraging SNI with his suggestion. If the webserver doesn't recognize the domain name being requested, it will serve a "default" certificate, possibly corresponding to the first hostname served by the webserver. This is often the wrong certificate.
Yes, he was. It's just that I already had certificates for all domains; the issue was that the domain was serving certificates unpredictably, likely by date of last issued or latest expiry, which was making a mess of things.
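Added example, not part of the thread: a Python check that compares the certificate names a server presents with and without SNI, which is the behaviour discussed in the replies above. The hostnames and sample certificate dicts are constructed; `fetch_cert` needs network access and is only called when the script is run with a hostname argument.

```python
import socket
import ssl
import sys

# Constructed samples in the shape ssl.getpeercert() returns (not real data).
SAMPLE_MAIN = {"subjectAltName": (("DNS", "main.example"), ("DNS", "www.main.example"))}
SAMPLE_DEFAULT = {"subjectAltName": (("DNS", "shop.example"),)}


def san_dns_names(cert):
    """DNS names listed in the subjectAltName of a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(hostname, pattern):
    """Exact match, or a wildcard standing in for the whole leftmost label only."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    head, _, rest = host.partition(".")
    return bool(head) and rest == pat[2:]


def fetch_cert(host, port=443, sni=None, timeout=5):
    """Certificate dict served for this handshake; sni=None sends no SNI.

    The chain is still validated against the system trust store. Only the
    hostname check is left to the caller, so a mismatched certificate can be
    inspected instead of raising SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def diagnose(hostname, names_with_sni, names_without_sni):
    """Classify the result from the names served with and without SNI."""
    ok_sni = any(name_matches(hostname, n) for n in names_with_sni)
    ok_default = any(name_matches(hostname, n) for n in names_without_sni)
    if ok_sni and not ok_default:
        return "client must send SNI: the default certificate is for another site"
    if ok_sni:
        return "ok: matching certificate with or without SNI"
    return "server misconfigured: no matching certificate even with SNI"


if __name__ == "__main__" and len(sys.argv) > 1:
    target = sys.argv[1]
    with_sni = san_dns_names(fetch_cert(target, sni=target))
    print(diagnose(target, with_sni, san_dns_names(fetch_cert(target, sni=None))))
```

If the first result appears, the fix belongs in the client (it has to send the hostname in the handshake) and hostname verification can stay switched on.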