Newb question about shared hosting and a second certificate appearing in SSL Labs results


#1

I have a site on shared hosting.

When I did an SSL Labs test, it got a grade of “A” but two certificates showed up and it says my site only works in browsers with SNI support. The first cert is the one I installed and the second is a “no SNI” certificate for another website that appears to be on the same shared server at my hosting provider (same IP address and is using same hosting provider and DNS, so am guessing we’re on the same server as well).

When I do an SSL Labs test for the other person’s second site, everything seems fine - my cert doesn’t show up on his test results and his site works on browsers without SNI support. His main certificate has a fingerprint that matches the “no SNI” cert that appears in my test results.

Does anyone know why I’m getting info from his certificate on my test results but he is not getting info from my cert in his results? Is there anything that can be done to fix this?


#2

There’s nothing to fix.

When not using SNI, the server sends a “default” TLS certificate. For some reason, this is (from your story) the certificate of that “another website”. (Thát is actually quite unusual, but can’t say anything about that without knowning the hostnames of the site).

Previously, SSL Labs didn’t report the non-SNI certificate chain so you didn’t know about it. Now, they do for some reason and this can be confusing indeed.

The fact is: modern browsers all use SNI and won’t receive the certificate for that “another website”, just for yours… So you shouldn’t worry about it.


#3

That explains a lot, thank you!


#4

What default cert is usually used for shared hosting providers? I imagine it would be one by the provider rather than for one of the sites on the server.

The site with the default cert is area13.co.uk and its cert covers the following names:

alienspacestation.area13.co.uk
alienspacestation.com
area13.co.uk
mail.alienspacestation.com
mail.area13.co.uk
mail.mattercreation.com
mattercreation.area13.co.uk
mattercreation.com
www.alienspacestation.area13.co.uk
www.alienspacestation.com
www.area13.co.uk
www.mattercreation.area13.co.uk
www.mattercreation.com


#5

They probably “pool” a lot of different sites into one certificate, perhaps one for each customer? I don’t know, just guessing here :stuck_out_tongue: I’m also not an expert of shared hosting providers. I personally would install a “provider specific” certificate as the default cert, but hey, that’s just me (and you aparently :stuck_out_tongue:)


#6

Turns out it was an issue on the hosting provider’s side - for some reason their catch-all cert wasn’t working for the IP my site was on. After their fix, their default cert was listed instead of area13’s.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.