Nginx 1.11.0 dual ECDSA + RSA ssl certificate support

What’s your TLS setup in your nginx.conf, what’s the contents of your certificate files? My nginx-1.11.0 works flawlessly with dual-cert. The only issue I see is OCSP Stapling which for some connections doesn’t work: quite randomly no stapling is provided by the server. This might be due to this https://community.qualys.com/thread/12315 and could be independent from the dual-cert setup.

Here’s the relevant part of my config. With the –manual– preference for ECDSA ciphers, SSL Labs test shows that certificate as the certificate of the site. No issues with the certificate chain either: ssl-ecdsa.pem only contains the ECDSA server certificate and the LE intermediate, just like the ssl-rsa.pem only contains the RSA server certificate and the LE intermediate. I generated trusted.pem like the following: $ cat ssl-ecdsa.pem ssl-rsa.pem > trusted.pem. Note that upcoming SSL versions will prefer ECDSA ciphers automatically, so I won’t have to manually order aECDSA ciphers ahead of aRSA ciphers.

        […]
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE+aECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:ECDHE+aECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+aECDSA+AES256+SHA384:ECDHE+aRSA+AES256+SHA384:ECDHE+aECDSA+AES256+SHA:ECDHE+aRSA+AES256+SHA';
        ssl_ecdh_curve secp384r1;

        ssl_certificate /etc/ssl/nginx/mysite/ssl-ecdsa.pem;
        ssl_certificate_key /etc/ssl/nginx/mysite/ssl-ecdsa.key;
        ssl_certificate /etc/ssl/nginx/mysite/ssl-rsa.pem;
        ssl_certificate_key /etc/ssl/nginx/mysite/ssl-rsa.key;
        ssl_trusted_certificate /etc/ssl/nginx/mysite/trusted.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver mydns.local valid=300s;
        […]
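As an added consistency check (example code, not from the post above and not part of nginx): a small Python lint over the directives quoted in the reply, verifying that ssl_certificate and ssl_certificate_key come in matched pairs, that each aECDSA cipher group precedes its aRSA counterpart in ssl_ciphers (the manual ordering the reply describes), and that ssl_stapling_verify has both a trusted bundle and a resolver to work with. SAMPLE_CONF is a constructed copy of the quoted config.

```python
import re

# Constructed sample, mirroring the directives quoted in the reply above.
SAMPLE_CONF = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE+aECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:ECDHE+aECDSA+AESGCM:ECDHE+aRSA+AESGCM';
    ssl_certificate /etc/ssl/nginx/mysite/ssl-ecdsa.pem;
    ssl_certificate_key /etc/ssl/nginx/mysite/ssl-ecdsa.key;
    ssl_certificate /etc/ssl/nginx/mysite/ssl-rsa.pem;
    ssl_certificate_key /etc/ssl/nginx/mysite/ssl-rsa.key;
    ssl_trusted_certificate /etc/ssl/nginx/mysite/trusted.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver mydns.local valid=300s;
"""

def parse_directives(conf):
    """Return (name, value) for each ';'-terminated directive, comments stripped."""
    text = re.sub(r"#[^\n]*", "", conf)
    out = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if parts:
            out.append((parts[0], " ".join(parts[1:]).strip("'\"")))
    return out

def ecdsa_ahead_of_rsa(cipher_string):
    """True if every cipher family that has both auth variants lists aECDSA first."""
    first = {}  # (family without auth token, auth token) -> first position
    for idx, group in enumerate(cipher_string.split(":")):
        toks = group.split("+")
        auth = next((t for t in toks if t in ("aECDSA", "aRSA")), None)
        family = "+".join(t for t in toks if t != auth)
        first.setdefault((family, auth), idx)
    families = {f for f, _ in first}
    return all(first[(f, "aECDSA")] < first[(f, "aRSA")]
               for f in families if (f, "aECDSA") in first and (f, "aRSA") in first)

def lint(conf):
    """Return a list of findings; an empty list means the dual-cert setup is consistent."""
    d = parse_directives(conf)
    get = lambda name: [v for n, v in d if n == name]
    findings = []
    # nginx pairs each ssl_certificate with the ssl_certificate_key that follows it
    if len(get("ssl_certificate")) != len(get("ssl_certificate_key")):
        findings.append("ssl_certificate / ssl_certificate_key count mismatch")
    if get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("server cipher order is not enforced (ssl_prefer_server_ciphers off)")
    if any(not ecdsa_ahead_of_rsa(c) for c in get("ssl_ciphers")):
        findings.append("an aRSA cipher group precedes its aECDSA counterpart")
    if get("ssl_stapling_verify") == ["on"] and not get("ssl_trusted_certificate"):
        findings.append("ssl_stapling_verify on needs ssl_trusted_certificate (issuer chain)")
    if get("ssl_stapling") == ["on"] and not get("resolver"):
        findings.append("ssl_stapling on needs a resolver to reach the OCSP responder")
    return findings
```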