I’m checking out a website via the Qualys SSL Labs checker and get this cert info, and I’m wondering what it means. Is the site hosted externally with a large ISP perhaps? Or can it be that the server is returning an extra certificate that it shouldn’t be? AFAIK it is hosted internally via Drupal on nginx (sorry for the colors, that’s this blog engine):
Certificate #1: RSA 2048 bits (SHA256withRSA)
Subject 5638404075159552-fe2.pantheonsite.io
Fingerprint SHA256: 3c664bc10443f04a0d846c92fc0547ee92ff58473a9b7c4501c7e6add610013d
Pin SHA256: Q8h8cEcUrZgQzNTvKB1kgWQ6jigjjQ2Ox0Y7AQ86BZM=
Common names 5638404075159552-fe2.pantheonsite.io
Alternative names 5638404075159552-fe2.pantheonsite.io americartusa.com ascrsfoundation.org assist.ceh.ac.uk beefandlambnz.com bensonrolloff.com blog.angaza.com bluebonnetaquasystems.com career.titustalent.com crires.ulaval.ca cssrc.us dev.chs-urc.org dev.ppfaactioncouncils.org dev.wenturetech.com developer-dev.usga.org developer-qa.usga.org district37.cssrc.us dogtracks.zebradog.com fluffmoo.net fullcircledesign.co gerhartpools.net healthytrees.com housingforward.org hrpro.hr.wa.gov icpvegetation.ceh.ac.uk it.ohiochristian.edu jansson.corvenas.io jwcatering.com kabukisyndrome.com kha.com life.brandless.com limonforassembly.com longdogz.com monkeyfeverrisk.ceh.ac.uk moorlach.cssrc.us mscollision.com myclubhouseparty.com opportunitydetroit.com pacificislandfinancial.com pacislandfinancial.com providencesaintjosephbreasthealth.com rize3d.com sharingsolace.com skylinemarketingdept.com stagestoresunpaidwages.com test.vitanovarehab.com the-eleanor.com thecowboycorner.com themusicrun.com.sg thewawafoundation.org ucdintegrativemedicine.com vehiclebarcodescanner.com vinaesmeralda.com vitanovarehab.com vizientsouthernstates.com walkinthewoodswith.us wdfw.wa.gov wenturetech.com www.americartusa.com www.ascrsfoundation.org www.assist.ceh.ac.uk www.bar-fans.com www.bensonrolloff.com www.bluebonnetaquasystems.com www.crires.ulaval.ca www.cssrc.us www.docklite.com www.farmtreestoair.ceh.ac.uk www.fluffmoo.net www.gerhartpools.net www.griffinservice.com www.healthytrees.com www.housingforward.org www.jwcatering.com www.kabukisyndrome.com www.limonforassembly.com www.longdogz.com www.meetsam.app www.midwestfilm.com www.monkeyfeverrisk.ceh.ac.uk www.moorlach.cssrc.us www.mscollision.com www.myclubhouseparty.com www.opportunitydetroit.com www.pacificislandfinancial.com www.pacislandfinancial.com www.providencesaintjosephbreasthealth.com www.resilientinstitutionsafrica.com www.rize3d.com www.sharingsolace.com www.skylinemarketingdept.com www.stagestoresunpaidwages.com 
www.the-eleanor.com www.thecowboycorner.com www.themusicrun.com.sg www.thewawafoundation.org www.ucdintegrativemedicine.com www.vehiclebarcodescanner.com www.vizientsouthernstates.com www.wenturetech.com
Serial Number 04943f9e4144e612224d90895e2b3906ff5e
Valid from Thu, 21 Mar 2019 17:07:15 UTC
Valid until Wed, 19 Jun 2019 17:07:15 UTC (expires in 2 months and 24 days)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer Let's Encrypt Authority X3
AIA: http://cert.int-x3.letsencrypt.org/
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency Yes (certificate)
OCSP Must Staple No
Revocation information OCSP
OCSP: http://ocsp.int-x3.letsencrypt.org
Revocation status Good (not revoked)
DNS CAA No
Trusted Yes Mozilla Apple Android Java Windows
…and…
Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI
Server Key and Certificate #1
Subject *.getpantheon.com
Fingerprint SHA256: 7761023ff4ba4b45c29af354255875ba57d6929179ccd0b7a75861c9685f8f36
Pin SHA256: m1kkceOTfyg+kIV8n2wjmjOE9Owo/gzZ2ySAm0Lvkb8=
Common names *.getpantheon.com
Alternative names *.getpantheon.com *.pantheon.io *.pantheonsite.io pantheonsite.io *.gotpantheon.com gotpantheon.com getpantheon.com **MISMATCH**
Serial Number 06fcb0bbe23732d7bedf562d4367adfd
Valid from Wed, 06 Mar 2019 00:00:00 UTC
Valid until Mon, 30 Mar 2020 12:00:00 UTC (expires in 1 year)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer DigiCert SHA2 Secure Server CA
AIA: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency Yes (certificate)
OCSP Must Staple No
Revocation information CRL, OCSP
CRL: http://crl3.digicert.com/ssca-sha2-g6.crl
OCSP: http://ocsp.digicert.com
Revocation status Good (not revoked)
Trusted No NOT TRUSTED Mozilla Apple Android Java Windows
Thanks for any insight you can give.