I don’t know whether I’m analyzing the problem correctly, so let me just describe what happens:
I have a hosted site with one IP. I bought a commercial certificate (DigiCert). I established this certificate in /etc/apache2/certs/ and gave the main site an HTTP Redirect permanent that redirects every http://www.mydomain.tld/ to https://www.mydomain.tld/.
When I analyze the site using a command like:
openssl s_client -connect www.mydomain.tld:443 < /dev/null | openssl x509 -noout -text | grep -C3 -i dns
the SANs are listed as specified when ordering the cert:
DNS:mydomain.tld, DNS:www.mydomain.tld, DNS:mail.mydomain.tld, DNS:smtp.mydomain.tld
When I enter the command:
openssl s_client -connect mydomain.tld:443 < /dev/null | openssl x509 -noout -text | grep -C3 -i dns
I’m getting the SANs that I entered when requesting the Let’s Encrypt certificate. All fine so far.
But, when I open the site URL https://mydomain.tld/ in a browser (FF), I’m getting the yellow alarm window of Firefox, saying that the site may have an insecure certificate.
When I open the details, I see that it is the Let’s Encrypt certificate with the common name
mydomain.tld
But for this domain I have provided the DigiCert certificate.
How does this intermixing come about?