SSL Test gives back a second certificate

DatDraggy · July 24, 2018, 2:20pm

Hello,
at the moment I’m improving my SSL setup for all my domains.
I saw here Incorrect order and Extra certificate error that I can get help for apache+let’s encrypt issues on this forum.
When I used the ssllabs.com test, it says something about a second certificate that my server sent. I have an A+ score, but it still annoys me that my server sends a second certificate for one of my other domains.

Example: I tested isitef.com and when you scroll down you see Certificate #2 which is issued to drgn.li (one of my other domains running on the same server)

Why does apache send that second certificate and why is it that domain? I couldn’t find anything in the apache conf and ssl conf.
I hope somebody can help me with this.

stevenzhu · July 24, 2018, 2:23pm

Hi,

That means you are using SNI, and drgn.li is your primary site on that IP.

In order to remove that, configture one site (https / to) on each IP...

Apache identify SNI primary certificate based on the alphabetical order of vHosts.

Thank you

DatDraggy · July 24, 2018, 2:24pm

Ohhh okay... I'm hosting from home, so unique IPs are not gonna be possible. Thanks for the super fast reply!

JuergenAuer · July 24, 2018, 2:27pm

Hi @DatDraggy

this isn't really a problem.

Your site uses SNI. But SSLLabs tests what happens, if your browser doesn't understand SNI.

Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

Theoretical, you can create a certificate with all of your domain names and send this with your default configuration.

DatDraggy · July 24, 2018, 2:29pm

Hello @JuergenAuer

Yes, that was my old setup, but because I also host domains for friends I decided it would be better to seperate these certificates so that people can't just look in the certificate and figure out what domains I have directing to my server.

Thank you both for the replies.

JuergenAuer · July 24, 2018, 2:31pm

Yes, because of this I wouldn't do that.

DatDraggy · July 24, 2018, 2:32pm

I thought so as well. Well, drgn.li is only a URL shortener that doesn't even work correctly anymore, so it's not too bad,

tob · July 24, 2018, 7:34pm

Too late… People can just look at the old certificates:
https://crt.sh/?id=81220599

stevenzhu · July 24, 2018, 7:57pm

But most people won’t care / don’t know where to look…

DatDraggy · July 24, 2018, 8:11pm

Yea that’s fine. Not like there’s some weird xxx or other shady site in there so I don’t mind that much

system · August 23, 2018, 8:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Second certificate in SSL Test and no SNI support Help	4	4332	April 4, 2020
Multiple SSLs on same domain Help	2	363	February 7, 2023
Unusual Certificate Behaviour? Help	3	377	July 24, 2021
Another certificate showing up on SSL Labs Help	26	1879	September 14, 2023
Two certificates showing up? Help	3	749	October 22, 2018

SSL Test gives back a second certificate

Related topics