SSL Test gives back a second certificate

Hello,
at the moment I’m improving my SSL setup for all my domains. :chains:
I saw here (Incorrect order and Extra certificate error) that I can get help with Apache + Let's Encrypt issues on this forum.
When I used the ssllabs.com test, it says something about a second certificate that my server sent. I have an A+ score, but it still annoys me that my server sends a second certificate for one of my other domains.

Example: I tested isitef.com and when you scroll down you see Certificate #2 which is issued to drgn.li (one of my other domains running on the same server)

Why does Apache send that second certificate, and why is it that domain? I couldn’t find anything in the Apache conf or the SSL conf.
I hope somebody can help me with this.

Hi,

That means you are using SNI, and drgn.li is your primary site on that IP.

In order to remove that, configure one site (https / to) on each IP...

Apache identifies the SNI primary certificate based on the alphabetical order of vHosts.

Thank you


Ohhh okay... I'm hosting from home, so unique IPs are not gonna be possible. Thanks for the super fast reply!


Hi @DatDraggy

this isn't really a problem.

Your site uses SNI. But SSLLabs also tests what happens if your browser doesn't understand SNI.

Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

Theoretically, you can create a certificate with all of your domain names and send this with your default configuration.

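The two replies above describe the same mechanism from two sides: Apache hands a non-SNI client the certificate of the first vhost loaded for that address (which, with a Debian-style sites-enabled directory, means alphabetical file order), and SSL Labs reports that certificate as "Certificate #2 ... No SNI". The script below is an added illustration, not code from the thread or from Apache: it parses a constructed sites-enabled directory (file names and certificate paths are assumptions, the hostnames are the ones from the thread), reproduces the selection rule, and then shows the usual fix of adding a `000-default-ssl.conf` catch-all vhost whose certificate names no real site, so that the default certificate no longer leaks one of the other hosted domains.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: what /etc/apache2/sites-enabled/ might hold on a
# Debian-style host like the one in the thread. File names and certificate
# paths are assumptions for illustration; the hostnames come from the thread.
SITES_ENABLED: Dict[str, str] = {
    "drgn.li-le-ssl.conf": """
<VirtualHost *:443>
    ServerName drgn.li
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/drgn.li/fullchain.pem
</VirtualHost>
""",
    "isitef.com-le-ssl.conf": """
<VirtualHost *:443>
    ServerName isitef.com
    ServerAlias www.isitef.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/isitef.com/fullchain.pem
</VirtualHost>
""",
}

# Same layout plus a catch-all vhost whose file name sorts first, so it becomes
# the default for *:443. Its certificate names no real site (Debian's
# self-signed "snakeoil" cert is used here as a placeholder; an assumption).
WITH_DEFAULT: Dict[str, str] = dict(SITES_ENABLED)
WITH_DEFAULT["000-default-ssl.conf"] = """
<VirtualHost *:443>
    ServerName localhost
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


@dataclass
class VHost:
    addr: str            # address the block is bound to, e.g. "*:443"
    names: List[str]     # ServerName plus ServerAlias entries, lower-cased
    cert: Optional[str]  # SSLCertificateFile path
    source: str          # file the block came from


def parse_vhosts(files: Dict[str, str]) -> List[VHost]:
    """Collect <VirtualHost> blocks in configuration order.

    With the usual `IncludeOptional sites-enabled/*.conf`, files are read in
    sorted order and blocks in file order; that order decides the default vhost.
    """
    vhosts: List[VHost] = []
    for fname in sorted(files):
        for m in VHOST_RE.finditer(files[fname]):
            addr, body = m.group(1).strip(), m.group(2)
            names: List[str] = []
            cert = None
            for line in body.splitlines():
                parts = line.split()
                if not parts:
                    continue
                key = parts[0].lower()
                if key in ("servername", "serveralias"):
                    names.extend(n.lower() for n in parts[1:])
                elif key == "sslcertificatefile":
                    cert = parts[1]
            vhosts.append(VHost(addr, names, cert, fname))
    return vhosts


def select_vhost(vhosts: List[VHost], addr: str, sni: Optional[str]) -> Optional[VHost]:
    """Simplified name-based selection: the first vhost on `addr` that claims the
    SNI name wins; with no SNI, or a name no vhost claims, the first vhost on
    `addr` (the default vhost) is used. Wildcard aliases and
    SSLStrictSNIVHostCheck are deliberately not modelled."""
    candidates = [v for v in vhosts if v.addr == addr]
    if not candidates:
        return None
    if sni:
        wanted = sni.lower()
        for v in candidates:
            if wanted in v.names:
                return v
    return candidates[0]


def cert_for(files: Dict[str, str], sni: Optional[str], addr: str = "*:443") -> Optional[str]:
    """Certificate file a client gets for the given SNI name (None = no SNI)."""
    chosen = select_vhost(parse_vhosts(files), addr, sni)
    return chosen.cert if chosen else None


if __name__ == "__main__":
    for label, files in (("as in the thread", SITES_ENABLED),
                         ("with 000-default-ssl.conf", WITH_DEFAULT)):
        print(f"== {label} ==")
        print("  load order:", [v.source for v in parse_vhosts(files)])
        for sni in ("isitef.com", "drgn.li", None):
            print(f"  SNI={sni!s:<12} -> {cert_for(files, sni)}")
```

Running it shows the thread's situation: with only the two Let's Encrypt vhosts, `drgn.li-le-ssl.conf` sorts first, so a client that sends no SNI (or an unknown name) receives the drgn.li certificate, exactly what SSL Labs lists as Certificate #2. Once `000-default-ssl.conf` is present it sorts ahead of both and the non-SNI client receives the placeholder certificate instead, while SNI-capable clients are unaffected. To check a live server rather than a model, compare `openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -noout -subject` with the same command using `-noservername` (OpenSSL 1.1.1 and later; older `s_client` builds send no SNI unless `-servername` is given). Note that this only hides the name from non-SNI clients on the wire; every certificate issued by a public CA is still recorded in Certificate Transparency logs.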

Hello @JuergenAuer

Yes, that was my old setup, but because I also host domains for friends I decided it would be better to separate these certificates so that people can't just look in the certificate and figure out what domains I have pointing to my server.

Thank you both for the replies.

Yes, because of this I wouldn't do that. :wink:

I thought so as well. Well, drgn.li is only a URL shortener that doesn't even work correctly anymore, so it's not too bad. :laughing:


Too late… People can just look at the old certificates:
https://crt.sh/?id=81220599


But most people won’t care / don’t know where to look…

Yeah, that’s fine. It's not like there’s some weird xxx or other shady site in there, so I don’t mind that much.
