SSL Test gives back a second certificate


#1

Hello,
at the moment I’m improving my SSL setup for all my domains. :chains:
I saw here in "Incorrect order and Extra certificate error" that I can get help for apache+let’s encrypt issues on this forum.
When I used the ssllabs.com test, it says something about a second certificate that my server sent. I have an A+ score, but it still annoys me that my server sends a second certificate for one of my other domains.

Example: I tested isitef.com and when you scroll down you see Certificate #2 which is issued to drgn.li (one of my other domains running on the same server)

Why does apache send that second certificate and why is it that domain? I couldn’t find anything in the apache conf and ssl conf.
I hope somebody can help me with this.


#2

Hi,

That means you are using SNI, and drgn.li is your primary site on that IP.

In order to remove that, configure one site (https / to) on each IP…

Apache identifies the SNI primary certificate based on the alphabetical order of vHosts.

Thank you


#3

Ohhh okay… I’m hosting from home, so unique IPs are not gonna be possible. Thanks for the super fast reply!


#4

Hi @DatDraggy

this isn’t really a problem.

Your site uses SNI. But SSLLabs tests what happens if your browser doesn’t understand SNI.

Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

Theoretically, you can create a certificate with all of your domain names and send this with your default configuration.
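To see for yourself what SSL Labs is reporting in that "No SNI" row (and what a non-SNI client would learn from the default vhost's SAN list), here is an added example, not code from this thread, that fetches the leaf certificate once with SNI and once without and lists the names in it. It assumes the host is reachable on port 443 with a publicly trusted certificate; the sample certificate dict at the bottom is constructed for offline use.

```python
from __future__ import annotations

import socket
import ssl
import sys


def fetch_cert(host: str, use_sni: bool = True, port: int = 443,
               timeout: float = 10.0) -> dict:
    """Return the leaf certificate (ssl.getpeercert() dict) the server presents.

    With use_sni=False the ClientHello carries no server_name extension, so
    Apache answers with its default vhost's certificate, which is what SSL Labs
    shows as 'Certificate #2 ... No SNI'.
    """
    ctx = ssl.create_default_context()
    # Hostname checking would require sending SNI, so turn it off; chain
    # verification stays on so getpeercert() returns the parsed certificate.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()


def cert_names(cert: dict) -> list[str]:
    """Collect the subject CN plus every DNS SAN from a getpeercert()-style dict.

    This is exactly the list anyone can read out of a served (or CT-logged)
    certificate, which is the concern raised later in this thread.
    """
    names = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names.update(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
    return sorted(names)


def sni_fallback_report(host: str) -> tuple[list[str], list[str], bool]:
    """Names served with SNI, names served without SNI, and whether the
    no-SNI certificate fails to cover the host at all."""
    with_sni = cert_names(fetch_cert(host, use_sni=True))
    without_sni = cert_names(fetch_cert(host, use_sni=False))
    return with_sni, without_sni, host not in without_sni


# Constructed sample in getpeercert() layout, for offline checks of cert_names().
SAMPLE_CERT = {
    "subject": ((("commonName", "drgn.li"),),),
    "subjectAltName": (("DNS", "drgn.li"), ("DNS", "www.drgn.li")),
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "isitef.com"
    sni, no_sni, mismatch = sni_fallback_report(target)
    print(f"with SNI:    {sni}\nwithout SNI: {no_sni}\nno-SNI cert misses host: {mismatch}")
```

Run it as `python3 check_sni.py isitef.com`; if the "without SNI" list does not contain the host, non-SNI clients get the default vhost's certificate and a name mismatch, which is harmless for modern browsers but is what the scanner flags.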


#5

Hello @JuergenAuer

Yes, that was my old setup, but because I also host domains for friends I decided it would be better to separate these certificates so that people can’t just look in the certificate and figure out what domains I have directing to my server.

Thank you both for the replies.


#6

Yes, because of this I wouldn’t do that. :wink:


#7

I thought so as well. Well, drgn.li is only a URL shortener that doesn’t even work correctly anymore, so it’s not too bad. :laughing:


#8

Too late… People can just look at the old certificates:
https://crt.sh/?id=81220599


#9

But most people won’t care / don’t know where to look…


#10

Yea that’s fine. Not like there’s some weird xxx or other shady site in there so I don’t mind that much

