Hey guys
I was using https://crt.sh to look for my domain to see what certificates were generated and was surprised to see some strange results.
Looking at this result for example: https://crt.sh/?id=8565249705
You can see that the Subject>commonName = ropeholders.org.
But looking at the X509v3 Subject Alternative Name: area you can see a long list of domains completely unrelated to ropeholders.org, for example 360-dev.bevy.pl.
How can this be explained? Is this a security issue?
Thanks in advance!
I haven't checked, but this could be due to e.g. Cloudflare. Especially in the past (exact current practice is unknown to me) Cloudflare used to pool multiple sites that were using their free tier CDN service into a single certificate. And you had to have a paid service for a certificate for just your own site.
We were using Firebase at some point and I think Firebase are using Fastly, so perhaps that is the cause.
Is there any security risk in such behavior or it's generally common for CDNs to operate in such a way?
Yes, it's generally common and not particularly concerning.
Not really beyond the general security risk of using a CDN in general: Your CDN is "in the middle" of the transaction, and so can impersonate your site and monitor the traffic between your users and you. That's basically the service they're selling you, so maybe "security risk" isn't quite the right term, but if they get hacked or have a terrible bug or whatnot, it might impact you in a way that you'd wish you'd have gone with a different provider or hosted it yourself.
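For anyone auditing their own crt.sh results, here is an added example (not part of any post in this thread) that pulls the DNS names out of an OpenSSL-style text dump of a certificate and separates the names you control from the ones that only share the certificate with you. The function names and the sample dump are constructed for illustration (only `ropeholders.org` and `360-dev.bevy.pl` come from the thread), and ownership is assumed to mean an exact or subdomain match against a list you supply.

```python
import re

# Constructed sample dump; only the first two SAN names appear in the thread.
SAMPLE_CERT_TEXT = """\
        Subject:
            commonName = ropeholders.org
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ropeholders.org
                DNS:360-dev.bevy.pl
                DNS:*.shop.example.net
                DNS:WWW.Ropeholders.org.
                DNS:notropeholders.org
            X509v3 Key Usage: critical
                Digital Signature
"""

def san_dns_names(cert_text):
    """Return the normalised dNSName entries of the SAN extension in a text dump."""
    names, in_san = [], False
    for line in cert_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("X509v3 Subject Alternative Name"):
            in_san = True
        elif in_san:
            # The SAN block ends at the first line that is not a GeneralName entry.
            if not re.match(r"(DNS|IP Address|email|URI):", stripped):
                break
            names += [n.lower().rstrip(".") for n in re.findall(r"DNS:([^\s,]+)", stripped)]
    return sorted(set(names))

def split_by_owner(names, my_domains):
    """Partition SAN names into (mine, others); assumption: exact or subdomain match."""
    mine, others = [], []
    for name in names:
        host = name[2:] if name.startswith("*.") else name
        # Require a label boundary so notropeholders.org does not match ropeholders.org.
        owned = any(host == d or host.endswith("." + d) for d in my_domains)
        (mine if owned else others).append(name)
    return mine, others

if __name__ == "__main__":
    mine, others = split_by_owner(san_dns_names(SAMPLE_CERT_TEXT), {"ropeholders.org"})
    print("mine:  ", mine)
    print("others:", others)
```

A non-empty `others` list is what a pooled CDN certificate looks like; an entry for your domain on a certificate from an issuer or provider you never used is the case worth following up.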