Two certificates are returned for a single domain

My domain is:

My operating system is (include version): Fedora 26

According to the SSL Labs test tool, my site has two SSL certificates instead of 1. I enabled HTTPS for two domains on the VPN with the same Let's Encrypt certificate.

Why are two certificates returned when the client expects only 1?

Previously, SSL Labs mentioned that the second certificate is for the situation without SNI. But for some reason, they are leaving that piece of information out.

When I tested from the CLI, I got the same results:

  • With SNI: openssl s_client -connect -servername | openssl x509 -noout -text
    “X509v3 Subject Alternative Name:,”

  • Without SNI: openssl s_client -connect | openssl x509 -noout -text
    “X509v3 Subject Alternative Name:,,,”.

The latter certificate is probably the “default” certificate of your webserver. In any case, nothing to be worried about, because almost every browser nowadays supports SNI.


Thanks for the clarification!

As an addition to my post above, I think the “No SNI” label is removed from your second certificate, because this second certificate is also valid for the tested domain!

Most of the time, this second certificate without using SNI is for another (set of) hostname(s) altogether, which would also trigger a “This site only works with SNI” warning at the top of the page. Perhaps the “No SNI” label on the second certificate also is limited to situations where the warning is present.

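The comparison discussed in the replies above, as an added example that is not part of the original thread: it reads the Subject Alternative Name list from the text output of the two `openssl x509 -noout -text` runs and reports whether the default (no-SNI) certificate also covers the tested hostname. The hostnames, the sample output and the three result labels are constructed for this example.

```python
import re

def san_dns_names(x509_text):
    """DNS names from the SAN extension in `openssl x509 -noout -text` output."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)", x509_text)
    if not m:
        return set()
    entries = (e.strip() for e in m.group(1).split(","))
    return {e[4:].lower() for e in entries if e.startswith("DNS:")}

def covers(names, host):
    """True if host matches a SAN entry; '*' stands for exactly one leftmost label."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n == host or (n.startswith("*.") and n[2:] == parent) for n in names)

def classify(host, with_sni_text, without_sni_text):
    """Result labels are this example's own, not SSL Labs wording."""
    if not covers(san_dns_names(with_sni_text), host):
        return "sni-cert-mismatch"      # even the SNI certificate is wrong for host
    if covers(san_dns_names(without_sni_text), host):
        return "default-also-valid"     # non-SNI clients still get a matching cert
    return "sni-required"               # non-SNI clients get a name mismatch

# Constructed sample output with placeholder hostnames.
WITH_SNI = """
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
"""
DEFAULT_SHARED = """
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:example.org, DNS:www.example.com, DNS:www.example.org
"""
DEFAULT_OTHER = """
            X509v3 Subject Alternative Name:
                DNS:other.example.net
"""

if __name__ == "__main__":
    for label, text in (("shared default", DEFAULT_SHARED), ("other default", DEFAULT_OTHER)):
        print(label, "->", classify("example.com", WITH_SNI, text))
```
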
