Two separate certbot-generated certificates "interfering" with each other

I created two separate certificates using certbot for two separate domains, giftyweddings.com and cdnupload.com. The first certificate looks fine, with common name giftyweddings.com and alternate names giftyweddings.com, www.giftyweddings.com. But SSL Labs shows that the second certificate I created, for cdnupload.com/www.cdnupload.com, contains the certificate for that domain PLUS the giftyweddings.com certificate as “Certificate #2”. Browsers don’t seem to care about this, but I’d like to know how I can create the separate certificates without the giftyweddings.com injecting itself into the cdnupload.com one.

The certbot command lines I’m using are:

sudo /usr/local/bin/certbot certonly --webroot -w /var/www/html/giftyweddings.com -d giftyweddings.com -d www.giftyweddings.com

sudo /usr/local/bin/certbot certonly --webroot -w /var/www/html/cdnupload.com -d cdnupload.com -d www.cdnupload.com

Links to the SSL Labs reports are:

I could also create a single certificate for all four domains/subdomains, but that seems non-ideal too, as then the common name for cdnupload.com would be “giftyweddings.com” and that seems weird.

Any idea why the two certs are “interfering” with each other and how to fix that? Or any other recommendations or best practices?

There is no interference I can see.

I assume you are looking at the “no SNI” certificate. This is essentially when just using your IP address for very old browsers where every https needed to be on a different IP address, and you have multiple domains on the same IP address.

Aha, thank you! I misinterpreted what that meant. I see now that it’s what a browser/client without SNI support would see (which would be the first certificate that Apache serves, the one for giftyweddings.com), not that there are actually two certificates bundled into one and interfering with each other. “Problem” solved, thank you.


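The SNI versus no-SNI comparison this thread arrives at, as an added example that is not part of any post above: a Python sketch that fetches the certificate a server presents with and without SNI and says whether the second one is just the default virtual host's certificate. The function names (`fetch_cert`, `dns_names`, `covers`, `explain`) and the sample dictionaries are constructed for illustration; the wildcard check is a simplified left-most-label match.

```python
import socket
import ssl

def fetch_cert(host, sni, port=443, timeout=5.0):
    """Return the leaf certificate the server presents; sni=None sends no SNI."""
    ctx = ssl.create_default_context()   # chain is still validated
    ctx.check_hostname = False           # the no-SNI cert may belong to another site
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def dns_names(cert):
    """DNS subjectAltName entries from an ssl.getpeercert() dict."""
    return sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")

def covers(cert, hostname):
    """True if a SAN matches hostname (exact, or wildcard in the left-most label)."""
    host = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def explain(hostname, with_sni, without_sni):
    """Classify the two certificates a scanner reports for one hostname."""
    if not covers(with_sni, hostname):
        return "mismatch: SNI clients get a certificate that does not cover " + hostname
    if covers(without_sni, hostname):
        return "ok: same coverage with and without SNI"
    return ("ok: non-SNI clients get the default vhost certificate (%s)"
            % ", ".join(dns_names(without_sni)))

# Constructed sample data in the shape ssl.getpeercert() returns.
GIFTY = {"subjectAltName": (("DNS", "giftyweddings.com"), ("DNS", "www.giftyweddings.com"))}
CDN = {"subjectAltName": (("DNS", "cdnupload.com"), ("DNS", "www.cdnupload.com"))}

if __name__ == "__main__":
    print(explain("cdnupload.com", CDN, GIFTY))
    # Live check (needs network): explain(h, fetch_cert(h, h), fetch_cert(h, None))
```

Only the "mismatch" result indicates a problem for current clients; a different certificate on the no-SNI connection is the fallback behaviour described in the reply above.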