Unusual Certificate Behaviour?

When Let's Encrypt issued their DST Root CA X3 Expiration notice last month, I was curious to check out the changes. As I was delving into it, I checked my own certificates and noticed something which I have been unable to figure out.

We have a number of webservers, Apache & Nginx, with each one hosting several websites and each vhost gets it's own certificate. Works well, no problems, except for maybe the behaviour I will explain.

When I used the SSLabs certificate checker, the first domain, in alphabetical order, has it's typical certificate applied, but each domain after that, not only has it's own certificate, but a second certificate. Additionally it also shows an error of server mismatch on that second certificate.

For example, the first domain (alphabetically) using the SSLabs cert checker looks fine.

But then if I check on another domain, and scroll further down until I reach Certificate #2: RSA 2048 bits (SHA256withRSA), which the first domain does not have. But I can't figure out why only one domain has only one certificate, while the rest have two. And as I mentioned earlier, there's a server mismatch which identifies the first domain as the alternate, even though it's nowhere in the vhost. Unless I'm missing something.

If anyone can explain it to me, I would greatly appreciate it.

1 Like

It's because 20secondsecret.com is the default certificate on your IP address, when no SNI name (or one that does not exist) is sent by the client in the connection request.

You can even see the "No SNI" note on the second certificate in SSL Labs.

This is very much a legacy thing. One could argue that SSL Labs shouldn't show the non-SNI certificate at all. These days, all browsers and other clients include an SNI name.

The only time it might legitimately come up, is if you try to connect to a domain that doesn't have a certificate, over HTTPS. Instead of getting the site you expect, you will see the site which has the default certificate slot. (It would be a lot better if the webserver just rejected the request, but that's an argument for another time.)


Ah OK, that makes sense. Alright TYVM.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.