Unusual Certificate Behaviour?

When Let's Encrypt issued their DST Root CA X3 Expiration notice last month, I was curious to check out the changes. As I was delving into it, I checked my own certificates and noticed something which I have been unable to figure out.

We have a number of webservers, Apache & Nginx, with each one hosting several websites and each vhost gets its own certificate. Works well, no problems, except for maybe the behaviour I will explain.

When I used the SSLabs certificate checker, the first domain, in alphabetical order, has its typical certificate applied, but each domain after that not only has its own certificate, but a second certificate. Additionally it also shows an error of server mismatch on that second certificate.

For example, the first domain (alphabetically) using the SSLabs cert checker looks fine.

But if I check another domain and scroll further down, I reach Certificate #2: RSA 2048 bits (SHA256withRSA), which the first domain does not have. I can't figure out why only one domain has only one certificate, while the rest have two. And as I mentioned earlier, there's a server mismatch which identifies the first domain as the alternate, even though it's nowhere in the vhost. Unless I'm missing something.

If anyone can explain it to me, I would greatly appreciate it.

1 Like

It's because 20secondsecret.com is the default certificate on your IP address, when no SNI name (or one that does not exist) is sent by the client in the connection request.

You can even see the "No SNI" note on the second certificate in SSL Labs.

This is very much a legacy thing. One could argue that SSL Labs shouldn't show the non-SNI certificate at all. These days, all browsers and other clients include an SNI name.

The only time it might legitimately come up is if you try to connect to a domain that doesn't have a certificate, over HTTPS. Instead of getting the site you expect, you will see the site which has the default certificate slot. (It would be a lot better if the webserver just rejected the request, but that's an argument for another time.)

4 Likes
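The behaviour described in the answer above can be reproduced without SSL Labs: connect to the same host twice, once with an SNI name and once without, and compare the leaf certificates the server presents. The script below is an added example written for this thread, not code from the original posts or from Let's Encrypt; it uses only the Python standard library, and the host name on the command line is whatever you choose to test (the `example.test` values in the comments are constructed placeholders).

```python
import socket
import ssl
import sys


def fetch_peer_cert(host, port=443, sni=True, timeout=10):
    """Return the server's leaf certificate as the dict ssl.getpeercert() produces.

    With sni=False no server_name extension is sent, so the server answers with
    whatever certificate sits in its default slot for that IP address.
    """
    ctx = ssl.create_default_context()
    # Keep chain verification on (getpeercert() returns {} under CERT_NONE),
    # but disable host-name checking so a mismatching default cert is still returned.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Collect the subject CN and all DNS SAN entries, lower-cased."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def hostname_matches(hostname, names):
    """Match a host name against certificate names, honouring one leading wildcard label."""
    host = hostname.lower()
    for name in names:
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # "*.example.test" -> ".example.test"
            if host.endswith(suffix):
                # The wildcard covers exactly one label, never zero and never several.
                prefix = host[: -len(suffix)]
                if prefix and "." not in prefix:
                    return True
    return False


def compare_sni_and_default(host, port=443):
    """Summarise whether the no-SNI (default) certificate differs from the SNI one."""
    with_sni = fetch_peer_cert(host, port, sni=True)
    no_sni = fetch_peer_cert(host, port, sni=False)
    default_names = cert_names(no_sni)
    return {
        "sni_cert_names": sorted(cert_names(with_sni)),
        "default_cert_names": sorted(default_names),
        "same_cert": with_sni.get("serialNumber") == no_sni.get("serialNumber"),
        # False here is exactly the "server mismatch" SSL Labs reports on certificate #2.
        "default_covers_host": hostname_matches(host, default_names),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.test"  # placeholder host
    for key, value in compare_sni_and_default(target).items():
        print(f"{key}: {value}")
```

Run it against the alphabetically first vhost and `same_cert` comes back True; against any other vhost on the same IP, `same_cert` is False and `default_covers_host` is False, which is the second certificate and the mismatch the original poster saw. The certificate dicts below are constructed to mirror that layout.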

Ah OK, that makes sense. Alright TYVM.

1 Like
