Web servers are typically designed to pick some certificate as a default – often the first one in the configuration – to use when they receive requests for unrecognized (HTTPS) server names.
It should be fine and shouldn’t matter much.
Some very obsolete clients will always use the default certificate, even when you have another virtual host that would match.
If you don’t want any “unmatched” connections you will have to explicitly accept them all and serve them something.
Try adding a vhost file with something like this:
```nginx
### serve all connections that are unmatched by any other vhost config ###
server {
    listen *:80 default_server;
    listen *:443 ssl default_server;
    server_name _none_;
    ssl_ciphers ALL;

    ### ssl cert and key must pair to each other ###
    ssl_certificate <path to any cert (preferably a bogus cert)>;
    ssl_certificate_key <path to corresponding key>;
    ### ssl cert and key must pair to each other ###

    location / {
        return 404 ' Site $host is not served here. ';
    }
}
```
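
An alternative catch-all, as an added example that is not part of the original post: on nginx 1.19.4 or later, `ssl_reject_handshake on;` refuses the TLS handshake for any name no other vhost claims, so no certificate (bogus or real) is presented for unmatched names. It takes the place of the block above rather than sitting beside it, since a listen address can have only one `default_server`; the `return 444` for plain HTTP and the `server_name _` value are choices made for this example.

```nginx
### added example: catch-all that rejects unmatched names (nginx >= 1.19.4) ###

# Plain HTTP: close the connection without sending a response
# for any Host header that no other vhost matches.
server {
    listen *:80 default_server;
    server_name _;          # placeholder name, never matches a real host
    return 444;             # nginx-specific: drop the connection, no reply
}

# HTTPS: abort the TLS handshake when the SNI name is not matched by
# another server block. No ssl_certificate / ssl_certificate_key is
# required here, so the first real vhost's certificate is never used
# as an accidental default.
server {
    listen *:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

Check the result with `nginx -t` before reloading; clients that send no SNI at all (the very old ones mentioned above) will also be rejected by this variant.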