Vhost without certificate tries to use the one of another vhost

Hello!

On my server (Debian Stretch), there are 2 vhosts:

sub.example1.com
sub.example2.com

Only sub.example1.com has a Let's Encrypt certificate (and it works).

sub.example2.com has no certificate.

Nevertheless, checking sub.example2.com on an SSL tester (such as https://www.ssllabs.com/ssltest/analyze.html?d=s2.example.com) reveals that it tries to use the certificate of sub.example1.com (of course, it fails as the names mismatch).

Is it normal behaviour or is it due to a misconfiguration? Should I give more details?

Thanks

Yes, it’s normal.

Web servers are typically designed to pick some certificate as a default – often the first one in the configuration – to use when they receive requests for unrecognized (HTTPS) server names.

It should be fine and shouldn’t matter much.

Some very obsolete clients will always use the default certificate, even when you have another virtual host that would match.


If you don’t want any “unmatched” connections you will have to explicitly accept them all and serve them something.
Try adding a vhost file with something like this:

### serve all connections that are unmatched by any other vhost config ###
server {
    listen *:80 default_server;
    listen *:443 ssl default_server;
    server_name _none_;
    ssl_ciphers ALL;
    ### ssl cert and key must pair to each other ###
    ssl_certificate <path to any cert (preferably a bogus cert)>;
    ssl_certificate_key <path to corresponding key>;
    ### ssl cert and key must pair to each other ###
    location / {
        return 404 ' Site $host is not served here. ';
    }
}
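As an added example (not from this thread), the same catch-all can be done without any bogus certificate on nginx 1.19.4 or newer, which is assumed here: ssl_reject_handshake refuses the TLS handshake for unmatched names, so nothing about sub.example1.com is ever shown to a client asking for sub.example2.com. The certificate paths and document root are assumptions, not values from the thread.

```nginx
# Catch-all for any name that no other server block matches.
# Needs nginx 1.19.4 or newer for ssl_reject_handshake (assumption).
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Refuse the TLS handshake instead of presenting a certificate,
    # so a client asking for sub.example2.com (or a bare IP) gets an
    # unrecognized_name alert rather than sub.example1.com's cert.
    ssl_reject_handshake on;

    # Plain HTTP requests for unknown names still get a clear answer.
    return 404 "Site $host is not served here.\n";
}

# The only name this server actually serves (paths are assumed).
server {
    listen 443 ssl;
    server_name sub.example1.com;

    ssl_certificate     /etc/letsencrypt/live/sub.example1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.example1.com/privkey.pem;

    root /var/www/sub.example1.com;
}
```

After `nginx -t` and a reload, `openssl s_client -connect <server-ip>:443 -servername sub.example2.com` should fail during the handshake instead of returning sub.example1.com's certificate, which is what the SSL tester was reporting.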
