Hello,
I'm hosting several websites at home behind Nginx Reverse Proxy that handles HTTPS and certificates.
My problem is that on some of them I can see a secondary certificate being called. For example, if I test my website domain.xyz on SSL Labs, it shows a secondary website for anotherdomain.xyz.
I know there has to be something I did wrong, and I'd be happy to learn how to improve.
The secondary certificate is because of something called SNI.
A long time ago, it wasn't possible to have more than one SSL website per IP address. Your browser would connect to the server, and it'd receive one certificate, no matter what domain it asked for.
When SNI was invented, browsers gained the ability to ask for a certain domain when connecting using SSL. This allowed multiple SSL websites to exist on one IP address.
The secondary certificate you see is the certificate you would get if your browser didn't support SNI, or if the server didn't have a certificate for the specific domain you were connecting to.
It's basically a legacy aspect of SSL. Nothing to worry about.
Old: One IP -> one (default) certificate. So if you have a lot of vHosts on the same IP, you must create one certificate with all domain names. That can't work if one IP has thousands of domains (shared hosting).
New: One IP, the web server uses Server Name Indication (SNI), the browser sends the host name, the web server selects the correct certificate. Result: one IP, thousands of different vHosts with different certificates are possible.
Checking the domain, there is a certificate with that domain name. Checking the IP via HTTPS, a different certificate is sent back. So your domain certificate isn't the default certificate, and your domain requires SNI.
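The two answers above describe the default-certificate behaviour in words; the following nginx configuration is an added example (not posted by either answerer, and not the original poster's config) that shows where that default actually comes from and how to stop a real site's certificate from being served on the bare IP. The hostnames domain.xyz and anotherdomain.xyz are taken from the question; every file path and backend address is an assumption.

```nginx
# Added example, not from the thread. Hostnames domain.xyz and
# anotherdomain.xyz come from the question; all paths and backend
# addresses below are assumed.
#
# nginx selects the certificate by matching the SNI name the client sends
# against server_name. When the client sends no SNI, or a name that no
# server block matches, nginx uses the default server for that address:port.
# Without an explicit default_server, that is simply the first server block
# for that port that nginx reads, so whichever site's config file happens to
# sort first has its certificate shown to anyone who probes the bare IP.

# Explicit catch-all for 443: handles SNI-less clients and unknown names.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # nginx >= 1.19.4: abort the TLS handshake instead of presenting any
    # certificate, so no real site name is exposed on the bare IP.
    ssl_reject_handshake on;

    # On older nginx, replace the line above with a throwaway self-signed
    # certificate and drop the connection instead:
    #   ssl_certificate     /etc/nginx/ssl/dummy.crt;   # assumed path
    #   ssl_certificate_key /etc/nginx/ssl/dummy.key;   # assumed path
    #   return 444;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain.xyz;

    ssl_certificate     /etc/letsencrypt/live/domain.xyz/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/domain.xyz/privkey.pem;    # assumed path

    location / {
        proxy_pass http://10.0.0.11:8080;   # assumed backend
        proxy_set_header Host $host;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name anotherdomain.xyz;

    ssl_certificate     /etc/letsencrypt/live/anotherdomain.xyz/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/anotherdomain.xyz/privkey.pem;    # assumed path

    location / {
        proxy_pass http://10.0.0.12:8080;   # assumed backend
        proxy_set_header Host $host;
    }
}
```

After `nginx -t` and a reload, the difference can be seen with `openssl s_client -connect <your-ip>:443 -servername domain.xyz </dev/null | openssl x509 -noout -subject`, which still returns the domain.xyz certificate, while the same command with `-noservername` (OpenSSL 1.1.1 or later; older releases simply omit `-servername`) is rejected with a TLS alert rather than answered with anotherdomain.xyz's certificate. That rejected handshake is what SSL Labs and scanners will now see on the bare IP.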
Thank you very much for those thorough answers. So there's nothing to worry about, if I read correctly? What determines which domain certificate is used "by default"?