Why do I have a secondary certificate?

Hello,
I'm hosting several websites at home behind an Nginx reverse proxy that handles HTTPS and certificates.
My problem is that on some of them I can see a secondary certificate being called. For example, if I test my website domain.xyz on SSL Labs, it shows a secondary website for anotherdomain.xyz.
I know there has to be something I did wrong and I'd be happy to learn how to improve.

Thanks for any answers you can give

My domain is: www.notarobot.fr

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Debian Buster in LXC container

My hosting provider, if applicable, is: myself with Proxmox

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

2 Likes

The secondary certificate is because of something called SNI.

A long time ago, it wasn't possible to have more than one SSL website per IP address. Your browser would connect to the server, and it'd receive one certificate, no matter what domain it asked for.

When SNI was invented, browsers gained the ability to ask for a certain domain when connecting using SSL. This allowed multiple SSL websites to exist on one IP address.

The secondary certificate you see is the certificate you would get if your browser didn't support SNI, or if the server didn't have a certificate for the specific domain you were connecting to.

It's basically a legacy aspect of SSL. Nothing to worry about.

3 Likes

Hi @Notarobot

There is nothing wrong; the result is expected.

  • Old: One IP -> one (default) certificate. So if you have a lot of vHosts with the same IP, you must create one certificate with all domain names. That can't work if one IP has thousands of domains (shared hosting).

  • New: One IP, the webserver uses Server Name Indication (SNI), the browser sends the host name, and the webserver selects the correct certificate. Result: One IP, thousands of different vHosts with different certificates are possible.

So the "other certificate" is the default certificate of that webserver. And your website requires SNI - see https://check-your-website.server-daten.de/?q=notarobot.fr#connections

Checking the domain, there is a certificate with that domain name. Checking the IP via https, a different certificate is sent back. So your domain certificate isn't the default certificate, so your domain requires SNI.

3 Likes
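The two answers above describe how Nginx picks a certificate: the `default_server` block (or, without that flag, the first `server` block for the listen address) answers every handshake that arrives with no SNI or with an SNI name no other block matches, and its certificate is the "secondary" one scanners report. The following configuration is an added example written for this thread, not the poster's actual config; the certificate paths follow Certbot's usual `/etc/letsencrypt/live/<name>/` layout and the backend address is a placeholder.

```nginx
# Added example: two vHosts sharing one IP on port 443.
# The default_server block answers handshakes without SNI and handshakes
# whose SNI name matches no other server_name; the certificate it presents
# is the "secondary" certificate SSL Labs shows for www.notarobot.fr.

server {
    listen 443 ssl default_server;
    server_name _;                           # catch-all for unknown / missing SNI
    # placeholder paths: the catch-all's own certificate
    ssl_certificate     /etc/letsencrypt/live/anotherdomain.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/anotherdomain.xyz/privkey.pem;
    return 444;                              # close the connection, serve nothing
}

server {
    listen 443 ssl;
    server_name www.notarobot.fr notarobot.fr;  # matched against the SNI name
    ssl_certificate     /etc/letsencrypt/live/www.notarobot.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.notarobot.fr/privkey.pem;
    location / {
        proxy_pass http://10.0.0.10;         # placeholder backend address
    }
}
```

To see which block answers, compare `openssl s_client -connect www.notarobot.fr:443 -servername www.notarobot.fr` with the same command run without `-servername` (no SNI sent) and look at the `subject=` line of each: the first should name your domain, the second whichever certificate the default block holds. If you would rather not reveal any other site's certificate to clients that send an unknown or missing name, Nginx 1.19.4 and later can replace the certificate directives in the catch-all block with `ssl_reject_handshake on;`, which aborts the handshake instead of presenting a certificate.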

Thank you very much for those thorough answers. So there's nothing to worry about if I read correctly? What determines which domain certificate is used "by default"?

2 Likes

Compare your vHosts. Your system has the answer.

1 Like