Letsencrypt Cert includes a second cert from another vhost

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Andy, Apr 15, 2018.

  1. Andy

    Andy Premium Member Premium Member

    I got a new dedi box, installed the latest Centmin and used option 2 to create a new vhost/SSL cert for the over30care.com domain.
    Everything went fine and I got 2 conf files, over30care.com.conf and over30care.com.ssl.conf.

    SSLLabs gave it an A+ score.

    I then created a new vhost on the same server for quantnet.org, and this time it only created one conf file, quantnet.org.ssl.conf.
    The domain works fine, serving everything correctly.

    When I check on SSLLabs, it seems to include the second cert from over30care.com, as seen here:
    SSL Server Test: quantnet.org (Powered by Qualys SSL Labs)

    I don't remember what options I chose when I created the cert for over30care, but it created 2 conf files. When I created the cert for quantnet.org, I chose option 4, full live HTTPS.

    @eva2000, do you know why the cert path for the second domain includes the cert from the first domain? How do I fix it? Thanks.

  2. eva2000

    eva2000 Administrator Staff Member

    That's normal for SNI-based HTTPS usage, where multiple HTTPS SSL domains share a single IP address: Server Name Indication - Wikipedia

    All modern browsers support SNI, so that's why SSL Labs gives you an A+ and notes "This site works only in browsers with SNI support."

    The second SSL domain cert isn't used in modern browsers that support SNI. For older browsers like WinXP IE8 which don't support SNI, you would have issues, as the 2nd cert would be served (which is listed under the header "Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI"). In that case the solution is to have a dedicated IP address per HTTPS domain on the same server; that's why, many years ago before browsers supported SNI, it was a valid justification for a dedicated IP per HTTPS SSL domain.

    So there's nothing to do; all is working as it should be.
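    An added example (not from this thread or from Centmin Mod) showing why a client that sends no SNI gets the first vhost's certificate, and one way to stop that from exposing another site's cert to such clients. Certificate paths and the alphabetical include order of the `.ssl.conf` files are assumptions.

    ```nginx
    # Added example, not Centmin Mod's generated config. Paths are placeholders.
    #
    # nginx chooses a certificate for a non-SNI TLS handshake from the default
    # server for that ip:port. With no explicit default_server, that is simply
    # the first server{} it loaded; assuming the vhost files are included in
    # alphabetical order, over30care.com.ssl.conf comes before quantnet.org.ssl.conf,
    # so SSL Labs lists over30care.com's cert as "Certificate #2 ... No SNI"
    # on the quantnet.org report. SNI clients are unaffected either way.

    server {
        listen 443 ssl http2;
        server_name over30care.com www.over30care.com;
        ssl_certificate     /path/to/over30care.com.crt;   # assumed path
        ssl_certificate_key /path/to/over30care.com.key;   # assumed path
    }

    server {
        listen 443 ssl http2;
        server_name quantnet.org www.quantnet.org;
        ssl_certificate     /path/to/quantnet.org.crt;     # assumed path
        ssl_certificate_key /path/to/quantnet.org.key;     # assumed path
    }

    # Optional: a catch-all default_server with its own self-signed cert, so a
    # non-SNI client (or a scanner probing the bare IP) only ever sees this
    # throwaway cert and never another tenant's hostname. Browsers with SNI
    # still match the named vhosts above and are unaffected.
    server {
        listen 443 ssl http2 default_server;
        server_name _;
        ssl_certificate     /path/to/catchall-selfsigned.crt;  # assumed path
        ssl_certificate_key /path/to/catchall-selfsigned.key;  # assumed path
        # nginx 1.19.4+ can instead use "ssl_reject_handshake on;" here and
        # drop the two certificate lines, aborting the handshake outright.
        return 444;   # close the connection without a response
    }
    ```

    Verify with `openssl s_client -connect IP:443` (no `-servername`) versus `-servername quantnet.org`: the subject of the first certificate returned should differ.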
     
  3. Andy

    Andy Premium Member Premium Member

    Thank you, George. That's a relief.
    I got an A+ for over30care but only an A for quantnet.org, and no issue/warning about the second cert for over30care. I wonder if the reason is that its cert was generated first and so did not include the subsequently issued cert.

    Thank you.
     
  4. eva2000

    eva2000 Administrator Staff Member
