This is a little hard to get across, so apologies if it's unclear.

I have been asked by a client to install an ssl cert on a domain that lives on a server he looks after. There are multiple domains pointing to the same server. Someone before me has used certbot to install a cert for one domain: elitemi.co.uk. I used certbot to create a certificate for another domain print4.co.uk. On running a test https://www.ssllabs.com/ssltest/analyze.html?d=print4.co.uk the first cert is valid, but there is a secondary cert with the common name of elitemi.co.uk.

This is causing issues with outlook and other services, and I just want rid of it! I have checked the config for print4.co.uk and it doesn't have an entry for the other cert, and as far as I can see there are no defaults set for nginx or nginx.conf to point to the elitemi cert. I'm out of ideas and the guy who set the first one up can't remember what he did.

So my question is how to find out why the second cert is even being looked at and how to get rid of this connection.

Ben Harvey
    It's likely that the certificate file that you believe is `print4.co.uk` also contains the certificate for `elitemi.co.uk`. – Torin Jan 29 '18 at 11:25
  • @TorinCarey When I run the test on `elitemi.co.uk` , it doesn't report `print4.co.uk` as part of the cert. Would it flag this up? Is there a way to check this? – Ben Harvey Jan 29 '18 at 11:27
  • The certificate file for `elitemi.co.uk` could just contain that. Whereas it's possible that you've accidentally appended/prepended that same certificate to the `print4.co.uk` cert file. Could you paste the contents of the *public* `print4.co.uk` file? – Torin Jan 29 '18 at 11:29
  • Sorry I've completely missed that the second certificate was labelled (No SNI), see answer. – Torin Jan 29 '18 at 11:44

1 Answer


The website is fine.

Since you're using multiple certificates on the same IP address, the server needs to know which website the client is connecting to during the TLS handshake (since the Host header comes after the handshake during the HTTP transmission). The way the server knows which certificate the client wants to see is through Server Name Indication (SNI). The reason you're seeing two certificates is that the second elitemi.co.uk certificate is used when the client hasn't specified a hostname.

This is normal activity and you shouldn't be worried.

Torin
  • Ah, that makes sense. Like the 'default' path. The client is having issues with Outlook webmail rejecting the security cert because it's getting one in another name. I checked the certs and noticed that elitemi was using tls-sni-01 for a challenge as opposed to HTTP-01 for all others. I think this is an installation issue so have replaced the cert and will do more research on SNI – Ben Harvey Jan 29 '18 at 12:17
  • I can't see why the challenge would make a difference. You'll have to supply more information of what you mean when you say outlook doesn't work. It sounds like the client just isn't using SNI. – Torin Jan 29 '18 at 12:26
  • The information I have to go on is vague at best. The default ssl cert was the only thing I had to go on. Waiting for more information from client but I will update. Currently looking for a way to remove the No SNI result or at least say there isn't a cert available when SNI isn't enabled on a request. – Ben Harvey Jan 29 '18 at 12:32
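The answer's point, that the second certificate is only the server's default for clients that send no SNI, can be verified locally rather than by reading the SSL Labs report. The script below is an added example, not code from the question or answer: it connects to a host twice, once with the server_name extension and once without, and compares the names each certificate covers. The `SAMPLE_CERT` dictionary is a constructed value in the shape `getpeercert()` returns, not a real certificate from either domain, and the `diagnose` wording is this example's own.

```python
"""Check which certificate a TLS server presents with and without SNI."""
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (not a real certificate from the question's hosts).
SAMPLE_CERT = {
    "subject": ((("commonName", "elitemi.co.uk"),),),
    "subjectAltName": (("DNS", "elitemi.co.uk"), ("DNS", "www.elitemi.co.uk")),
    "notAfter": "Apr 29 10:00:00 2018 GMT",
}


def names_from_cert(cert):
    """Return the set of hostnames a getpeercert() dict covers (CN plus DNS SANs)."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def cert_matches(cert, hostname):
    """True if the certificate covers hostname (exact name or one-label wildcard)."""
    host = hostname.lower()
    for name in names_from_cert(cert):
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def fetch_cert(host, port=443, use_sni=True, timeout=5.0):
    """Open a TLS connection and return the validated peer certificate dict.

    With use_sni=False no server_name extension is sent, so the server answers
    with whatever default certificate its configuration picks; that is the
    certificate the 'No SNI' line in an SSL Labs report describes.
    """
    ctx = ssl.create_default_context()
    # Hostname is checked by cert_matches below; chain validation stays on
    # because verify_mode remains CERT_REQUIRED.
    ctx.check_hostname = False
    server_hostname = host if use_sni else None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert()


def diagnose(host, sni_cert, no_sni_cert):
    """Summarise the two observations the way the answer explains them."""
    if not cert_matches(sni_cert, host):
        return "SNI certificate does not cover " + host + ": fix the server block for this host"
    if cert_matches(no_sni_cert, host):
        return "both SNI and default certificates cover " + host
    return ("SNI certificate is correct; the default (no-SNI) certificate is for "
            + ", ".join(sorted(names_from_cert(no_sni_cert)))
            + ", so only clients that omit SNI see it")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "print4.co.uk"  # host named in the question
    with_sni = fetch_cert(target, use_sni=True)
    without_sni = fetch_cert(target, use_sni=False)
    print("with SNI   :", sorted(names_from_cert(with_sni)))
    print("without SNI:", sorted(names_from_cert(without_sni)))
    print(diagnose(target, with_sni, without_sni))
```

Run it as `python3 sni_check.py print4.co.uk` against a live host; a client that behaves like the "No SNI" row will see the second list. If, as in the last comment, the goal is to answer no-SNI clients with no certificate at all rather than a default one, nginx 1.19.4 and later supports `ssl_reject_handshake on;` in the `default_server` block for port 443, which closes the handshake instead of picking a default certificate; older versions always serve the first (or `default_server`) certificate, so the only option there is to make that default the certificate you want unaware clients to see.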