I have configured an Ubuntu host with Apache 2.4 and multiple domains (a.com and a default of no domain name specified, just an IP). The httpd.conf file contains entries for a default web site (no matching website name in the URL), and one entry for a.com. This works great. I can access the host by IP or A.COM and see 2 different websites.

Next, the default site includes an SSL certificate that works fine. I now added a Let's Encrypt cert to my a.com domain, but all attempts to access HTTPS://myIP cause Apache to present the certificate associated with the a.com website.

Why is my a.com certificate being presented for the default website?

<VirtualHost _default_:80>
  DocumentRoot "/data/websites/default"
  <Directory "/data/websites/default">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

<VirtualHost _default_:443>
  DocumentRoot "/data/websites/default"
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

  <Directory "/data/websites/default">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

<VirtualHost *:80>
  ServerName a.com
  DocumentRoot "/data/websites/a.com"
  ErrorLog "/data/logs/a.com-error_log"
  CustomLog "/data/logs/a.com-access_log" common
  <Directory "/data/websites/a.com">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>
</VirtualHost>


<VirtualHost *:443>
  ServerName a.com
  DocumentRoot "/data/websites/a.com"
  SSLEngine on
  SSLCertificateFile "/data/etc/lego/certificates/a.com.crt"
  SSLCertificateKeyFile "/data/etc/lego/certificates/a.com.key"
  <Directory "/data/websites/a.com">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>
  # Error Documents
  ErrorDocument 503 /503.html
  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>
TSG
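A quick way to see the symptom from the outside is to ask the server for its certificate twice: once with the a.com SNI name, and once with no SNI at all, which is what a browser sends when the URL is a bare IP address. The script below is an added diagnostic, not part of the question or the answer; it assumes `openssl` 1.1.1 or newer (for `-noservername`) and that the server listens on port 443. The hostname and the `203.0.113.10` address in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic: report which leaf certificate Apache presents for a TLS
# handshake that carries the a.com SNI name, and for one that carries no SNI
# at all (the bare-IP case from the question).
#
# Usage: sh sni_check.sh <server-ip> <hostname>
#        sh sni_check.sh 203.0.113.10 a.com     (constructed placeholder values)

# Pull the leaf certificate's subject out of `openssl s_client` output.
# Handles the "subject=CN = a.com" form printed by OpenSSL 1.1.1+ and the
# older "subject=/CN=a.com" form.
subject_from_s_client() {
  sed -n 's/^subject=[[:space:]]*//p' | head -n 1
}

# Connect to $1:443 and print the presented subject. With $2 non-empty, send
# it as the SNI server name; with $2 empty, send no SNI (-noservername is an
# OpenSSL 1.1.1+ option).
presented_subject() {
  target="$1"
  sni="$2"
  if [ -n "$sni" ]; then
    openssl s_client -connect "$target:443" -servername "$sni" \
      < /dev/null 2>/dev/null | subject_from_s_client
  else
    openssl s_client -connect "$target:443" -noservername \
      < /dev/null 2>/dev/null | subject_from_s_client
  fi
}

# Return 0 when the no-SNI handshake received a different certificate from
# the named one (the default vhost has its own cert), 1 when both handshakes
# received the same certificate (the symptom described in the question).
sni_is_distinguished() {
  [ "$1" != "$2" ]
}

# Only run the live check when a target and hostname were given, so the
# functions above can also be sourced or tested without network access.
if [ "$#" -ge 2 ]; then
  with_sni=$(presented_subject "$1" "$2")
  without_sni=$(presented_subject "$1" "")
  echo "SNI=$2  -> $with_sni"
  echo "no SNI  -> $without_sni"
  if sni_is_distinguished "$with_sni" "$without_sni"; then
    echo "OK: the no-SNI (bare IP) handshake gets a different certificate"
  else
    echo "SYMPTOM: the $2 certificate is also presented for bare-IP requests"
  fi
fi
```

If both lines print the same subject, the server is handing out the a.com certificate to clients that never asked for a.com, which is exactly what the question observes; the two subjects differing confirms the default vhost is serving its own certificate for no-SNI handshakes.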

1 Answer

Two things:

1) HTTPS will not work over IP, as the main purpose of the SSL is to validate the domain name. So checking HTTPS using IP is a wrong approach; instead, you could edit the "hosts" file on your client machine.

2) Why would you provide an SSL certificate for the websites that you don't serve? Because that is what your default statement does. You can leave HTTP (80) requests responded to, but it just won't work the way you want with SSL, simply because SSL needs a valid domain name to check against.

Dmitriy Kupch