Just ran an SSL scan against one of my websites and was happy to see it A rated, but going over the details I see two server certificates were detected. One from the vhost and the other from the first vhost file (in alphabetical order) which doesn't apply to the domain I was testing. I'm not sure if they run a second test against the server IP address as that would likely have resulted in this second certificate being presented. Has anyone else seen this on their servers? As a side note, I guess it's high time I ensure the first vhost Apache uses as a catch-all is not a client website... SSL analysis in question: https://www.ssllabs.com/ssltest/analyze.html?d=www.maizymoo.com&s=136.144.140.104
Another case of: I should know to read better. The second cert is listed as [no SNI], which means: Which confirms my hunch... Case closed.
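
Added example, not part of the original posts: a small audit that reports which vhost's certificate a client sending no SNI would receive, before and after a catch-all is added. It assumes the vhost files are pulled in by a wildcard `Include` (loaded alphabetically) and all listen on the same address; every file name, host name and path here is a constructed placeholder.

```python
import re

# Constructed sample of sites-enabled/*.conf files; names and paths are made up.
SAMPLE = {
    "shop.example.conf": """
<VirtualHost *:443>
    ServerName www.shop.example
    SSLCertificateFile /etc/ssl/shop.example.pem
</VirtualHost>""",
    "blog.example.conf": """
<VirtualHost *:80>
    ServerName www.blog.example
</VirtualHost>
<VirtualHost *:443>
    # ServerName old.blog.example
    ServerName www.blog.example
    SSLCertificateFile /etc/ssl/blog.example.pem
</VirtualHost>"""}
# Hypothetical catch-all: sorts first and carries a throwaway certificate.
CATCH_ALL = {"000-default.conf": """
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLCertificateFile /etc/ssl/selfsigned-placeholder.pem
</VirtualHost>"""}

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """First uncommented value of a directive inside one vhost block."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def vhosts_on_port(files, port="443"):
    """(file, ServerName, certificate) per vhost on the port, in load order."""
    found = []
    for fname in sorted(files):  # a wildcard Include is expanded alphabetically
        for addrs, body in VHOST.findall(files[fname]):
            if any(a.endswith(":" + port) for a in addrs.split()):
                found.append((fname, directive(body, "ServerName"),
                              directive(body, "SSLCertificateFile")))
    return found

def no_sni_vhost(files, port="443"):
    """First vhost on the port: the one whose certificate no-SNI clients get."""
    vhosts = vhosts_on_port(files, port)
    return vhosts[0] if vhosts else None

if __name__ == "__main__":
    print("before:", no_sni_vhost(SAMPLE))
    print("after: ", no_sni_vhost({**SAMPLE, **CATCH_ALL}))
```

With only the two client files, the no-SNI answer is the alphabetically first client site; once the catch-all file is present, the placeholder certificate is what a scanner sees without SNI.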