Why is site serving different SSL certs to different browsers?

Posted by TRiG on Server Fault See other posts from Server Fault or by TRiG
Published on 2012-11-16T11:11:01Z Indexed on 2012/11/19 17:02 UTC
Read the original article Hit count: 511

The SSL certificate on menswearireland.com and on www.menswearireland.com works fine on Safari, Chrome, SeaMonkey, K-Meleon, QtWeb, Firefox, and Opera. However, Internet Explorer claims that there is an error:

The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)

Another site hosted on the same managed server shows no errors: achill-fieldschool.com and www.achill-fieldschool.com work fine on IE, even though as far as I can tell the certificate is set up identically.

What am I doing wrong?

This is a LAMPP server running Plesk.

It looks like the server is showing different certificates to different clients. To some clients it shows a RapidSSL certificate made out to www.menswearireland.com with menswearireland.com as a valid alternative name. To other clients, it shows a Parallels Panel certificate, made out to Parallels Panel. Here are results from a few different online SSL checkers: most say it's fine, while two show errors.

Three online checkers say it's valid

Comodo SSL Check shows it as valid

Comodo SSL Check shows it as valid

DigiCert SSL Check shows it as valid

DigiCert SSL Check shows it as valid

SSL Shopper SSL Check shows it as valid

SSL Shopper SSL Check shows it as valid

Common name: www.menswearireland.com
SANs: www.menswearireland.com, menswearireland.com
Valid from October 2, 2012 to November 4, 2013
Serial Number: 559425 (0x88941)
Signature Algorithm: sha1WithRSAEncryption
Issuer: RapidSSL CA

Another online checker seems to see a completely different certificate

GeoCerts SSL Check shows it as invalid

GeoCerts SSL Check shows it as invalid

Common name: Parallels Panel
Organization: Parallels
Valid from August 15, 2012 to August 15, 2013
Issuer: Parallels Panel

Another online checker sees more than one certificate

Symantic SSL Check shows it as invalid

Symantic SSL Check shows it as invalid

The certificate installation checker connected to the Web server and read its certificates, but could not determine which is the primary certificate for the Web server.

Incidentally, on both menswearireland.com and achill-fieldschool.com the homepage will redirect from HTTPS to HTTP. To see SSL details, visit the page /account on both (that page will redirect from HTTP to HTTPS).


I’ve found more information in a more detailed online SSL checker.

https://www.ssllabs.com/ssltest/analyze.html?d=menswearireland.com

This site works only in browsers with SNI support

My understanding is that SNI (RFC 6066) is a method for putting many SSL sites on one shared IP address and port. This does not work on Internet Explorer on older versions of Windows (this has to do with the version of Windows, not the version of Internet Explorer). However, all our SSL sites are on a unique IP address, so we shouldn’t need SNI.

© Server Fault or respective owner

Related posts about ssl-certificate

Related posts about internet-explorer