Nginx serving extra ssl certs

Fabian A. Santiago fsantiago at
Sun Mar 12 20:27:58 UTC 2017

On March 12, 2017 3:58:41 PM EDT, Richard Stanway <r1ch+nginx at> wrote:
>Your configs look fine, what you are seeing is the certificate that is
>if a client does not support SNI. You can control which certificate is
>chosen using the default_server parameter on your listen directive.
>On Sun, Mar 12, 2017 at 4:54 PM, Fabian A. Santiago <
>fsantiago at> wrote:
>> Hello nginx world,
>> I hope you can help me track down my issue.
>> First, I'm running:
>> CentOS 7.3.1611
>> Nginx 1.11.10
>> OpenSSL 1.0.1e-fips
>> My issue is I run 11 virtual sites, all listening on both IPv4 & 6,
>> two addresses, so obviously I rely on SNI. One site also listens on
>> When I check the ssl responses using either ssllabs server test or
>> s_client, my sites work fine but also serve an extra 2nd cert meant for the
>> wrong hostname. I'm confused as I see no issue with my config files.
>> I've attached a sample of my config files for one site for your
>> You can also check this domain for yourself:
>> Thanks for your help.
>> --
>> Thanks.
>> Fabian S.

Oh, that makes sense. Ok, I guess I just never noticed that before. And also thought that default site wouldn't be sent unless it knew of no SNI already. Thanks. That was easy. 
Fabian S.
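
The `default_server` behaviour discussed in this thread, as an added configuration example that is not part of the original messages or the poster's attached config. Hostnames and certificate paths are placeholders; the point is that the default is chosen per listen socket, so it is set explicitly on both the IPv4 and the IPv6 listener.

```nginx
# Added example; hostnames and certificate paths are placeholders.

# Catch-all server: selected for any TLS handshake on these sockets that
# carries no SNI, or an SNI name that matches no server_name. Its certificate
# is the one such clients are shown. Without an explicit default_server, nginx
# uses the first server block defined for that address:port instead.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/placeholder-default.crt;
    ssl_certificate_key /etc/nginx/ssl/placeholder-default.key;

    return 444;   # close the connection without sending a response
}

# A named site: selected only when the client's SNI matches server_name.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/ssl/www.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.example.com.key;

    root /var/www/www.example.com;
}
```

A handshake with no SNI (for example `openssl s_client -connect <host>:443` from OpenSSL 1.0.x run without `-servername`) receives the catch-all certificate; adding `-servername www.example.com` receives the named site's certificate.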
