Host does not use SNI
What this means
SNI (Server Name Indication) is an extension of the TLS/SSL protocol that allows a single IP address to host multiple secure (HTTPS) websites, each with its own certificate.
A single web server will often host several domain names, and the IP address alone is not enough to indicate which domain a user is trying to reach.
Without a way to name the site, the server may present the wrong SSL certificate, and the browser then refuses or aborts the HTTPS connection.
The extension lets the client state the hostname (domain name) it wants during the TLS handshake itself, rather than only in the HTTP Host header, which is not sent until the handshake has already completed.
Why this is a problem
Without SNI the server cannot pick the right certificate for the requested site, which produces what is known as a “common name mismatch error”: the client (user) device reaches the right IP address for a website, but the name on the SSL certificate does not match the name of the website.
This kind of error usually surfaces as a “Your connection is not private” message in the user’s browser.
How to check if the problem is there
As long as you have a modern operating system and browser, the easiest way is to browse to two websites hosted on the same IP address and check whether each presents the correct certificate.
There are 3 possible outcomes; you will see one of the following:
- a wildcard certificate (or one with a subjectAltName) which covers both names
- the wrong certificate for at least one of them – either the server does not support SNI or it has been configured wrong
- two different certificates, both for the correct name – SNI is supported and correctly configured
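The same check can be scripted so it is repeatable across many hosts. The Python script below is an added example and is not part of the original page: it performs a TLS handshake against one IP address for each hostname with SNI, once more without SNI to see the server's default certificate, and then maps what it saw onto the three outcomes listed above. The IP address and hostnames in the usage line are constructed placeholders; replace them with a real server and the names it is meant to serve.

```python
"""Classify which certificate a server presents for each hostname on one IP address,
with and without SNI. Added example, not code from the original page; the target IP and
hostnames at the bottom are constructed placeholders."""
import socket
import ssl


def cert_names(cert):
    """Collect the DNS names a getpeercert() dict covers: the CN plus any DNS SANs."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a wildcard that replaces only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".example.test"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label   # exactly one label stands in for '*'
    return False


def cert_covers(cert, hostname):
    """True if any name on the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def classify(hostnames, certs_by_host):
    """Map the certificates seen via SNI for each name onto the page's three outcomes."""
    wrong = [h for h in hostnames if not cert_covers(certs_by_host[h], h)]
    if wrong:
        return "wrong certificate for %s: SNI unsupported or misconfigured" % ", ".join(wrong)
    serials = {certs_by_host[h].get("serialNumber") for h in hostnames}
    if len(serials) == 1:
        return "one certificate covers all names (wildcard or subjectAltName)"
    return "distinct correct certificates: SNI supported and correctly configured"


def fetch_cert(hostname, ip, port=443, sni=True, timeout=5.0):
    """Handshake with `ip` and return the leaf certificate it presents.
    Hostname checking is disabled so a mismatched certificate is returned instead of
    raising; chain validation stays on because getpeercert() is empty for unverified peers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname if sni else None) as tls:
            return tls.getpeercert()


def check_host(ip, hostnames):
    """Run the page's check: each name's certificate via SNI, plus the no-SNI default."""
    certs = {h: fetch_cert(h, ip) for h in hostnames}
    default = fetch_cert(hostnames[0], ip, sni=False)
    return {
        "outcome": classify(hostnames, certs),
        "default_cert_names": sorted(cert_names(default)),
    }


if __name__ == "__main__":
    # Constructed placeholder target; substitute a real IP and the names it should serve.
    print(check_host("192.0.2.10", ["www.example.test", "shop.example.test"]))
```

The no-SNI handshake is worth keeping in the report: the names on that default certificate tell you which site a legacy client with no SNI support will be handed, which is the case the rest of this page is about. If a server's chain does not validate against the system trust store, fetch_cert raises ssl.SSLCertVerificationError rather than returning a certificate; that is a separate problem from SNI and is best reported as such.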
How to fix this
To resolve this error, an administrator should make sure the server's SNI configuration is correct and that the SSL/TLS certificate served for each hostname actually corresponds to that hostname.