Different SSL certificates are shown depending on which VPN server is used

[alphastep 0]

First of all, let me give a warning that in this post I will mention several URLs that contain adult content which is not suitable for work (NSFW), and also people who are offended by gay pornographic material should avoid clicking on these links.

I have several WordPress blogs which are all installed on the same IP address, on a shared hosting in USA. The main and most important blog (roughstraightmen.com) has a bought Sectigo SSL certificate, whereas all the others have the free Let's Encrypt certificates (e.g. justman2man.com or malefeetshrine.com).

About 10 days ago I noticed that one free Let's encrypt certificate on a domain was giving me an error in Android browsers, so I asked my hosting to correct that error. They did that, however, after that I noticed that I would always get the wrong certificate for my main blog roughstraightmen.com if I used certain VPN servers from AirVPN.

Only one AirVPN server shows the correct Sectigo certificate for that blog - AIN in Stockholm Sweden. If I choose any other VPN server, such as for instance Hercules in USA or Ogma in Germany, my Android browsers such as Chrome or Firefox always report the Let's Encrypt certificate instead of the Sectigo certificate.

Please take a look at the test results for the SSL certificate for that domain (it may take a couple of minutes for the test to complete)

https://www.ssllabs.com/ssltest/analyze.html?d=www.roughstraightmen.com&latest

It appears that that domain has several certificates besides the Sectigo one, for example this one:

Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

And apparently it is that certificate that is shown whenever I use any of the AirVPN servers except for Ain in Stockholm Sweden

My hosting had this to say about that fact:


Maybe the mix-up that you see is due to SNI and caching from each of those host. All these domains are in the same IP address with the Sectigo SSL and the multi-domain SSL from Let's encrypt. If these changes was just recently updated where it started this issue, then I would give it maybe 24-48hrs to completely check again everything. 

Or if you want, If it's causing this much issue, what we could suggest is to assign a dedicated IP address for the domain that has a Sectigo SSL Certificate. That way it has its own dedicated IP address and will not conflict on the other domains with Let's Encrypt SSL Certificates.

And also they said this about the test results from the above mentioned SSL testing site:

This site is performing two different checks to get the two certificates. The first is if you call the site's IP and specifically request the site name roughstraightmen.com

The second certificate is if you call the site's IP and do not request a site, it gives the default site for the IP, which is a certificate with multiple names covering several domains in the roughstr account.

The third certificate is an intermediate certificate vouching for the authenticity of the first two, and is needed as part of SSL certificate by the end system.

The fourth certificate is the "root" certificate, which vouches for the third certificate and is also stored in most modern operating systems' certificate stores as a certificate that can be trusted, this completing the chain.


If I do not use any VPN server, but just use my regular internet provider IP to access roughstraightmen.com, I always get the correct Sectigo certificate in all android browsers (except for the Tor browser, which also shows Lets Encrypt certificate, regardless of whether I use VPN or just my internet provider IP).

Also, please note that it does not matter which browser is used, nor does it matter if I connect through the UDP or TCP protocol. Please note that on my Android phone I use the application called "OpenVPN connect" and I import .ovpn files that are generated by this site airvpn.org.

As far as I know, this strange behavior with wrong SSL certificates being shown when VPN servers are used had not happened before my hosting tried to correct some SSL error 10 days ago. Now they say that everything is fine with my certificates and that they cannot correct it or make it function any better anymore. They say that this error is due to AirVPN or some misconfiguration on their servers, possibly something that has to do with cashing.

So, does anyone have any idea why I always get the wrong certificate (Let's encrypt) instead of Sectigo when I use most of the AirVPN servers ( the only exception being the Ain server in Stockholm Sweden)? As far as I know, the IP address should not have any impact on which certificate for a website is shown in the browser. Is this, in your opinion, some misconfiguration on the level of my hosting or something that is caused by AirVPN servers?

[OpenSourcerer 1409]

Huh. That one LE cert is valid for a veeery wide range of domains, including *.roughstraightmen.com. Is this intended? Maybe that's where the error lies?
The SSL config of Apache from the server would also be interesting to look at. Or maybe all the relevant config. I think the LE cert is configured somwhere to be sent by default.

It is interesting that the LE cert is sent over VPN and Sectigo over plain, but… I don't see how an OpenVPN server could have anything to do with that choice. It's simply forwarding traffic.

[Staff 9893]

Hello!

We 100% confirm what @OpenSourcerer wrote. If we assumed that the "selection" is not performed by some source outside AirVPN, the reported behavior would be inexplicable. We can only confirm that we do not alter traffic payload in any way (and we can't do it, not even if we wanted to, when you have end-to-end encryption). So we are reasonably convinced that it is caused by something outside AirVPN, and this something (a web server?) modifies its behavior according to the source which accesses the resource.

Kind regards