Nginx offers a wrong certificate

whenever i check my domain via command line
openssl s_client -connect sub.domain.tld:443 -status < /dev/null
or via

I will see two certificates.
This also affects OpenHAB, because it is listening on one specific subdomain.
All Subdomains are listening on the same IP.

Lets say the certificate is issued for sub.domain.tld
I will see that www.domain.tld answers, too.

(This could be any certificate from my nginx config, but: www.domain.tld is the first one that i entered in my virtual hosts configuration)

Chrome and any other modern browser won’t have a problem with the certificate.

I hope that someone might help me with this

What does your nginx configuration look like? A second certificate can only be obtained if the server references it somewhere. You might have better luck on the nginx forums.

Vhost files are looking like this:

server {
    listen 80;
    listen [::]:80;
    server_name  sub.domain.tld;
    return 301 https://sub.domain.tld$request_uri;
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name  sub.domain.tld;
    include snippets/ssl-sub.domain.tld.conf;
    include snippets/ssl-params.conf;
    access_log /var/log/nginx/smarthome.log;
    location / {
		proxy_buffering								off;
		proxy_set_header Host $host;
		proxy_set_header	X-Real-IP				$remote_addr;
		proxy_set_header	X-Forwarded-For			$proxy_add_x_forwarded_for;
		proxy_set_header	X-Forwarded-Proto		$scheme;
		satisfy any;
		deny  all;
		auth_basic									"Username and Password Required";
		auth_basic_user_file						/pwd/smarthome/.htpasswd;
	#### When using Let's Encrypt Only ####
	location /.well-known/acme-challenge/ {
		root										/var/www/nginx/sub.domain.tld;

Cert is stored in /etc/nginx/snippets
ssl-params too:

# from
# and
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam_2048.pem;
#ssl_dhparam /etc/ssl/certs/dhparam_4096.pem;
ssl_ecdh_curve secp384r1;

i also tried this tutorial, because it has a few hints regarding sni /multiple vhosts.

www.domain.tld is fine, because this is the second certificate that is sent out to every request.
but any other subdomain is not.
this affects any host configured with ssl, also foreign tlds, for example my webmailer.

In the meantime i completly reinstalled nginx and recreated the vhost and main config.

Just a newbie question
Hi guys, I am using this tut

I registered a free domain ( for example)on and forwarded this domain to my internal IP : 192.168.x.x (this is the IP of my openhab server) .

Now everything works fine with local network, I can access my openhab webpage via on my web browser inside my house’s wifi, but I can’t do that outside the house.

Any suggestion? Please help!

You have to do a port forwarding from internal 192.168..:8080 to 80 for instance.
Easier is to use the same number for in and external use.
It is not possible to assign a private IP to a public domain.
Such ip segments were: (used in your scenario)

Oh thanks for your reply…
So you mean I have to forward my router from (my openhab server) port 8080 to 80?
I did it with my router. On freenom website, I changed my domain to point to my router’s external IP, now I can access my OH by typing on the web browser outside the home network but it doesn’t require any user name and password to login , it’s just like access my OH from localhost:8080. Is there any problem?

p.s: In the tutorial I created an user name and password and it was success using the local network, everything worked as I expected.

Sorry, but i am not familiar with "freenom"
If you want to have encryption, nginx is often a good choice.
But of course, you could define a password within the *.cfg files.

if you use openhab1, you could proceed with this guide and internal authentication:

If it’s letting you connect from anywhere, it may have saved your credentials. If you’re having more problems it’d be helpful to see your nginx configuration.