When accessing a site via HTTPS that isn’t configured in Caddy, but for which a DNS route exists to my Caddy server, I receive an SSL_ERROR_BAD_CERT_DOMAIN error in the browser, with the cert coming randomly from an HTTPS site that is configured on the server. If I use HTTP, I see the expected 404.
Using this, it would appear possible to be able to discover all (at least all HTTPS) sites being served by the Caddy server.
Has anyone else seen this? Is it a misconfiguration on my part?
Hmm, I never realised it was random, I thought it was just the first cert in memory. Pretty sure this discussion has come up in the past, can’t recall where though.
@matt wouldn’t it be better to have a self-signed cert for this purpose? (Possibly I’ve asked this in the past, too…)