HTTPS to a site that doesn't exist

When accessing a site via HTTPS that isn’t configured in Caddy, but for which a DNS route exists to my Caddy server, I receive an SSL_ERROR_BAD_CERT_DOMAIN error in the browser, with the cert coming randomly from an HTTPS site that is configured on the server. If I use HTTP, I see the expected 404.

Using this, it would appear possible to discover all (at least all HTTPS) sites being served by the Caddy server.

Has anyone else seen this? Is it a misconfiguration on my part?

Cheers
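A way to check the behaviour described above from the command line, added here as an example and not taken from the thread or from Caddy: send an unconfigured hostname in the TLS ClientHello (SNI), see which certificate comes back, and compare its names against the one requested. The script assumes the server's certificate chains to a CA in the system trust store (pass `cafile` otherwise); the hostnames in the usage comment are placeholders.

```python
"""Probe a TLS server with an arbitrary SNI name and report which certificate
it answers with.  Added example for this thread, not Caddy project code.
Hostnames used in comments below are constructed placeholders."""
import socket
import ssl
import sys


def san_names(cert: dict) -> list:
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # very old certificates may carry only a CN
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def name_matches(names, hostname: str) -> bool:
    """True if hostname is covered by one of the certificate names, using the
    browser rule: exact match, or a single leading '*' label that matches
    exactly one non-empty label.  A mismatch is what the browser reports as
    SSL_ERROR_BAD_CERT_DOMAIN."""
    hostname = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # "*.example.com" -> ".example.com"
            if hostname.endswith(suffix):
                first_label = hostname[: -len(suffix)]
                if first_label and "." not in first_label:
                    return True
    return False


def probe(server: str, sni_name: str, port: int = 443, cafile=None) -> list:
    """Connect to `server`, send `sni_name` in the ClientHello and return the
    DNS names on the certificate that comes back.  Chain validation stays on
    (with CERT_NONE, getpeercert() returns an empty dict) but hostname
    checking is off, because a mismatch is exactly what we want to observe.
    Pass cafile for a server whose certificate is not in the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((server, port), timeout=5.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return san_names(tls.getpeercert())


if __name__ == "__main__":
    # usage: python probe_sni.py <server-address> <sni-name> [<sni-name> ...]
    # e.g.   python probe_sni.py 203.0.113.10 ghost.example.com
    if len(sys.argv) < 3:
        sys.exit("usage: probe_sni.py <server> <sni-name> [<sni-name> ...]")
    server, *probes = sys.argv[1:]
    for sni in probes:
        names = probe(server, sni)
        verdict = "matches" if name_matches(names, sni) else "MISMATCH (cert names another site)"
        print(f"{sni}: server answered with cert for {names} -> {verdict}")
```

Run it a few times against the same server with a name you know is not configured: if the names printed change between runs, the server is handing out whichever configured certificate it picks first, which is the enumeration the post describes.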

Hmm, I never realised it was random; I thought it was just the first cert in memory. Pretty sure this discussion has come up in the past, can’t recall where though.

@matt wouldn’t it be better to have a self-signed cert for this purpose? (Possibly I’ve asked this in the past, too…)

This is actually a pretty complicated issue. (Made no less complex by the fact that browsers still request HTTP by default.)

It is basically the same as this discussion: https://github.com/mholt/caddy/issues/1303

We took some action with it in PR 2015: https://github.com/mholt/caddy/pull/2015

But then https://github.com/mholt/caddy/issues/2035 happened.

So we did this: https://github.com/mholt/caddy/pull/2037

It’s all inter-related.

