-2

On my server I have multiple virtual hosts with apache2. Some with domain *.example-one.org and some with *.example-two.org. Each domain has its own wildcard certificate.

When I fetch the certificate via openssl s_client the output is something like this:

$ openssl s_client -connect sub.example-one.org:443
CONNECTED(00000003)
[...] CN = *.example-two.org, emailAddress [...]
verify error:num=18:self signed certificate
verify return:1
[...] CN = *.example-two.org, emailAddress [...]
verify return:1
---
[...]
    Verify return code: 18 (self signed certificate)
---

And with gnutls-cli:

$ gnutls-cli -p 443 sub.example-one.org
Processed 164 CA certificate(s).
Resolving 'sub.example-one.org'...
Connecting to '14x.xxx.xxx.xxx:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `[...]CN=*.example-one.org[...]', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-07-11 12:30:31 UTC', expires `2015-07-11 12:30:31 UTC', SHA-1 fingerprint `94ddfd0d74e0352521af511c1d08c71e5314fae4'
    [...]
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

(I've shortened the output with "[...]")

Firefox fetches (like gnutls) the correct certificate...

Why are there differences?

1 Answer

3

If you use multiple certificates behind the same IP address, you have to use SNI (Server Name Indication). While browsers do this by default and gnutls maybe too, s_client does not, and you have to use openssl s_client -servername sub.example.org -connect ...

shastry
Steffen Ullrich