bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

[BUG] untrusted certificate appears when testing on ssllabs.com #1730

Open CookieCr2nk opened 3 days ago

CookieCr2nk commented 3 days ago

What happened?

Hello,

I am using bunkerweb as a reverse proxy. When I test bunkerweb on ssllabs.com, I have the problem that a second untrusted certificate with the domain “example.com” appears next to the real certificate (Let's Encrypt or GTS). Can the untrusted certificate be removed?

How to reproduce?

  1. Use a certificate with the custom SSL feature of BunkerWeb.
  2. Run an ssllabs.com test.
  3. See the output from ssllabs.com.


Configuration file(s) (yaml or .env)

compose.yaml (the rest is configured via the BunkerWeb UI):

```yaml
services:
  bunkerweb:
    image: bunkerity/bunkerweb:1.5.11
    ports:
      - "80:8080"
      - "443:8443"
    labels:
      - "bunkerweb.INSTANCE=yes"
    networks:
      - nginx-proxy
      - bunkerweb-services
      - bunkerweb-universe
    environment:
      - SERVER_NAME=auth.example.com nginx.example.com
      - MULTISITE=yes
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
      - UI_HOST=http://bunkerweb-ui:7000
      - USE_CUSTOM_SSL=yes
      - CUSTOM_SSL_CERT=/ssl/fullchain.cer
      - CUSTOM_SSL_KEY=/ssl/example.com.key
      - USE_REVERSE_PROXY=yes
      # Proxy to auth_request URI ($$ escapes the nginx variables from compose interpolation)
      - REVERSE_PROXY_URL_999=/authelia
      - REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
      - REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
      # Authelia
      - auth.example.com_REVERSE_PROXY_URL=/
      - auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
      - auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no

  bunkerweb-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.11
    depends_on:
      - bunkerweb
      - bunkerweb-docker
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:x@hostname:3306/bunkerweb
      - DOCKER_HOST=tcp://bunkerweb-docker:2375
    networks:
      - bunkerweb-universe
      - bunkerweb-docker
      - database-network
    volumes:
      - /opt/docker-data/bunkerweb-data:/data
      - /opt/docker-data/bunkerweb-ssl/example.com_ecc:/ssl

  bunkerweb-ui:
    image: bunkerity/bunkerweb-ui:1.5.11
    depends_on:
      - bunkerweb-docker
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:x@hostname:3306/bunkerweb
      - DOCKER_HOST=tcp://bunkerweb-docker:2375
    networks:
      - bunkerweb-universe
      - bunkerweb-docker
      - database-network

  bunkerweb-docker:
    image: tecnativa/docker-socket-proxy:nightly
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - LOG_LEVEL=warning
    networks:
      - bunkerweb-docker

  authelia:
    image: authelia/authelia:latest
    # Quoted: a bare "no" is parsed as the YAML boolean false, not the string "no"
    restart: "no"
    networks:
      - bunkerweb-services
      - database-network
    volumes:
      - /opt/docker-data/nginx-authelia/config:/config
    environment:
      TZ: Europe/Paris

networks:
  nginx-proxy:
    external: true
  database-network:
    external: true
  bunkerweb-services:
    external: true
  bunkerweb-universe:
    name: bunkerweb-universe
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bunkerweb-docker:
    name: bunkerweb-docker
```

Relevant log output

No response

BunkerWeb version

1.5.11

What integration are you using?

Docker

Linux distribution (if applicable)

Ubuntu Server 24.04


TheophileDiot commented 2 days ago

Hi @CookieCr2nk, thank you for opening this issue. What you are referring to is a default access from a browser without a valid SNI. Do you have the same report with DISABLE_DEFAULT_SERVER_STRICT_SNI set to yes?

CookieCr2nk commented 2 days ago

Hello TheophileDiot,

Yes, thank you. That seems to solve the problem.
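A check for the behaviour discussed in this thread, added here as an example and not code from BunkerWeb or from either participant: it performs one TLS handshake with SNI and one without, and reports whether a client that sends no server name is refused (the strict-SNI outcome) or still receives a separate default-server certificate (the extra certificate a scanner such as SSL Labs lists). The hostname `auth.example.com` is a placeholder taken from the reporter's configuration; pass your own public host as the first argument.

```python
import hashlib
import socket
import ssl
import sys
from typing import Optional

# Constructed placeholder taken from the issue's config; replace with your own host.
TARGET_HOST = "auth.example.com"
TARGET_PORT = 443


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def presented_fingerprint(host: str, port: int, sni: Optional[str],
                          timeout: float = 5.0) -> Optional[str]:
    """Handshake with the server and return the leaf certificate's fingerprint.
    sni=None sends a ClientHello without the server_name extension, i.e. the
    client behaviour that lands on the default server. Returns None when the
    server refuses the handshake, which is what strict SNI is expected to do."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # observe the presented cert, do not validate it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError):
        return None
    return fingerprint(der) if der else None


def assess(with_sni: Optional[str], without_sni: Optional[str]) -> str:
    """Classify what a no-SNI client receives compared with a proper SNI client."""
    if with_sni is None:
        return "unexpected: the handshake with SNI failed, check the hostname first"
    if without_sni is None:
        return "strict: connections without SNI are refused, no default certificate is exposed"
    if without_sni == with_sni:
        return "same certificate with and without SNI, no separate default-server certificate"
    return "default server presents a different certificate, scanners will list it as untrusted"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    fp_sni = presented_fingerprint(host, TARGET_PORT, sni=host)
    fp_none = presented_fingerprint(host, TARGET_PORT, sni=None)
    print("with SNI   :", fp_sni)
    print("without SNI:", fp_none)
    print(assess(fp_sni, fp_none))
```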