I'm running a website where the checkout flow is SSL certified using a Comodo EV certificate.
We also have Piwik web analytics tracking across the site, which is served off a stats
subdomain. To prevent mixed domain errors, the Piwik is accessible via HTTPS as well as HTTP - for HTTPS, our Piwik subdomain is certified using a (much cheaper) Comodo PositiveSSL certificate.
Here's the weird part - when an HTTPS page on the main site is accessed through wget and some versions of Internet Explorer, the stats.psychicbazaar.com
certificate seems to somehow get loaded by mistake, leading to "Mismatched Address" warnings in IE, and in wget:
ERROR: certificate common name `stats.psychicbazaar.com' doesn't match requested host name `www.psychicbazaar.com'.
This problem does not occur with curl, Chrome or Firefox. For example, with curl:
$ curl -Iv https://www.psychicbazaar.com/shop/checkout
* <snip>
* Connected to www.psychicbazaar.com (178.79.183.162) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: serialNumber=07440589; 1.3.6.1.4.1.311.60.2.1.3=GB; 1.3.6.1.4.1.311.60.2.1.
2=Greater London; businessCategory=Private Organization; C=GB; postalCode=EC24 4RQ; ST=Greater
London; L=London; street=The Roma Building 32-38; O=Psychic Bazaar Ltd; OU=COMODO EV
* start date: 2012-02-16 00:00:00 GMT
* expire date: 2013-02-15 23:59:59 GMT
* subjectAltName: www.psychicbazaar.com matched
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO Extended Validation Secure Server CA
* SSL certificate verify ok.
> HEAD /shop/checkout HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: www.psychicbazaar.com
> Accept: */*
>
< <snip>
What could be going on here - why would a browser be reading and erroring on a subdomain's SSL certificate when it's loading a page on the main domain? Any help much appreciated!