How does Apache choose which certificate to use?
Currently Apache is hosting several subdomains with host certificates generated with certbot and an HTTP challenge.
Now I want to set up a default SSL virtual host to redirect non-existing subdomains to the main one. For this purpose I will generate a wildcard certificate with a DNS challenge.
Since I am not currently able to automate renewal with the DNS challenge, I want to use the wildcard certificate only for the default SSL host in Apache.
My question is: When the first negotiation between Apache and the browser takes place, will Apache then first look for a certificate in the configuration matching the requested host, or will Apache serve the wildcard certificate configured in the default SSL host every time?
The Apache documentation contains a detailed section about which VirtualHost is chosen for a request. A quote from the section "How the server selects the proper name-based virtual host":
It is important to recognize that the first step in name-based virtual host resolution is IP-based resolution. Name-based virtual host resolution only chooses the most appropriate name-based virtual host after narrowing down the candidates to the best IP-based match. Using a wildcard (*) for the IP address in all of the VirtualHost directives makes this IP-based mapping irrelevant.
When a request arrives, the server will find the best (most specific) matching <VirtualHost> argument based on the IP address and port used by the request. If there is more than one virtual host containing this best-match address and port combination, Apache will further compare the ServerName and ServerAlias directives to the server name present in the request.
If you omit the ServerName directive from any name-based virtual host, the server will default to a fully qualified domain name (FQDN) derived from the system hostname. This implicitly set server name can lead to counter-intuitive virtual host matching and is discouraged.
You should create a dedicated Default VirtualHost. Every request to a host not listed explicitly in another VirtualHost block will be directed there, so you can choose which certificate you want to use there.
Apache lets you specify the SSLCertificateFile directive at the virtual host level. See SSLCertificateFile, which says "Context: server config, virtual host". So whichever virtual host it uses to answer the request - whether the default virtual host, or another one - it will use the certificate you configure with SSLCertificateFile in that virtual host.
I hope that answers your question?
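The configuration both answers describe (a dedicated default SSL virtual host listed first, holding the wildcard certificate, with the per-subdomain virtual hosts each carrying their own SSLCertificateFile), as an added example that is not part of the question or either answer. Hostnames and certificate paths are placeholders; adapt them to the real certbot live directory.

```apache
# Added example, not from the original question or answers.
# Placeholder hostnames (example.com) and certificate paths.
Listen 443

# Default SSL virtual host: first *:443 block in the config, so Apache uses it
# for any SNI name that no later vhost claims, and for clients that send no SNI.
# Deliberately no "ServerAlias *.example.com" here: ServerName/ServerAlias are
# matched in file order, and a wildcard alias would shadow the vhosts below.
<VirtualHost *:443>
    ServerName default.example.com
    SSLEngine on
    # Wildcard certificate obtained with the DNS challenge
    SSLCertificateFile    /etc/letsencrypt/live/wildcard.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/wildcard.example.com/privkey.pem
    # Send unknown subdomains to the main site
    Redirect permanent / https://www.example.com/
    # Optional: reject clients that do not send SNI instead of serving them
    # from this default vhost.
    # SSLStrictSNIVHostCheck on
</VirtualHost>

# Main site: chosen when the browser's SNI hostname is www.example.com,
# so this vhost's certificate is the one presented.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Host certificate obtained with the HTTP challenge
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    DocumentRoot /var/www/www
</VirtualHost>

# One existing subdomain with its own certbot certificate
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/app.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/app.example.com/privkey.pem
    DocumentRoot /var/www/app
</VirtualHost>
```

The certificate selection happens at the TLS handshake, before any HTTP request is read, so it is driven by the SNI hostname the browser sends, not by the Host header. A quick way to confirm which certificate a given name receives is `openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject`, repeated with an unlisted subdomain in `-servername` to check that the wildcard certificate from the default vhost is returned instead.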