Different SSL certs being delivered to different platforms

This is due to Apple being one of the (earliest?) vendors enforcing full compliance with RFC 1035, which only allows letters, digits, and hyphens for domain names. The CA/Browser Forum has sunset underscores since 2019, but the CAs can't prevent you from using an underscore in a wildcard cert, and it seems that browser makers still allow the domain to be validated, except Apple.

Since iOS 14 and probably Big Sur, Safari won't send SNI for domains with an underscore, which is why you get the default cert. Unfortunately, while in Big Sur other browsers seem to use their own TLS library, it appears that in iOS all browsers are required to use the built-in library.

If you only have a single domain with an underscore in its name, a probable workaround (I'm not sure if iOS will actually validate the cert; it works on desktop Safari) will be using the cert for that domain as your default cert. Otherwise, you're forced to change all of those domains using underscores.
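An added example, not part of the original answer: a small audit that finds server names containing non-letter/digit/hyphen labels and reports whether the single-default-cert workaround described above is even possible. It assumes an nginx-style config with flat `server { ... }` blocks; the hostnames and the verdict strings are constructed for illustration.

```python
import re

# LDH label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample input: nginx-style server blocks (hypothetical names).
SAMPLE_CONF = """
server { listen 443 ssl default_server; server_name www.example.test; }
server { listen 443 ssl; server_name api_v2.example.test; }
server { listen 443 ssl; server_name *.example.test static.example.test; }
"""

def bad_labels(name):
    """Return the labels of `name` that are not letters-digits-hyphens."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":  # wildcard is only valid as leftmost label
        labels = labels[1:]
    return [label for label in labels if not LDH_LABEL.match(label)]

def server_names(conf):
    """Yield (name, is_default) for every server_name in the config text."""
    for block in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        is_default = bool(re.search(r"listen[^;]*\bdefault_server\b", block))
        m = re.search(r"server_name\s+([^;]+);", block)
        for name in (m.group(1).split() if m else []):
            yield name, is_default

def audit(conf):
    """List names a client that omits SNI for non-LDH hosts would miss."""
    at_risk = [(n, d) for n, d in server_names(conf) if bad_labels(n)]
    names = [n for n, _ in at_risk]
    if not names:
        verdict = "ok"
    elif len(names) == 1:
        # One affected name: it can be served as the default (no-SNI) vhost.
        verdict = "ok-default" if at_risk[0][1] else "make-default-or-rename"
    else:
        # Only one vhost can be the default, so the rest must be renamed.
        verdict = "rename"
    return names, verdict

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Note that a wildcard such as `*.example.test` passes the check itself, but a concrete host like `api_v2.example.test` matched by it is still affected, because the server never sees the name without SNI.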