Issue
«get_cert_by_host(): Could not get SNI for request» errors are seen in `/var/log/imunify360-webshield/error.log`:
sslutils.lua:123: get_cert_by_host(): Could not get SNI for request (IP: 11.22.33.44), context: ssl_certificate_by_lua*
Environment
- Imunify360
- Webshield
Solution
Normally*, the reported errors can be safely disregarded.
*If a website is behind Sucuri WAF, "Force passing the hostname via TLS/SSL" must be enabled in Sucuri.
Cause
WebShield is receiving requests sent to the server's IP address rather than to a hostname.
The `get_cert_by_host(): Could not get SNI for request` log entries indicate that WebShield is receiving requests directed to the server’s IP address instead of a hostname. Since these requests lack an SNI (Server Name Indication), WebShield cannot determine the appropriate certificate to serve.
In such cases, it defaults to returning the first available virtual host certificate, similar to how standard HTTP servers (like Apache) handle non-SNI requests.
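A triage sketch for the entries described above, added here as an example and not part of Imunify360 or of the original article: it counts no-SNI handshakes per client IP and separates those arriving from a front-end WAF range (the Sucuri case noted under Solution) from direct-to-IP traffic. The `front_end_cidrs` parameter, the sample lines and their timestamp prefix are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the article; whatever precedes it on a line is ignored.
SNI_MISS = re.compile(
    r"get_cert_by_host\(\): Could not get SNI for request \(IP: ([0-9A-Fa-f:.]+)\)"
)

def count_sni_misses(lines):
    """Count no-SNI handshakes per client IP."""
    hits = Counter()
    for line in lines:
        m = SNI_MISS.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def split_by_front_end(hits, front_end_cidrs):
    """Separate hits from known front-end proxies (a WAF/CDN) from the rest.

    front_end_cidrs is a hypothetical, operator-supplied list of the ranges
    your WAF connects from. Hits inside them mean the proxy is not passing
    the hostname; everything else is traffic addressed to the bare IP.
    """
    nets = [ipaddress.ip_network(c) for c in front_end_cidrs]
    from_front_end, direct = Counter(), Counter()
    for ip, n in hits.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address in the log line; skip it
        bucket = from_front_end if any(addr in net for net in nets) else direct
        bucket[ip] += n
    return from_front_end, direct

# Constructed sample lines; the timestamp/level prefix is an assumed format.
SAMPLE_LOG = """\
2024/01/01 10:00:01 [error] 100#100: *1 [lua] sslutils.lua:123: get_cert_by_host(): Could not get SNI for request (IP: 11.22.33.44), context: ssl_certificate_by_lua*
2024/01/01 10:00:02 [error] 100#100: *2 [lua] sslutils.lua:123: get_cert_by_host(): Could not get SNI for request (IP: 11.22.33.44), context: ssl_certificate_by_lua*
2024/01/01 10:00:03 [error] 100#100: *3 [lua] sslutils.lua:123: get_cert_by_host(): Could not get SNI for request (IP: 192.0.2.10), context: ssl_certificate_by_lua*
2024/01/01 10:00:04 [notice] 100#100: signal process started
2024/01/01 10:00:05 [error] 100#100: *4 [lua] sslutils.lua:123: get_cert_by_host(): Could not get SNI for request (IP: 2001:db8::1), context: ssl_certificate_by_lua*
""".splitlines()

if __name__ == "__main__":
    fe, direct = split_by_front_end(count_sni_misses(SAMPLE_LOG), ["192.0.2.0/24"])
    print("from front-end ranges (check WAF hostname passing):", dict(fe))
    print("direct-to-IP (normally safe to disregard):", dict(direct))
```

To run it against a live server, pass the lines of `/var/log/imunify360-webshield/error.log` to `count_sni_misses()` in place of `SAMPLE_LOG`.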
Useful links
DEF-9452