First, I had a mysterious observation. Now I found the reason. But it's again mysterious.
I am using HTTP Public Key Pinning with *.server-daten.de. The root certificate is pinned. No problem.
Now I transferred a second domain, sql-und-xml.de, to the same IP address. Own www service, own new certificate.
Added HPKP with the root certificate, using the Pin SHA256 information found with https://www.ssllabs.com/ssltest/ .
This is the "GlobalSign Root CA" / Pin SHA256: K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= .
Tested with a Firefox browser there: all worked. No warning.
Tested with a Firefox browser locally: red warnings:
> Public-Key-Pins: The site specified a header that did not include a matching pin entry. [Learn more]
The same, current browser, used in two different places: one is OK, the other is broken.
First idea: a conflict with the other domain at the same IP. A misconfiguration. Possible? Who knows?
Second idea: a Firefox bug?
Third idea: my local computer has a problem, a man in the middle? But the second and the third certificates are the same.
Then I pinned the second certificate, AlphaSSL CA - SHA256 - G2. No problem. No warnings.
On the local machine, the Root Certificate is "GlobalSign Root CA - R3" (Windows 10).
On the other machine, the Root Certificate is "GlobalSign Root CA" (Windows 2012 Server).
So the same second certificate has different root certificates. And pinning the root certificate produced the problem with a browser that knows only the other root certificate.
Is it possible (SSL check) to show these two different root certificates?
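The behaviour the post describes, reproduced as an added example that is not part of the original post or of any GlobalSign or Firefox code: a constructed Go program (standard library only) that builds one intermediate key cross-signed by two different self-signed roots, then validates the same leaf against two trust stores that each know only one of the roots. The CA names ("Test Root CA", "Test Root CA - R3", "Test Intermediate CA", "www.example.test") are placeholders, not the real GlobalSign certificates. An HPKP pin is base64(SHA-256(DER SubjectPublicKeyInfo)), so it follows the key, not the certificate: the cross-signed intermediate keeps one pin under both roots, while the two roots have different keys and therefore different pins, and a root pin only matches on the client whose store happened to pick that root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin is the HPKP pin: base64(SHA-256(DER SubjectPublicKeyInfo)); it is bound to the key, not the certificate.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainPins validates leaf against a store holding one root and one intermediate, as one client's store would, and returns the pins of the chain it built (leaf first, root last).
func ChainPins(leaf, inter, root *x509.Certificate) ([]string, error) {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	ip.AddCert(inter)
	rp.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Intermediates: ip, Roots: rp})
	if err != nil {
		return nil, err
	}
	var pins []string
	for _, c := range chains[0] {
		pins = append(pins, SPKIPin(c))
	}
	return pins, nil
}

// PinMatches applies the HPKP rule: at least one pinned hash must appear in the chain the client built.
func PinMatches(chainPins, pinned []string) bool {
	for _, p := range chainPins {
		for _, q := range pinned {
			if p == q {
				return true
			}
		}
	}
	return false
}

// Scenario is a constructed replica of the post's situation: one intermediate key cross-signed by two roots (placeholder names, not GlobalSign's certificates).
type Scenario struct{ Leaf, R1, R3, I1, I2 *x509.Certificate }

var serial int64

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func tmpl(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{"www.example.test"}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func BuildScenario() Scenario {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	r1Key, r3Key, iKey, leafKey := newKey(), newKey(), newKey(), newKey()
	r1t, r3t := tmpl("Test Root CA", true), tmpl("Test Root CA - R3", true)
	r1, r3 := issue(r1t, r1t, &r1Key.PublicKey, r1Key), issue(r3t, r3t, &r3Key.PublicKey, r3Key)
	i1 := issue(tmpl("Test Intermediate CA", true), r1, &iKey.PublicKey, r1Key) // signed by the old root
	i2 := issue(tmpl("Test Intermediate CA", true), r3, &iKey.PublicKey, r3Key) // same key, signed by R3
	leaf := issue(tmpl("www.example.test", false), i1, &leafKey.PublicKey, iKey)
	return Scenario{Leaf: leaf, R1: r1, R3: r3, I1: i1, I2: i2}
}

func main() {
	s := BuildScenario()
	viaR1 := must(ChainPins(s.Leaf, s.I1, s.R1)) // client whose store has only the old root
	viaR3 := must(ChainPins(s.Leaf, s.I2, s.R3)) // client whose store has only the R3 root
	for _, pin := range []string{SPKIPin(s.R1), SPKIPin(s.I1)} {
		fmt.Printf("pin %s: old-root client ok=%v, R3 client ok=%v\n",
			pin, PinMatches(viaR1, []string{pin}), PinMatches(viaR3, []string{pin}))
	}
}
```

To see the two chains on the real hosts, save the served chain with `openssl s_client -connect host:443 -servername host -showcerts` on each machine and compute each certificate's pin with `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`; the root that a client appends comes from its own store, so it is not necessarily the root a scanner shows. The design lesson is the one the post stumbled on: pin a key whose certificate you actually serve (the leaf or the intermediate) rather than a root the client chooses, and, as RFC 7469 requires, always include a backup pin for a key you hold offline.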