I accidentally printed and distributed a flyer that has a QR Code with a trailing dot in the domain (so it's "https://example.org." instead of "https://example.org"). I didn't notice the error because I tried scanning it with my phone and it worked.
People reported to me that the QR code does not open in Safari.
Doing some trial and error, I discovered that some websites like Google won't work on Safari if I put a trailing dot ("https://www.google.com."), while others like Wikipedia work correctly ("https://www.wikipedia.org.").
I knew that a trailing dot is a representation for an FQDN and should work fine, so why won't Safari open some websites with a trailing dot?
After looking into the HTTPS handshake it turns out that, for some obscure reason, Safari isn't sending the server_name attribute in the Client Hello if you put a trailing dot at the end of the domain. So it's acting as if it didn't support SNI.
Websites that work are the ones that present the right certificate as the default choice, but nowadays the vast majority of websites are hosted on servers with multiple websites on them, and the right certificate to present to the client is chosen using SNI.
The only way to make it work seems to be buying hosting or a VPS with a dedicated IP and ensuring that the server responds with the certificate for your domain by default (with Apache, that would mean configuring a single virtual host).