Critical Severity | SSL/TLS

Fix: SSL Certificate Domain Mismatch

The certificate your server presents does not cover the hostname the client asked for: the name is missing from the certificate's Subject Alternative Name (SAN) list. Modern browsers match only against the SAN extension and ignore the Common Name (CN), so a hostname that appears only in the CN still fails the check.

Quick Fix

Issue a certificate whose SAN list covers every hostname clients use to reach the server (the root domain, www, and any other subdomains), and make sure the listener that terminates TLS for those hostnames (origin, load balancer, or CDN) actually serves it.

What This Error Means

The certificate presented by your server was issued for a different hostname than the one being requested. For example, the certificate covers "example.com" but not "www.example.com", so requests to the www name fail hostname verification even though the certificate itself is valid and trusted.

Why It Matters

Browsers show a full-page interstitial for a hostname mismatch, and most non-browser clients (curl, mobile apps, API integrations, monitoring probes) refuse the connection outright, so the site is effectively unreachable for most visitors. Hostname verification is the check that stops an attacker from presenting a valid certificate for some other name; users who click through a mismatch warning are being trained to ignore exactly that protection. Search engines and security scanners also flag the condition as a serious issue.

Step-by-Step Fix

1. Check which domains the certificate covers

Inspect the certificate to see its Common Name and Subject Alternative Names. Pass -servername so the server selects the certificate for that hostname via SNI; without it you may be shown the default virtual host's certificate rather than the one your visitors receive.

Example
# -ext needs OpenSSL 1.1.1 or newer; on older builds use: -text | grep -A1 "Subject Alternative Name"
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null \
  | openssl x509 -noout -subject -ext subjectAltName
2. Determine which domains you need

List every hostname that should be covered: the root domain, the www subdomain, and any other subdomains served from the same TLS listener. Include names that appear in redirects, API base URLs baked into apps, and links sent in email, since those are reached by clients that cannot click through a warning.

3. Get a new certificate with correct SANs

Request a certificate that covers all needed domains.

Example
# Let's Encrypt with multiple domains:
sudo certbot certonly --nginx \
  -d yourdomain.com \
  -d www.yourdomain.com \
  -d app.yourdomain.com
4. Install and verify

Install the new certificate, reload the server, and confirm that each required hostname matches the certificate actually being served for it.

Example
sudo nginx -t && sudo systemctl reload nginx

# Verify: list the SAN entries the live server presents
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text | grep "DNS:"

# Check each hostname the same way a client would (openssl 1.0.2+); send it as SNI too,
# so a default-vhost certificate does not mask the result
for h in yourdomain.com www.yourdomain.com app.yourdomain.com; do
  echo | openssl s_client -connect yourdomain.com:443 -servername "$h" 2>/dev/null \
    | openssl x509 -noout -checkhost "$h"
done

Common Gotchas

  • A certificate for "example.com" does not automatically cover "www.example.com". You need both names in the SAN list.
  • Wildcard certificates (*.example.com) cover subdomains but not the root domain itself. You need both *.example.com and example.com.
  • A wildcard matches exactly one label: *.example.com covers app.example.com but not a.b.example.com.
  • Browsers ignore the Common Name. A certificate with the hostname only in the CN and no SAN extension is treated as a mismatch.
  • The server picks a certificate by the SNI name the client sends. If no virtual host matches, most servers fall back to the default certificate, which is a frequent cause of mismatches on newly added subdomains.
  • If using a CDN or load balancer, the mismatch may be at the CDN level, not your origin server: the certificate the visitor sees is the one installed on whatever terminates TLS for that hostname.
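The step-by-step checks above and the wildcard rules in the gotchas are what a client applies when it decides whether a certificate matches. The following is an added example, not code from the original page or from any scanner: it implements the browser matching rules (RFC 6125 section 6.4.3 style: case-insensitive, a wildcard must be the whole leftmost label and matches exactly one label, no wildcard for the root) against a list of SAN DNS names, reports which required hostnames a certificate leaves uncovered, and can optionally pull the live SAN list from a server. The SAN list and hostnames in the demo are constructed, and the helper names are this example's own.

```python
import socket
import ssl
import sys


def _labels(name):
    """Normalise a DNS name for comparison: lowercase, drop trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(hostname, san_dns_names):
    """Return True if hostname is covered by one of the DNS SAN entries.

    Rules (the ones browsers apply):
      - comparison is case-insensitive
      - an exact label-for-label match always succeeds
      - a wildcard is only honoured as the entire leftmost label ("*.example.com");
        partial wildcards such as "w*.example.com" are treated as literal and never match
      - a wildcard matches exactly one label, so "*.example.com" covers "app.example.com"
        but neither "example.com" (root) nor "a.b.example.com" (two labels)
      - a wildcard needs at least two labels after it, so "*.com" never matches
    """
    host = _labels(hostname)
    for san in san_dns_names:
        pat = _labels(san)
        if pat == host:
            return True
        if (
            pat[0] == "*"
            and len(pat) >= 3
            and len(host) == len(pat)
            and pat[1:] == host[1:]
        ):
            return True
    return False


def uncovered(required_names, san_dns_names):
    """Hostnames from required_names that the certificate's SAN list does not cover."""
    return [n for n in required_names if not hostname_matches(n, san_dns_names)]


def fetch_san_dns_names(host, port=443, timeout=5.0):
    """Connect with SNI for `host` and return the DNS names in the served certificate's SAN.

    Chain verification against the system trust store stays enabled, because
    getpeercert() returns an empty dict for an unverified certificate; only the
    hostname check is switched off so a valid-but-wrong certificate can be inspected
    instead of raising. Self-signed origins will fail chain verification here.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def demo():
    """Constructed scenario: a wildcard-only certificate checked against the names a site needs."""
    cert_sans = ["*.example.com"]  # constructed SAN list, as if read from step 1
    required = ["example.com", "www.example.com", "app.example.com", "a.b.example.com"]
    return uncovered(required, cert_sans)


if __name__ == "__main__":
    if len(sys.argv) > 2:
        # Live mode: python check_sans.py yourdomain.com yourdomain.com www.yourdomain.com ...
        sans = fetch_san_dns_names(sys.argv[1])
        missing = uncovered(sys.argv[2:], sans)
    else:
        sans, missing = ["*.example.com"], demo()
    print("SAN DNS names:", sans)
    print("not covered:", missing or "none")
```

Run without arguments to see the constructed case: the wildcard-only certificate leaves example.com and a.b.example.com uncovered, which is exactly the pair of gotchas listed above. Run with a hostname followed by the names you expect it to serve (step 2's list) to check a live server; because the fetch sends the first argument as SNI, repeat it once per hostname if you suspect the default virtual host is answering for some names.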

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. Unlike a DNS change, a replacement certificate needs no propagation time: it is served as soon as the TLS listener reloads it. If the scanner still reports a mismatch after the reload, a different listener (CDN, load balancer, or a default virtual host answering for that hostname) is almost certainly still serving the old certificate.

Frequently Asked Questions

What is a Subject Alternative Name (SAN)?

The Subject Alternative Name is an X.509 extension (subjectAltName) listing every identity a certificate is valid for, typically DNS names and sometimes IP addresses. A single certificate can cover multiple hostnames via SANs, and browsers use this list, not the Common Name, when checking whether a certificate matches the requested host.

Should I use a wildcard or multi-domain certificate?

Wildcard certificates (*.example.com) are convenient for many subdomains, but they do not cover the root domain and match only one label (app.example.com, not a.b.example.com). For most sites, a certificate with both example.com and www.example.com is sufficient; add a wildcard only if you genuinely serve many subdomains, and keep in mind that a wildcard key compromised on one host exposes every subdomain.

Why does the mismatch only happen on some devices?

Different devices may reach your site via different hostnames (e.g., www vs non-www, or an API hostname hard-coded in a mobile app). If your certificate does not cover every variation, the users hitting the uncovered name see the error. Very old clients that do not send SNI are another cause: they receive the server's default certificate, which may be for a different name.
