SSL: hostname mismatch (the certificate does not match the server name)

DodaTech 2 min read

The error “SSL: hostname mismatch (the certificate does not match the server name)” means the hostname you used to connect does not match any name listed in the server’s SSL certificate.

What It Means

When a TLS client connects to a server, it checks the Common Name (CN) and Subject Alternative Names (SANs) in the server’s certificate against the hostname in the URL. If none of the names match, the TLS handshake fails with a hostname mismatch error. This check stops a man-in-the-middle from presenting a valid certificate that was issued for a different domain.

Why It Happens

  • The certificate was issued for example.com but you connected to www.example.com.
  • The certificate was issued for *.example.com but you connected to example.com (the wildcard does not cover the bare domain).
  • You connected via IP address but the certificate has no IP SAN entry.
  • The server is behind a load balancer and uses a default certificate that does not match the requested domain.
  • The certificate was renewed with a new set of SANs but the old certificate is still in use.

How to Fix It

1. Check the certificate’s SANs and CN

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

2. Connect with the correct hostname

curl https://www.example.com

3. Reissue the certificate with the correct SANs

sudo certbot certonly --standalone -d example.com -d www.example.com

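4. For development, disable hostname verification

curl -k https://192.168.1.10

The -k (--insecure) flag turns off all certificate verification, not only the hostname check, so keep it to test systems you control.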

5. Use the correct server_name in Nginx

server_name example.com www.example.com;

FAQ

What is the difference between CN and SAN?
CN (Common Name) is the legacy field for the primary domain. SAN (Subject Alternative Name) is the modern standard that allows multiple domains and IPs. Modern browsers and tools require SANs; many clients ignore the CN.

Can a wildcard certificate cover subdomains?
Yes. A certificate for *.example.com covers www.example.com, api.example.com, etc., but does NOT cover example.com (bare domain) or sub.other.example.com. To cover the bare domain as well, include both example.com and *.example.com as SANs.
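
The matching rules from "Why It Happens" and the wildcard answer above can be checked offline against the SAN line printed by the command in step 1. The following Python is an added example, not DodaTech's code: the function names and the sample SAN line are constructed for illustration. It assumes a client that ignores the CN, and it treats partial-label wildcards and internationalized names as non-matching.

```python
import ipaddress

# Constructed sample: the SAN line as printed by `openssl x509 -noout -text`.
SAMPLE_SAN_LINE = "DNS:example.com, DNS:*.example.com, IP Address:192.168.1.10"


def parse_sans(line):
    """Split an openssl SAN line into (kind, value) pairs; kind is 'DNS' or 'IP'."""
    sans = []
    for entry in line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            sans.append(("DNS", value.lower().rstrip(".")))
        elif kind == "IP Address":
            sans.append(("IP", ipaddress.ip_address(value)))
    return sans


def dns_match(host, pattern):
    """Exact match, or a '*.' wildcard standing in for exactly one left-most label."""
    if pattern.startswith("*."):
        label, dot, parent = host.partition(".")
        return bool(label) and dot == "." and parent == pattern[2:]
    return host == pattern


def covers(target, sans):
    """True if `target` (hostname or IP literal) is covered by the SAN list.

    The CN is deliberately not consulted, as in clients that ignore it.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        return any(k == "DNS" and dns_match(host, v) for k, v in sans)
    # An IP literal matches only IP SAN entries, never DNS names.
    return any(k == "IP" and v == ip for k, v in sans)


if __name__ == "__main__":
    sans = parse_sans(SAMPLE_SAN_LINE)
    for name in ("example.com", "www.example.com", "sub.other.example.com",
                 "192.168.1.10", "192.168.1.11"):
        print(f"{name:24} {'match' if covers(name, sans) else 'MISMATCH'}")
```

Paste the SAN line from your own certificate in place of the sample to see which of the names you connect with would trigger the mismatch error.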
