How to Fix a Hostname Mismatch Error

A hostname mismatch error means the domain in your browser doesn't match any name on the SSL certificate. Here's how to diagnose and fix it.

A hostname mismatch error is one of the most common SSL problems developers encounter. The browser is telling you that the domain you requested isn't covered by the certificate the server presented. The steps below work from the certificate the server actually sends to a reissued certificate that covers every name you need.

What Causes It?

  • Wrong domain — the certificate was issued for example.com but you're visiting www.example.com (or vice versa).
  • Missing SAN entry — the certificate doesn't include the specific subdomain you need in its Subject Alternative Names.
  • Wrong certificate installed — the server is presenting a certificate for a different domain entirely.
  • Virtual host misconfiguration — the web server is serving the wrong certificate for a particular hostname.

Step 1: Decode the Certificate

Before anything else, decode the certificate the server is actually presenting. Use the SSL Certificate Decoder — paste the PEM text and look at the Subject Alternative Names section. Compare each entry against the domain you're trying to reach.

Remember: browsers match against SANs, not the Common Name. Even if the CN looks right, it's the SAN list that matters.

Step 2: Check www vs. Bare Domain

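A certificate for example.com doesn't cover www.example.com unless www.example.com is explicitly listed in the SANs. Confirm both variants appear, or use a wildcard certificate (*.example.com) to cover subdomains. A wildcard stands for exactly one label, so *.example.com covers www.example.com but not the bare example.com or a deeper name such as a.b.example.com; list those names separately.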
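The comparison described in Steps 1 and 2, as an added example (not code from this page or from any browser): a simplified version of SAN matching that also reports which near miss caused the mismatch. The function names and the sample hostnames are assumptions made for illustration.

```python
# Added example: simplified SAN hostname matching (exact or single-label wildcard).
# Function names and the sample names in the __main__ block are constructed.

def _labels(name):
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return name.rstrip(".").lower().split(".")

def san_covers(entry, hostname):
    """True if one SAN dNSName entry covers hostname."""
    e, h = _labels(entry), _labels(hostname)
    if len(e) != len(h):
        return False  # "*" stands for exactly one label, never zero or two
    if e[0] == "*":
        # Simplification: require a base of at least two labels, so "*.com" never matches.
        return len(e) >= 3 and e[1:] == h[1:]
    return e == h  # a partial wildcard such as "w*" only matches itself here

def check_hostname(hostname, sans):
    """Return (matching_entry, hint); matching_entry is None on a mismatch."""
    for entry in sans:
        if san_covers(entry, hostname):
            return entry, "covered"
    h = _labels(hostname)
    # www vs. bare domain: is the other variant the one that is covered?
    alt = ".".join(h[1:]) if h[0] == "www" else "www." + ".".join(h)
    if any(san_covers(entry, alt) for entry in sans):
        return None, f"only {alt} is covered; add {hostname} to the SANs"
    for entry in sans:
        e = _labels(entry)
        if e[0] == "*" and h[-len(e[1:]):] == e[1:]:
            return None, f"{entry} matches one label only; add {hostname} to the SANs"
    return None, "no SAN is close; the server may be presenting another certificate"

if __name__ == "__main__":
    cases = [  # constructed SAN lists, as copied from a decoded certificate
        ("www.example.com", ["example.com"]),
        ("WWW.Example.com.", ["*.example.com"]),
        ("api.v2.example.com", ["*.example.com"]),
        ("example.com", ["shop.example.net"]),
    ]
    for host, sans in cases:
        print(host, sans, check_hostname(host, sans))
```

Pass it the SAN entries copied from the decoded certificate and the hostname from the browser's address bar; the Common Name is deliberately not consulted.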

Step 3: Reissue with the Correct SANs

If the SAN list is missing the hostname you need, you must reissue the certificate with the correct domains listed. If you're using Let's Encrypt, re-run Certbot with all required domains included in the -d flags. If you're using a commercial CA like DigiCert or Sectigo, resubmit your CSR with the updated SAN list.

Step 4: Verify After Installation

After installing the new certificate, decode it again to confirm every domain appears in the SAN list. Also check that the certificate chain is complete — a missing intermediate will cause an intermediate certificate error in some browsers even if the SAN matches.
