AWS ELB serves wrong SSL certificate after adding second custom domain
Problem
An AWS Application Load Balancer (or an Elastic Beanstalk-managed ALB) is configured with one SSL certificate. After a second custom domain is added to the same application, HTTPS connections to the second domain are answered with the wrong certificate (the first domain's), so browsers report a certificate name mismatch. The cause is that an ALB HTTPS listener only ever presents certificates that have been explicitly added to it, one per domain it serves; it does not discover them from DNS.
Error Output
SSL_ERROR_BAD_CERT_DOMAIN The certificate is only valid for domain1.com but the server returned domain2.com
1 Fix
Add the second domain certificate to the ELB HTTPS listener
AWS ELB HTTPS listeners do not automatically pick up certificates based on DNS. The listener chooses a certificate from its certificate list by matching the SNI hostname the client sends, and falls back to the listener's default certificate when nothing matches, which is why the second domain is served the first domain's certificate. Each domain served through the listener must therefore have its certificate explicitly added.
- 1
Get the ACM certificate ARN for the second domain
In AWS Certificate Manager, find or request a certificate for your second domain and note its ARN.
- 2
Add the cert to the ELB listener via AWS CLI
Add the certificate to the listener (if the ALB is managed by Elastic Beanstalk, consider setting the extra certificate through the environment's listener configuration instead, so a later environment update does not revert the change):

```bash
aws elbv2 add-listener-certificates \
  --listener-arn arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/... \
  --certificates CertificateArn=arn:aws:acm:REGION:ACCOUNT:certificate/...
```
- 3
Verify both domains from outside
Test TLS from a machine outside your local network, so that DNS resolution and routing match what real clients see:

```bash
curl -v https://domain1.com/ 2>&1 | grep "subject:"
curl -v https://domain2.com/ 2>&1 | grep "subject:"
```
Validation
Both `curl -v` commands show matching certificate subjects for their respective domains. No SSL_ERROR_BAD_CERT_DOMAIN in any browser.
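As an added check that is not part of the original fix, the following Python models the SNI selection described above and verifies, per domain, that the certificate actually presented covers that hostname (SAN or CN, with single-label wildcards). The sample certificates and the simplified `select_cert` model are constructed for illustration; `fetch_cert` does the live check against a real endpoint.

```python
import socket
import ssl

# Constructed sample certificates in ssl getpeercert() shape; not real certificates.
CERT_DOMAIN1 = {"subject": ((("commonName", "domain1.com"),),),
                "subjectAltName": (("DNS", "domain1.com"), ("DNS", "www.domain1.com"))}
CERT_DOMAIN2 = {"subject": ((("commonName", "domain2.com"),),),
                "subjectAltName": (("DNS", "domain2.com"), ("DNS", "*.domain2.com"))}

def fetch_cert(hostname, port=443, timeout=5.0):
    """Connect with SNI set to hostname and return the leaf cert as a getpeercert() dict.
    Hostname checking is disabled so a mismatch is reported instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain is still validated
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, falling back to the CN."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """RFC 6125 style match: exact, or a wildcard in the left-most label matching one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p, h = pattern.split("."), hostname.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return False

def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))

def select_cert(listener_certs, sni_hostname):
    """Simplified model (assumption, not AWS code) of ALB selection: a listed cert whose
    names cover the SNI host, otherwise the listener's default certificate (first in list)."""
    return next((c for c in listener_certs if cert_covers(c, sni_hostname)), listener_certs[0])

def check_domain(hostname, fetch=fetch_cert):
    """True when the cert presented for hostname (with SNI) actually covers it."""
    return cert_covers(fetch(hostname), hostname)
```

Run `check_domain("domain2.com")` for each custom domain from an external host; a `False` result reproduces the mismatch before the certificate is added to the listener.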
Environment
- Product
- AWS ELB / Elastic Beanstalk
- Environment
- production
Submitted by
Alex Chen
2450 rep