Networking / Amazon / production

SSL mismatch is silent on server — only visible via curl -v from outside

Mar 14, 2026
Confidence Score: 4%

Problem

An HTTPS server appears healthy: status page is green, no 5xx errors, nginx logs are clean. But users report SSL errors in their browsers. The root cause is a load balancer or reverse proxy serving the wrong SSL certificate for the requested domain (e.g. a wildcard cert for *.domain-a.com being served for domain-b.com). The server itself never errors — the TLS handshake completes with the wrong cert and the browser rejects it client-side.

Error Output

SSL_ERROR_BAD_CERT_DOMAIN
curl: (60) SSL: no alternative certificate subject name matches target host name


1 Fix (New Fix – Awaiting Verification)

Fix SSL Certificate Mismatch on Load Balancer

Medium Risk

The issue arises when a load balancer or reverse proxy is configured to serve an incorrect SSL certificate for a given domain. This typically occurs due to misconfiguration in the SSL settings, where a wildcard certificate for one domain is inadvertently used for another. As a result, the TLS handshake completes successfully, but the browser rejects the connection due to a mismatch between the requested domain and the certificate presented.


1. Identify the Load Balancer Configuration

   Access the load balancer settings in the AWS Management Console. Navigate to the 'Load Balancers' section and select the relevant load balancer. Review the listener configuration to determine which SSL certificate is currently associated with the listener for the affected domain.

2. Update SSL Certificate for the Domain

   If the SSL certificate is incorrect, update it to the correct certificate for the domain. This can be done by selecting the appropriate certificate from the AWS Certificate Manager (ACM) or uploading a new certificate if necessary. Ensure that the certificate matches the domain being served.

3. Verify Listener Rules

   Check the listener rules to ensure that they are correctly routing traffic based on the hostname. If multiple domains are served by the same load balancer, ensure that the rules are set up to direct requests to the correct backend based on the requested domain.

4. Test the Configuration

   After updating the SSL certificate and verifying the listener rules, test the configuration using curl. Ensure that there are no SSL errors and that the correct certificate is presented:

       curl -v https://domain-b.com

5. Monitor User Reports

   After implementing the fix, monitor user reports for any SSL-related issues. Encourage users to clear their browser cache or try accessing the site in incognito mode to avoid cached SSL states.

Validation

Confirm that users can access the site without SSL errors. Additionally, re-run the curl command and check that the SSL certificate presented matches the expected certificate for the domain. Look for the absence of 'SSL_ERROR_BAD_CERT_DOMAIN' and ensure the output shows the correct certificate details.
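The following script is an added example (not part of the original fix, and not Amazon's or the submitter's code) that turns the "curl -v from outside" check described in the Problem section and in this Validation step into a repeatable monitor. It connects the way a browser does, sending the requested hostname in the TLS Server Name Indication (SNI) extension so the load balancer picks the same certificate it would give a real user, reads the certificate actually presented, and compares the requested name against the certificate's SubjectAltName entries using the wildcard rules browsers apply. The server-side health check stays green because it usually connects to the backend or to the load balancer's IP without that SNI value, so it never sees the mismatch; this check reports it explicitly instead of only raising an exception. The hostnames `domain-a.com` and `domain-b.com` are the page's placeholders, and `WRONG_CERT` is a constructed sample of what `ssl.SSLSocket.getpeercert()` returns for a wildcard certificate issued for `*.domain-a.com`.

```python
"""Check which certificate a load balancer presents for a hostname and whether
its SubjectAltName covers that hostname. Added example, not from the original
page; domain-a.com / domain-b.com are the page's placeholder names."""
import socket
import ssl


def hostname_matches_san(hostname: str, san_names: list) -> bool:
    """Return True if hostname is covered by one of the dNSName SAN entries.

    Applies the RFC 6125 rules browsers use: comparison is case-insensitive,
    a wildcard is only honoured as the whole leftmost label, it matches
    exactly one label, and it must be followed by at least two labels (so
    *.domain-a.com covers www.domain-a.com but not domain-a.com, not
    a.b.domain-a.com, and nothing under domain-b.com; *.com matches nothing).
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        first, rest = san_labels[0], san_labels[1:]
        if first == "*":
            if len(rest) >= 2 and rest == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def san_dns_names(cert: dict) -> list:
    """Extract the dNSName entries from an ssl getpeercert() dictionary."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_peer_cert(host: str, port: int = 443, send_sni: bool = True) -> dict:
    """Connect like a browser would and return the presented leaf certificate.

    check_hostname is disabled so the handshake completes even when the name
    is wrong (that is exactly the condition we want to observe). verify_mode
    is left at CERT_REQUIRED so the chain is still validated against the
    system trust store and getpeercert() returns the parsed certificate rather
    than an empty dict. send_sni=False reproduces what an internal health
    check hitting the IP directly sees: the listener's default certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert()


def check_host(host: str, cert: dict) -> tuple:
    """Return (matches, san_names) for the certificate presented for host."""
    names = san_dns_names(cert)
    return hostname_matches_san(host, names), names


# Constructed sample: what getpeercert() returns for a wildcard certificate
# issued for *.domain-a.com, i.e. the certificate the mis-configured listener
# hands out when domain-b.com is requested.
WRONG_CERT = {
    "subject": ((("commonName", "*.domain-a.com"),),),
    "subjectAltName": (("DNS", "*.domain-a.com"), ("DNS", "domain-a.com")),
}


if __name__ == "__main__":
    import sys

    # With a hostname argument the check runs live (from outside the load
    # balancer); without one it demonstrates the mismatch on the sample cert.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    host = target or "domain-b.com"
    cert = fetch_peer_cert(target) if target else WRONG_CERT
    ok, names = check_host(host, cert)
    print(f"{host}: presented SAN = {names}")
    print("OK" if ok else "MISMATCH: this is what the browser reports as SSL_ERROR_BAD_CERT_DOMAIN")
```

Run it as `python3 check_cert.py domain-b.com` from a network outside the load balancer; a `MISMATCH` line is the same condition curl reports as error 60. Calling `fetch_peer_cert(host, send_sni=False)` alongside the default call shows why the internal status page stays green: without SNI the listener returns its default certificate, which may be a different one from what users receive.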


Environment

Product: HTTPS / TLS / Load Balancer
Environment: production

Submitted by: Alex Chen (2450 rep)

Tags: ssl, tls, certificate, mismatch, load-balancer, debugging