Introduction
Server Name Indication (SNI) is the TLS extension in which the client names the host it wants, so a listener that serves several hostnames can pick the matching certificate before the handshake completes. An SNI misconfiguration means the server presents the wrong certificate for the hostname the visitor requested, usually the listener's default certificate because no mapping matched. That produces certificate name mismatch warnings, inconsistent behavior across subdomains, or failures that appear only behind certain load balancers and proxies. The fix is to trace where TLS actually terminates and make sure every listener on that path chooses the right certificate for each host.
Symptoms
- Browsers show the wrong certificate or a name mismatch for one hostname
- The main domain works, but certain subdomains fail over HTTPS
- SSL tests report a different certificate than the one you expected to deploy
- The issue started after adding a new domain, proxy, load balancer, or shared listener
- Different edge locations or backend nodes present different certificates
Common Causes
- Multiple hostnames share one TLS listener without correct SNI-based certificate mapping
- A reverse proxy or load balancer terminates TLS with the default certificate instead of the hostname-specific one
- One backend node still has an old certificate binding or stale virtual host configuration
- CDN, origin, and local server certificate assignments are out of sync
- A wildcard or SAN certificate does not actually cover the hostname being served (a wildcard such as *.example.com matches exactly one label, so it covers app.example.com but not example.com or a.b.example.com)
Step-by-Step Fix
- Confirm which hostname returns the wrong certificate and from which layer the certificate is actually being served.
- Test the domain from outside the browser so you can inspect the certificate chain and hostname presented during the TLS handshake; for example, connect with openssl s_client using -servername for each hostname, and once with no SNI at all, so you can see what the listener serves by default.
- Review listener, virtual host, or ingress configuration to verify the hostname is mapped to the intended certificate.
- Check whether a proxy, CDN, or load balancer terminates TLS before the origin and may be serving a different certificate than the backend.
- Compare all active nodes or instances to ensure they use the same certificate files and hostname bindings.
- Verify the deployed certificate actually covers the requested hostname through SAN or wildcard scope.
- Reload or redeploy the TLS layer after correcting bindings so the old default certificate is no longer served.
- Retest each affected hostname individually, not just the apex domain, to confirm SNI selection now works across the full set.
- Keep certificate inventory tied to listener and hostname ownership so later domain additions do not quietly inherit the wrong default cert.
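The following is an added example, not part of the original page, that ties the steps above together: a stdlib-only probe that fetches the certificate a listener presents for a chosen SNI value (or for no SNI, to expose the default), a hostname-coverage check with the one-label wildcard rule, a small model of how a shared listener falls back to its default certificate when a hostname is not mapped, and a comparison across nodes to find the one with a stale binding. The certificate dicts, hostnames under example.test, and node labels are constructed for illustration; probe() is the only part that touches the network and is not exercised by the sample run.

```python
import socket
import ssl
from collections import Counter


def san_dns_names(peercert):
    """Return the DNS entries from a dict in the shape ssl's getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def cert_covers(hostname, dns_names):
    """True if any SAN DNS entry covers hostname under the rules browsers apply:
    exact case-insensitive match, or a wildcard that is the entire leftmost label
    and spans exactly one label. Conservative on purpose: partial wildcards such as
    w*.example.test and wildcards above the second-level domain never match."""
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host) and labels[1:] == host[1:]):
            return True
    return False


def diagnose(hostname, peercert):
    """Classify what a listener presented for one requested hostname."""
    names = san_dns_names(peercert)
    if not names:
        return "no-san"  # CN-only certificates fail hostname checks in browsers anyway
    return "ok" if cert_covers(hostname, names) else "mismatch"


def probe(host, port=443, sni=None, timeout=5.0):
    """Fetch the leaf certificate a listener presents for a given SNI value (network).
    sni=None sends no SNI at all, which reveals the listener's default certificate.
    Hostname checking is disabled so a mismatching certificate is returned instead
    of raising; chain validation against the system trust store is still enforced."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def listener_select(sni, cert_map, default_cert):
    """Model of SNI-based selection on a shared listener: a missing or unmapped
    SNI value silently falls back to the default certificate, which is exactly
    the misconfiguration this page describes."""
    if sni is None:
        return default_cert
    return cert_map.get(sni.lower(), default_cert)


def compare_nodes(presented):
    """presented: {node_label: peercert dict} captured from each backend or edge
    for the same hostname. Returns the nodes whose SAN set differs from the
    majority, i.e. the stale-binding suspects."""
    keyed = {node: tuple(sorted(san_dns_names(c))) for node, c in presented.items()}
    majority, _ = Counter(keyed.values()).most_common(1)[0]
    return sorted(node for node, sans in keyed.items() if sans != majority)


# Constructed sample certificates (not captured from any real site), in the
# dict shape getpeercert() produces: a default cert covering apex and www, and a
# correctly scoped wildcard cert meant for the other subdomains.
DEFAULT_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"), ("DNS", "example.test")),
}


def sample_run():
    """Walk the failure and the fix on the constructed data; returns the verdicts."""
    broken_map = {"www.example.test": DEFAULT_CERT}  # api never mapped -> default cert
    fixed_map = {"www.example.test": DEFAULT_CERT, "api.example.test": WILDCARD_CERT}
    return {
        "api_before": diagnose("api.example.test",
                               listener_select("api.example.test", broken_map, DEFAULT_CERT)),
        "api_after": diagnose("api.example.test",
                              listener_select("api.example.test", fixed_map, DEFAULT_CERT)),
        # one-label wildcard rule: *.example.test does not reach a deeper subdomain
        "deep_after": diagnose("deep.api.example.test", WILDCARD_CERT),
        "stale_nodes": compare_nodes({"edge-1": WILDCARD_CERT, "edge-2": WILDCARD_CERT,
                                      "edge-3": DEFAULT_CERT}),
    }


if __name__ == "__main__":
    for key, value in sample_run().items():
        print(f"{key}: {value}")
```

In a real investigation, call probe(host, 443, sni=host) for every hostname on the listener and once with sni=None, feed each result to diagnose(), and pass per-node captures (connect to each backend IP directly with the same SNI) to compare_nodes(); a node that falls out of the majority is the one still serving the old binding.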