Introduction

A server can hold a perfectly valid certificate and still present the wrong one if that certificate is attached to the wrong virtual host or to the default TLS listener. This usually shows up on multi-site servers where hostnames share an IP address and rely on SNI to select the right certificate. The fix is to trace how the server maps the requested hostname to a virtual host and which certificate that vhost actually serves.

Symptoms

  • Browsers show a certificate for a different domain than the hostname being visited
  • One site on the server has the correct certificate while another presents the wrong one
  • SSL renewal completed, but only some hostnames changed to the new certificate
  • The problem appears only on multi-site or shared-IP environments
  • A default site or fallback listener seems to answer first during TLS negotiation

Common Causes

  • The certificate file was configured on the wrong virtual host block
  • SNI mappings do not include the intended hostname or alias
  • A default TLS listener catches the request before the correct host-specific listener
  • One hostname points to a different vhost definition than expected
  • Control panel or templating changes rewrote certificate paths onto the wrong site config

Step-by-Step Fix

  1. Identify the exact hostname serving the wrong certificate and capture the live certificate details it presents.
  2. Review the server's virtual host or listener configuration and map which block should handle that hostname.
  3. Confirm the certificate and key paths attached to that specific virtual host rather than only checking the default SSL config.
  4. Verify SNI coverage for the hostname, including aliases such as www and any additional server names.
  5. Check whether a default listener is catching the request first because of config order, missing hostnames, or incomplete bindings.
  6. Move the certificate reference to the correct virtual host and validate the server configuration before reload.
  7. Reload the web server and retest the hostname with an SNI-aware SSL client.
  8. If the site runs on multiple nodes, confirm the same virtual host mapping and certificate attachment exist everywhere.
  9. Keep hostname-to-vhost ownership clear so certificate rotation on one site does not overwrite another site's listener.
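
The mapping check in steps 2 to 5 can be scripted once the vhost names and certificate SANs are collected. The sketch below is an added example, not taken from any server's tooling: the inventory, the `audit` helper and the status labels are hypothetical, and vhost selection is simplified to an exact name match with fallback to the default listener.

```python
# Constructed inventory (all names and SANs are made up). In practice, fill
# server_names from the vhost config and cert_sans from each vhost's cert file.
VHOSTS = [
    {"name": "default", "server_names": [], "default": True,
     "cert_sans": ["legacy.example.net"]},
    {"name": "shop", "server_names": ["shop.example.com", "www.shop.example.com"],
     "cert_sans": ["shop.example.com"]},
    {"name": "blog", "server_names": ["blog.example.com"],
     "cert_sans": ["*.example.com"]},
]

def san_matches(hostname, san):
    """Match a hostname against one SAN; a wildcard covers one leftmost label."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == san[2:]
    return hostname == san

def select_vhost(hostname, vhosts):
    """Return (vhost, fell_back). Simplified model: exact name, else default."""
    for v in vhosts:
        if hostname.lower() in (n.lower() for n in v["server_names"]):
            return v, False
    for v in vhosts:
        if v.get("default"):
            return v, True
    return vhosts[0], True  # assumption: first-defined vhost acts as the default

def audit(hostnames, vhosts):
    """Report which vhost answers each hostname and whether its cert covers it."""
    findings = []
    for h in hostnames:
        v, fell_back = select_vhost(h, vhosts)
        covered = any(san_matches(h, s) for s in v["cert_sans"])
        if fell_back:
            status = "default-fallback"   # no vhost claims this hostname
        elif not covered:
            status = "cert-mismatch"      # right vhost, wrong or incomplete cert
        else:
            status = "ok"
        findings.append((h, v["name"], status))
    return findings

if __name__ == "__main__":
    for row in audit(["shop.example.com", "www.shop.example.com",
                      "blog.example.com", "api.example.com"], VHOSTS):
        print(*row, sep="\t")
```

Run it against the inventory from every node (step 8); differing results between nodes point to a node whose vhost mapping or certificate attachment has drifted.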