## Introduction

When the certificate a load balancer presents does not cover the requested hostname, has expired, or is served without its intermediate chain, clients abort the TLS handshake and HTTPS fails for the affected hostnames (for a chain or expiry problem, for everything the listener serves). Because TLS terminates at the load balancer, every service behind that listener is affected regardless of how the backends themselves are configured.

## Symptoms

- Browser shows a certificate name mismatch error (Chrome: `NET::ERR_CERT_COMMON_NAME_INVALID`; Firefox: `SSL_ERROR_BAD_CERT_DOMAIN`)
- `curl` fails with `SSL: no alternative certificate subject name matches target host name`
- The TLS handshake fails for specific subdomains while others on the same load balancer work
- A mobile app that pins the certificate or public key stops connecting, typically right after a certificate rotation that changed the pinned key
- The certificate works on one listener but not another (each listener has its own certificate list and default certificate)

## Common Causes

- Certificate CN/SAN does not cover the requested hostname (modern clients check the SAN list only; the CN is ignored once a SAN extension is present)
- Wildcard certificate does not match the hostname: `*.example.com` covers exactly one label, so it matches `api.example.com` but neither `a.b.example.com` nor the bare `example.com`; those need `*.sub.example.com` or an explicit SAN entry
- Certificate expired and not rotated
- Certificate chain incomplete: the load balancer serves the leaf without the intermediate CA certificate, so clients that do not cache or fetch intermediates cannot build a trust path
- Wrong certificate selected for the request: a listener with several certificates picks by SNI, and falls back to its default certificate when the requested name matches none of them or the client sends no SNI
- TLS policy too restrictive for the client: a minimum protocol version or cipher set the client cannot negotiate fails the handshake before the certificate is even examined, which looks the same to the user

## Step-by-Step Fix

1. **Check certificate details:**
   ```bash
   # -servername sends SNI, which is what a multi-certificate listener uses to pick the cert;
   # without it you see the listener's default certificate, not the one your users get
   echo | openssl s_client -connect lb.example.com:443 -servername lb.example.com 2>/dev/null \
     | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
   # Chain check: "Verify return code: 0 (ok)" is good; "unable to get local issuer certificate"
   # means the intermediate is missing from what the load balancer serves
   echo | openssl s_client -connect lb.example.com:443 -servername lb.example.com 2>/dev/null \
     | grep 'Verify return code'
   ```

2. **Update the load balancer certificate:**
   ```bash
   # AWS ALB: find the issued certificate whose SANs cover the hostname
   # (it must be in the same region as the load balancer)
   aws acm list-certificates --certificate-statuses ISSUED
   # Replace the listener's default certificate
   aws elbv2 modify-listener --listener-arn <arn> \
     --certificates CertificateArn=<new-cert-arn>
   # Or keep the default and add the new one as an additional SNI certificate
   aws elbv2 add-listener-certificates --listener-arn <arn> \
     --certificates CertificateArn=<new-cert-arn>
   ```

3. **Verify TLS policy settings:**
   ```bash
   # Check which security policy (minimum TLS version and cipher suites) the listener uses
   aws elbv2 describe-listeners --listener-arns <arn> \
     --query 'Listeners[0].SslPolicy'
   # Show the protocols and ciphers that policy actually allows
   aws elbv2 describe-ssl-policies --names <policy-name>
   ```

## Prevention

- Use ACM or Let's Encrypt with automatic renewal (ACM renews DNS-validated certificates on its own as long as the validation CNAME record stays in place)
- Monitor certificate expiration and alert well before `notAfter`, for example at 30 days; ACM exposes a `DaysToExpiry` CloudWatch metric for this
- Use wildcard or multi-domain (SAN) certificates deliberately: a wildcard covers one label level only, so list every hostname shape the listener must serve, including the apex domain
- Test certificate coverage before deployment by comparing the SAN list against every hostname that will resolve to the listener
- Choose a TLS policy that the oldest client you must support can negotiate, and roll policy changes out on a staging or canary listener first
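The coverage test in the prevention list, and the wildcard rule from the causes list, are easy to get wrong by eye. As an added example that is not part of the original runbook and not AWS or OpenSSL code, the following Python script takes the text printed by the `openssl x509` pipeline in step 1 of the fix and checks it against the hostnames the listener must serve, applying the matching rule browsers use (a wildcard stands in for exactly one left-most label, and the CN is consulted only when there is no SAN extension). It goes slightly beyond the text by also reporting expiry as of a chosen date. The sample certificate text, the hostnames, and the script name `check_cert_coverage.py` are constructed for the example.

```python
"""Offline check of which hostnames a certificate covers and when it expires.

Input is the text printed by the openssl pipeline used in step 1 of the fix
(`openssl x509 -noout -subject -issuer -dates -ext subjectAltName`).
Name matching follows RFC 6125 section 6.4.3, which is what browsers do:
a wildcard stands in for exactly one left-most label, so *.example.com
covers api.example.com but neither example.com nor a.b.example.com, and
the CN is consulted only when the certificate has no SAN extension.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of the openssl output for a wildcard certificate
# (not a real certificate; replace with the load balancer's actual output).
SAMPLE_CERT_TEXT = """\
subject=CN = *.example.com
issuer=C = US, O = Example CA, CN = Example Intermediate R1
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Mar 31 23:59:59 2024 GMT
X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
"""


def parse_cert_text(text):
    """Return (san_dns_names, cn, not_after) from `openssl x509` text output."""
    sans, cn, not_after = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            m = re.search(r"\bCN\s*=\s*([^,/]+)", line)
            cn = m.group(1).strip() if m else None
        elif line.startswith("notAfter="):
            stamp = line[len("notAfter="):].strip()
            not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
            not_after = not_after.replace(tzinfo=timezone.utc)
        elif line.startswith("DNS:"):
            # A SAN line is comma separated and may mix DNS:, IP Address: and email: entries.
            for entry in line.split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    sans.append(value.strip())
    return sans, cn, not_after


def hostname_matches(pattern, hostname):
    """Exact match, or a single '*' that is the entire left-most label of the pattern."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    # Reject partial ("f*o.example.com"), nested ("*.*.example.com") and
    # top-level ("*.com") wildcards, which browsers also refuse.
    if head != "*" or "*" in tail or "." not in tail:
        return False
    host_head, _, host_tail = hostname.partition(".")
    # The wildcard consumes exactly one label; everything after it must match label for label,
    # which is why a.b.example.com and the bare example.com are not covered by *.example.com.
    return bool(host_head) and host_tail == tail


def check_coverage(cert_text, hostnames, as_of=None):
    """Report which hostnames the certificate covers and whether it is expired.

    `as_of` may be None (now), a timezone-aware datetime, or a "YYYY-MM-DD"
    string taken as UTC midnight, so expiry can be evaluated for a future date.
    """
    sans, cn, not_after = parse_cert_text(cert_text)
    names = sans if sans else ([cn] if cn else [])
    if as_of is None:
        as_of = datetime.now(timezone.utc)
    elif isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    covered = {h: any(hostname_matches(n, h) for n in names) for h in hostnames}
    return {
        "names": names,
        "covered": covered,
        "expired": not_after is not None and not_after <= as_of,
        "days_left": (not_after - as_of).days if not_after else None,
    }


def main(argv):
    """Usage: python check_cert_coverage.py [--as-of YYYY-MM-DD] host [host ...] < openssl_output.txt"""
    args = argv[1:]
    as_of = None
    if args[:1] == ["--as-of"]:
        as_of, args = args[1], args[2:]
    hosts = args or ["api.example.com", "example.com", "a.b.example.com"]
    # With nothing piped in, fall back to the constructed sample so the script runs stand-alone.
    text = SAMPLE_CERT_TEXT if sys.stdin.isatty() else sys.stdin.read()
    report = check_coverage(text, hosts, as_of)
    print("certificate names:", ", ".join(report["names"]))
    for host, ok in report["covered"].items():
        print(f"  {'OK     ' if ok else 'MISSING'} {host}")
    print("expired:", report["expired"], "| days left:", report["days_left"])
    missing = [h for h, ok in report["covered"].items() if not ok]
    return 1 if missing or report["expired"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe the real output of step 1 into it (`... | openssl x509 -noout -subject -issuer -dates -ext subjectAltName | python3 check_cert_coverage.py api.example.com example.com`) with the full list of hostnames that will point at the listener; the non-zero exit status on a missing name or an expired certificate lets the same check gate a deployment pipeline. Note that it validates the leaf's names and dates only; the chain check still needs the `Verify return code` line from `openssl s_client`.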