Fix SSL SAN Mismatch Load Balancer Serving Wrong Certificate

Introduction

A valid certificate still produces hostname mismatch errors if the load balancer presents the wrong one. This commonly happens after adding another site to the same listener, rotating certificates without updating the listener attachment, or relying on SNI while the wrong default certificate remains first in the selection order.

Symptoms

Browsers report a certificate mismatch even though the target certificate exists in the account
One host name works while another on the same listener shows the wrong certificate
The issue started after attaching an additional domain or rotating certificates
Direct origin access may present the correct certificate while the load balancer does not

Common Causes

The listener is attached to the wrong certificate
SNI certificate selection does not include the requested host name
The new certificate does not actually contain the required SAN entry
The wrong default certificate is served to clients that do not negotiate as expected

Step-by-Step Fix

1.Inspect the certificate actually presented by the public endpoint
2.Test the live listener instead of assuming the dashboard attachment is correct.

bash

openssl s_client -connect example.com:443 -servername example.com | openssl x509 -noout -subject -issuer -ext subjectAltName

1.Check which certificate is attached to the load balancer listener
2.Compare the listener attachment with the certificate ARN you intended to serve.

bash

aws elbv2 describe-listeners --load-balancer-arn <alb-arn>
aws elbv2 describe-listener-certificates --listener-arn <listener-arn>

1.Attach the correct certificate and keep SNI ordering clean
2.Make sure the requested host name is covered by the certificate attached to the listener.

bash

aws elbv2 add-listener-certificates --listener-arn <listener-arn> --certificates CertificateArn=<correct-cert-arn>

1.Retest the exact host name after the listener update
2.Re-run the live handshake check and confirm the SAN list now includes the requested name.

bash

openssl s_client -connect example.com:443 -servername example.com | openssl x509 -noout -ext subjectAltName

Prevention

Verify listener certificate attachments after every certificate rotation
Use SAN coverage reviews when consolidating many domains on one listener
Test each public host name with SNI-aware tools after load balancer changes
Document which listener certificate is default and which are SNI attachments

SSL SAN Mismatch Because the Load Balancer Is Serving the Wrong Certificate

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Prevention

People also search for

SSL SAN Mismatch Because the Load Balancer Is Serving the Wrong Certificate

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Prevention

People also search for

Share this guide

More SSL Troubleshooting Guides

Fix SSL Certificate Authority Cert Policy Extension CPS Pointer Missing

Fix TLS Key Share Extension Missing ECDHE Parameters for Handshake

Fix Certificate Subject Info Access SIA CA Issuers URL Incomplete Chain

Fix SSL Certificate Freshest CRL Extension Delta CRL Distribution Point Missing

Fix Certificate Authority Subject Key Identifier Method Mismatch

Fix TLS Compressed Certificate Extension Causing Decode Failures on Mobile