Fixing Domain Mismatch Errors in SSL Certificates
Learn why SSL certificate domain mismatch errors happen, how to check covered hostnames, and how to fix certificates for root, www and subdomains.
Introduction
A domain mismatch error happens when the SSL/TLS certificate shown by the server does not cover the exact hostname visitors are using. For example, the certificate may cover example.com but not www.example.com, or it may cover one subdomain while visitors open another.
This problem is common after hosting migrations, CDN changes, domain redirects, wildcard certificate mistakes or incorrect virtual host configuration. The fix is to identify the hostname visitors use, check the certificate SAN list, and install a certificate that covers the active domain.
Quick answer
A certificate mismatch means the certificate does not include the hostname being visited. Check the exact URL, review the certificate SAN names, confirm root/www/subdomain coverage, and install or reissue a certificate that covers the active hostname.
SSL domain mismatch
An SSL domain mismatch means the browser connected to one hostname, but the server presented a certificate issued for a different hostname.
Visitor opens:
https://www.example.com
Certificate only covers:
example.com
Result:
Browser may show a certificate warning.
The certificate must match the exact hostname in the browser address bar, unless the hostname is covered by a valid wildcard or SAN entry.
Hostname matching
SSL certificates are checked against the hostname visitors use.
- example.com
- www.example.com
- app.example.com
- mail.example.com
- dev.app.example.com
These are not automatically the same for SSL coverage.
A redirect can help choose one preferred hostname, but the certificate still needs to be valid for the hostname before or during the HTTPS connection.
SAN names
Modern certificates list covered hostnames in the Subject Alternative Name, or SAN, field.
example.com
www.example.com
app.example.com
This certificate covers those exact names. It does not cover shop.example.com, api.example.com or dev.app.example.com unless those names are also listed.
When troubleshooting mismatch errors, always check the SAN list.
Root vs www
The root domain and www hostname are different names.
Root
example.com
WWW
www.example.com
A certificate for only example.com may not cover www.example.com. A certificate for only www.example.com may not cover example.com.
- Include both example.com and www.example.com, or
- Redirect consistently to the hostname covered by the certificate
For most public websites, include both root and www to avoid avoidable warnings.
Wildcard mismatch
Wildcard certificates cover only one subdomain level.
*.example.com
Covers:
- app.example.com
- shop.example.com
- blog.example.com
Usually does not cover:
- example.com
- dev.app.example.com
- example.net
If you need deeper subdomains, add specific SAN names or use another certificate strategy.
Why this matters
Domain mismatch errors matter because browsers treat them as serious security warnings. Visitors may think the site is fake, compromised or unsafe. APIs, webhooks, payment systems and integrations may also reject connections when the certificate does not match the hostname.
Mismatch errors usually mean the wrong certificate is installed, the wrong hostname is being used, or the active server or CDN is not serving the expected certificate.
How to check mismatch
Use SSL Checker to inspect the certificate shown for the exact hostname visitors use.
When checking mismatch errors, review
These six checks help identify hostname coverage gaps.
Exact URL
Check the full hostname in the browser address bar.
Certificate SAN list
Confirm whether the hostname appears in the certificate.
Root and www
Check both example.com and www.example.com.
Subdomains
Check each subdomain that should load over HTTPS.
Active server or CDN
Confirm which endpoint is serving the certificate.
Redirect behavior
Check whether redirects send users to a hostname not covered by the certificate.
Check hostname coverage
Use SSL Checker to verify whether the certificate covers the exact domain or subdomain.
Common problems
Certificate covers root but not www
HighVisitors open www.example.com, but the certificate only includes example.com.
Next step: Reissue the certificate with both example.com and www.example.com, or redirect consistently.
Certificate covers www but not root
HighVisitors open example.com, but the certificate only includes www.example.com.
Next step: Add the root domain to the certificate or redirect root to www with valid coverage.
Wrong certificate installed
HighThe server presents a certificate for another domain or old hosting account.
Next step: Install the correct certificate on the active server, CDN or proxy.
Subdomain not included
HighThe certificate does not include the requested subdomain.
Next step: Add the subdomain to the SAN list or use a suitable wildcard certificate.
Wildcard does not cover deeper subdomain
Medium*.example.com does not normally cover dev.app.example.com.
Next step: Issue a certificate that includes the deeper hostname explicitly.
CDN serves different certificate
HighThe origin server may be correct, but the CDN edge presents another certificate.
Next step: Update the certificate in the CDN or proxy settings.
Redirect points to uncovered hostname
MediumThe site redirects users to a hostname not included in the certificate.
Next step: Fix redirects or add the redirect target hostname to the certificate.
Old certificate cached or still active
MediumA new certificate was issued, but the public endpoint still serves the old one.
Next step: Reload the web server, update CDN/proxy SSL and clear relevant caches.
How to fix mismatch
-
Step 1: Identify the exact failing hostname
Check the hostname users open, such as example.com, www.example.com or app.example.com.
-
Step 2: Inspect the certificate SAN list
Use SSL Checker or browser certificate details to see which hostnames are covered.
-
Step 3: Decide the intended hostname strategy
Choose whether the site should use root, www, a subdomain or multiple names.
-
Step 4: Reissue the certificate
Include every hostname that should load over HTTPS.
-
Step 5: Install on the active endpoint
Update the certificate on hosting, CDN, reverse proxy, load balancer or control panel.
-
Step 6: Fix redirects
Make sure redirects send users only to hostnames covered by the certificate.
-
Step 7: Re-test externally
Check every public hostname after installation.
CDN and proxy mismatch
If a CDN or reverse proxy is used, visitors may not see the certificate installed on the origin server. They see the certificate served by the CDN or proxy edge.
- CDN SSL certificate
- Origin SSL certificate
- Proxy mode
- Custom hostname settings
- Edge certificate coverage
- Origin hostname coverage
- Redirect rules at CDN and origin
A mismatch can happen even when the origin server certificate is correct if the CDN edge certificate is wrong.
Migration checklist
After moving hosting or CDN, check
Verify every public hostname after migration.
Root domain
Root domain certificate is valid.
WWW
WWW certificate is valid.
Subdomains
Important subdomains are covered.
Wildcard
Wildcard coverage matches actual hostnames.
CDN edge
CDN edge certificate is correct.
Origin cert
Origin certificate is correct.
Redirect targets
Redirect targets are covered.
Old server
Old server is not still responding.
DNS endpoint
DNS points to the intended endpoint.
External HTTPS
HTTPS works from an external network.
Mismatch examples
Visitor opens:
https://www.example.com
Certificate covers:
example.com
Fix — issue certificate for:
example.com
www.example.com
Visitor opens:
https://dev.app.example.com
Certificate covers:
*.example.com
Fix — add:
dev.app.example.com
or use a separate certificate for that hostname.
openssl s_client -connect www.example.com:443 -servername www.example.com
curl -I https://www.example.com
These examples are illustrative. Replace hostnames with your real domain names.
Frequently asked questions
What causes an SSL domain mismatch?
The certificate does not include the exact hostname visitors are using.
Does example.com certificate cover www.example.com?
Only if www.example.com is included in the certificate SAN list.
Does a wildcard certificate cover the root domain?
Usually no. *.example.com covers first-level subdomains, not example.com.
Does a wildcard certificate cover dev.app.example.com?
Usually no. *.example.com covers app.example.com, but not deeper subdomains like dev.app.example.com.
Why does the mismatch happen only behind a CDN?
The CDN may be serving its own edge certificate, which can differ from the origin server certificate.
Can redirects fix a mismatch?
Only if the browser can establish a valid HTTPS connection first. The certificate still needs to cover the hostname being requested.
How do I confirm the fix worked?
Run SSL Checker and test every hostname externally, including root, www and important subdomains.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all SSL & HTTPS guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!