Which matters more: Common Name or SAN?

Modern browsers primarily validate the SAN list. If the active hostname is not in SAN, the certificate is considered mismatched.

Does a wildcard certificate cover everything?

No. A wildcard such as `*.example.com` usually covers only one subdomain level and does not automatically include the apex domain or deeper nested names.

Why do I still get a mismatch when DNS looks correct?

The domain may still terminate at a different proxy, CDN edge, or default virtual host that serves the wrong certificate.

NET::ERR_CERT_COMMON_NAME_INVALID Fix

How to fix certificate hostname mismatch warnings by checking SAN coverage, DNS targets, and the actual endpoint serving the certificate.

Diagnose your site now

Problem

Browsers show NET::ERR_CERT_COMMON_NAME_INVALID, indicating the certificate does not match the current hostname.

Symptoms

Users hit a certificate warning page instead of the site.
SSL checks report SAN mismatch or hostname mismatch.
Only some hostnames fail, such as www or a specific subdomain.

Top 3 Causes

The hostname is missing from SAN - The certificate does not cover the actual domain being used.
DNS or proxy routing points to the wrong endpoint - The request reaches a server that serves a different certificate.
Wildcard coverage was misunderstood - The wildcard does not cover the hostname pattern you assumed.

Diagnose with DechoNet

SSL Check to inspect the SAN list and confirm the hostname mismatch.
DNS Lookup to verify the domain resolves to the intended IP or proxy target.
HTTP Check to confirm the final hostname and redirect flow.

Resolution Checklist

Confirm the active hostname appears in the SAN list returned by SSL Check.
Validate www, apex, and subdomain hostnames separately.
Verify DNS points to the intended service endpoint.
If using a CDN or reverse proxy, ensure the correct certificate is bound at the edge.
Re-run SSL Check using the exact hostname that was failing.

When to Escalate

Escalate internally if your certificate issuance pipeline is generating the wrong hostname set.
Escalate to the CDN or hosting provider if you cannot control which certificate is attached to the active endpoint.