How to Fix SSL Hostname Mismatch Errors

Hostname mismatch means the certificate does not include the exact host requested by the client. Browsers and API clients reject this to prevent man-in-the-middle attacks.

Typical mismatch patterns

• Certificate includes `www.example.com` but request is `example.com`.
• Certificate issued for staging host but installed on production.
• Wildcard expected to cover apex (it does not cover the root domain).

Fix checklist

1. List all hostnames you serve (`example.com`, `www`, subdomains).
2. Issue/reissue certificate with correct SAN entries for each hostname.
3. Install certificate and full chain on the active edge/proxy node.
4. Validate HTTPS redirects so traffic lands on covered hostnames only.
5. Retest with Website Checker and browser.

Wildcard reminder

`*.example.com` covers subdomains like `api.example.com`, but not `example.com`. If you serve both, include both names in SANs.

If mismatch appears intermittently

• Check load balancer pools for nodes with old certificates.
• Check CDN edge deployment status in all regions.
• Verify automation did not renew one cert but deploy another.

If SSL is healthy but you still get downtime codes, continue with 5xx troubleshooting.