TLS-1002 security tls_error ai_generated true

TLS certificate hostname mismatch: the certificate's CN or SAN does not match the requested hostname

ID: security/tls-certificate-hostname-mismatch

Fix rate: 90%
Confidence: 87%
Evidence: 1
First seen: 2023-04-12

Version Compatibility

| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OpenSSL 3.0 | active | | | |
| Java 17 | active | | | |
| Node.js 20 | active | | | |
| Nginx 1.24 | active | | | |

Root Cause

The TLS certificate presented by the server has a Common Name (CN) or Subject Alternative Name (SAN) that does not match the hostname used in the client's request, causing the TLS handshake to fail.

Official Documentation

https://www.rfc-editor.org/rfc/rfc6125

Workarounds

  1. (95% success) Reissue the certificate with the correct hostname in the SAN field. For Let's Encrypt: `certbot certonly --standalone -d example.com -d www.example.com` and ensure all alternative names are included.
  2. (85% success) If using a reverse proxy, configure SNI (Server Name Indication) to serve the correct certificate based on the hostname. For Nginx: `server_name example.com; ssl_certificate /path/to/cert.pem;`

Dead Ends

Common approaches that don't work:

  1. (70% fail) Disabling hostname verification entirely (e.g., setting `NODE_TLS_REJECT_UNAUTHORIZED=0`) bypasses the error but exposes the connection to man-in-the-middle attacks.
  2. (40% fail) Adding the hostname to the /etc/hosts file to point to a different IP doesn't fix the certificate mismatch; the server still presents the wrong certificate for that hostname.
  3. (30% fail) Using a self-signed certificate with the correct hostname but forgetting to add its CA to the trust store, which produces a different error (unable to verify certificate).
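The matching rule the root cause above refers to, and the check that the first dead end switches off, as an added Python example (it is not code from this page or from any library the page names): it applies the RFC 6125 rules to a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, prefers SAN entries, and falls back to the CN only when the certificate carries no SAN at all. The sample certificates, hostnames and function names are constructed for this example.

```python
"""Hostname-vs-certificate matching per RFC 6125 (added example, not from the page)."""
import ipaddress


def _dns_name_matches(presented: str, hostname: str) -> bool:
    """Match one presented DNS identifier against a hostname (RFC 6125 s6.4.3).

    A '*' is accepted only as the entire left-most label, it must be followed by
    at least two labels, and it matches exactly one label: '*.example.com'
    matches 'www.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard not left-most, or too broad ('*.com')
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False  # wildcard never spans more than one label
    return p_labels[1:] == h_labels[1:]


def presented_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_addresses) from the SAN extension.

    The CN is used only when there is no SAN of either type: modern clients
    ignore the CN whenever a SAN is present, which is why a certificate whose
    CN is right but whose SAN is wrong still fails with a hostname mismatch.
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def check_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is False exactly when a verifying client would
    reject the connection with the hostname-mismatch error."""
    dns, ips = presented_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # IP literals are matched only against iPAddress SAN entries, never DNS names.
        for presented in ips:
            try:
                if ipaddress.ip_address(presented) == wanted_ip:
                    return True, f"{hostname} matches SAN iPAddress {presented}"
            except ValueError:
                continue
        return False, f"no SAN iPAddress matches {hostname}; presented: {ips or 'none'}"
    for presented in dns:
        if _dns_name_matches(presented, hostname):
            return True, f"{hostname!r} matches {presented!r}"
    return False, f"hostname {hostname!r} does not match any of {dns}"


# Constructed sample certificates in getpeercert() shape (not real certificates).
SAN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
# CN names api.example.com but the SAN does not: the SAN wins, so this mismatches.
CN_ONLY_MISMATCH = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "example.com"),),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
IP_CERT = {"subjectAltName": (("IP Address", "203.0.113.5"),)}
LEGACY_CN_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}

if __name__ == "__main__":
    for cert, host in [
        (SAN_CERT, "www.example.com"),
        (SAN_CERT, "api.example.com"),
        (CN_ONLY_MISMATCH, "api.example.com"),
        (WILDCARD_CERT, "a.b.example.com"),
    ]:
        ok, why = check_hostname(cert, host)
        print("OK  " if ok else "FAIL", why)
```

Python's `ssl.create_default_context()` performs this check itself when `check_hostname` is left at its default of `True`; the function above only makes the rule visible, so that a failing `FAIL ... does not match any of [...]` line tells you which name to add to the SAN when reissuing the certificate (workaround 1) rather than tempting you toward the first dead end.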