{ "id": "security/tls-certificate-hostname-mismatch", "signature": "TLS certificate hostname mismatch: the certificate's CN or SAN does not match the requested hostname", "signature_zh": "TLS证书主机名不匹配:证书的CN或SAN与请求的主机名不匹配", "regex": "hostname.*mismatch|certificate.*CN.*not match|SSL.*hostname.*verify|hostname verification failed", "domain": "security", "category": "tls_error", "subcategory": null, "root_cause": "The TLS certificate presented by the server has a Common Name (CN) or Subject Alternative Name (SAN) that does not match the hostname used in the client's request, causing the TLS handshake to fail.", "root_cause_type": "generic", "root_cause_zh": "服务器提供的TLS证书的通用名称(CN)或主题备用名称(SAN)与客户端请求中使用的主机名不匹配,导致TLS握手失败。", "versions": [ { "version": "OpenSSL 3.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Java 17", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Node.js 20", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Nginx 1.24", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Disabling hostname verification entirely (e.g., setting `NODE_TLS_REJECT_UNAUTHORIZED=0`) bypasses the error but exposes the connection to man-in-the-middle attacks.", "fail_rate": 0.7, "condition": "", "sources": [] }, { "action": "", "why_fails": "Adding the hostname to the /etc/hosts file to point to a different IP doesn't fix the certificate mismatch; the server still presents the wrong cert for that hostname.", "fail_rate": 0.4, "condition": "", "sources": [] }, { "action": "", "why_fails": "Some try to use a self-signed certificate with the correct hostname but forget to add the CA to the trust store, causing a different error (unable to verify certificate).", "fail_rate": 0.3, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Reissue the certificate with the correct hostname in the SAN field. For Let's Encrypt: `certbot certonly --standalone -d example.com -d www.example.com` and ensure all alternative names are included.", "success_rate": 0.95, "how": "Reissue the certificate with the correct hostname in the SAN field. For Let's Encrypt: `certbot certonly --standalone -d example.com -d www.example.com` and ensure all alternative names are included.", "condition": "", "sources": [] }, { "action": "If using a reverse proxy, configure SNI (Server Name Indication) to serve the correct certificate based on the hostname. For Nginx: `server_name example.com; ssl_certificate /path/to/cert.pem;`", "success_rate": 0.85, "how": "If using a reverse proxy, configure SNI (Server Name Indication) to serve the correct certificate based on the hostname. For Nginx: `server_name example.com; ssl_certificate /path/to/cert.pem;`", "condition": "", "sources": [] } ], "workarounds_zh": [ "Reissue the certificate with the correct hostname in the SAN field. For Let's Encrypt: `certbot certonly --standalone -d example.com -d www.example.com` and ensure all alternative names are included.", "If using a reverse proxy, configure SNI (Server Name Indication) to serve the correct certificate based on the hostname. For Nginx: `server_name example.com; ssl_certificate /path/to/cert.pem;`" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://www.rfc-editor.org/rfc/rfc6125", "official_doc_section": null, "error_code": "TLS-1002", "verification_tier": "ai_generated", "confidence": 0.87, "fix_success_rate": 0.9, "resolvable": "true", "first_seen": "2023-04-12", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }