TLS证书主机名不匹配:证书的CN或SAN与请求的主机名不匹配
TLS certificate hostname mismatch: the certificate's CN or SAN does not match the requested hostname
ID: security/tls-certificate-hostname-mismatch
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| OpenSSL 3.0 | active | — | — | — |
| Java 17 | active | — | — | — |
| Node.js 20 | active | — | — | — |
| Nginx 1.24 | active | — | — | — |
根因分析
服务器提供的TLS证书的通用名称(CN)或主题备用名称(SAN)与客户端请求中使用的主机名不匹配,导致TLS握手失败。
English
The TLS certificate presented by the server has a Common Name (CN) or Subject Alternative Name (SAN) that does not match the hostname used in the client's request, causing the TLS handshake to fail.
官方文档
https://www.rfc-editor.org/rfc/rfc6125解决方案
-
Reissue the certificate with the correct hostname in the SAN field. For Let's Encrypt: `certbot certonly --standalone -d example.com -d www.example.com` and ensure all alternative names are included.
-
If using a reverse proxy, configure SNI (Server Name Indication) to serve the correct certificate based on the hostname. For Nginx: `server_name example.com; ssl_certificate /path/to/cert.pem;`
无效尝试
常见但无效的做法:
-
70% 失败
Disabling hostname verification entirely (e.g., setting `NODE_TLS_REJECT_UNAUTHORIZED=0`) bypasses the error but exposes the connection to man-in-the-middle attacks.
-
40% 失败
Adding the hostname to the /etc/hosts file to point to a different IP doesn't fix the certificate mismatch; the server still presents the wrong cert for that hostname.
-
30% 失败
Some try to use a self-signed certificate with the correct hostname but forget to add the CA to the trust store, causing a different error (unable to verify certificate).