How To Fix SSL Certificate Name Mismatch Error?

All of us have at some time ended up on a website that shows a security warning, something like this: "This is probably not the site you are looking for!"


This is a snapshot of Google Chrome displaying a security warning. The same message is displayed in different ways on various browsers and on their different versions.

This is a common example of a name mismatch error. It occurs when the domain name (or SAN) in the SSL certificate of the website does not match the website address entered into the address bar by the user. This means that even though the website has a security certificate, the certificate was issued to a different domain than the one the user accessed.

For example:

Suppose the certificate has only been issued to the fully qualified domain name www.example.com and does not list example.com. If you try to access the website by typing example.com, a name mismatch error will occur. Likewise, if the user types an internal name, the browser will automatically show an SSL certificate name mismatch error.

This can also happen if instead of using a certificate provided by a valid SSL Certificate provider, the site uses a self-signed alternative.

Multi Domain SSL Certificates (SAN SSL) come to the rescue of website owners here. As you may already be aware, SAN helps you secure multiple primary domains and subdomains in a single certificate. Website owners can procure a SAN SSL certificate to get all these possible domain names under a single roof.

As a website user (and not an owner), you should be aware that this warning means a hacker may be trying to carry out a phishing attack by impersonating the website. But the probability of that happening is very low, since the major cause is the mismatch of certificates discussed above. However, it is advised that you cancel the connection and notify the website administrator immediately.

Name mismatch error messages in different browsers

Internet Explorer - "There is a problem with this website's security certificate."


Internet Explorer 6 - "The name on the security certificate is invalid/ does not match the name of the site."

Internet Explorer 7 - "The security certificate presented by this website was issued for a different website's address."


Firefox 2 - "You have attempted to establish a connection with "www.example.com". However, the security certificate presented belongs to another. It is possible, though unlikely, that someone may be trying to intercept your communication with this website.

If you suspect the certificate shown does not belong to "www.example.com", please cancel the connection and notify the site administrator."

Firefox 3 - "www.phishingsite.com uses an invalid security certificate. The certificate is only valid for www.example.com"


Safari - "This certificate is not valid (hostname mismatch)"


Reasons Behind SSL Certificate Name Mismatch Error

#1. Not adding website address as SAN to the certificate

As detailed above, not adding the website address as a Subject Alternative Name to your SSL certificate can result in a name mismatch error. This is the most common cause.

Website owners usually want users who type the site’s web address without the ‘www’ to be redirected to the actual site. Most SSL certificate providers offer a SAN SSL certificate, which comes with the option of adding multiple domain names or IP addresses.

#2. Accessing a website using its internal name

If the user is trying to access a server using its internal name, the browser will show a name mismatch error. This is because the internal name is not registered in the SSL certificate, which may contain only the public name. This can also be overcome using a SAN or UC certificate.

#3. The website shares its IP address with another that has SSL

It can also happen if the website the user is trying to access does not have an SSL certificate and another site that shares its IP address does.

This can occur due to two reasons:

  • The website is on a shared host - If your website exists on a shared host with other websites that have separate SSL certificates, they can interfere with your site. Also, suppose you’re running several websites on the same host and some of these sites have SSL and others don’t. When you access the sites that aren’t certified with SSL from a valid SSL certificate provider, the browser will show a ‘name not resolved’ error. If you click on proceed, it will redirect you to the site with SSL while the domain remains that of the site without SSL.
  • The client and/or server do not support SNI - SNI stands for Server Name Indication, an extension of SSL. When an SSL handshake begins, the client uses SNI to indicate which domain name it is attempting to connect to on the server. Most new servers and clients support SNI. But if the server does not support SNI, the user will see only the default SSL certificate. On the other hand, if the client does not support SNI, it will only be shown the default site’s certificate. So as a website owner, make sure that your server supports SNI. Otherwise, you can get a dedicated IP address.

#4. The website is defunct

It may happen that your website is defunct and some other website has taken over your old IP address. If you try to access the new website using your domain name, it will take you to the other website, since the DNS settings still contain your old IP.

To avoid this confusion, remember to change the DNS settings so that they point to your new IP.

#5. The hosting platform has pre-configured SSL settings

If your website host has pre-configured SSL settings, it forces SSL on each of its domains. This can interfere with the SSL certificate you have bought and installed from your SSL certificate provider, creating a mismatch error. 

Fix SSL Certificate Name Mismatch Error - Using SSL Checker

Every SSL Certificate Provider gives you the option of using their SSL Checker.

First, you’ll need to enter your website domain into the SSL checker.

  • For case 1, when the site address is not included in the SAN, click ‘Ignore certificate mismatch’ in the SSL checker. You can then see a full analysis in which you can check whether the right domains and IP addresses have been included.
  • For case 5, when the hosting provider has pre-configured SSL settings, do the same as in the previous case. Click on ‘Ignore certificate mismatch’. If the SAN contains the name of your hosting provider, the suspicion is confirmed. In this case, you’ll need to ask your host to remove their SSL and install yours.
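
The SAN comparison behind that analysis can be reproduced locally. The following is an added example, not part of the original article and not any provider's checker: it compares the name typed into the address bar with a certificate's SAN entries and maps the result to the causes listed above. The function names, verdict labels and sample certificates are hypothetical and constructed for illustration; the certificates are shaped like the dict returned by Python's ssl.SSLSocket.getpeercert().

```python
import ipaddress

# Constructed sample certificates, shaped like the dict ssl.SSLSocket.getpeercert() returns.
WWW_ONLY = {"subjectAltName": (("DNS", "www.example.com"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.example.com"), ("IP Address", "192.0.2.10"))}
HOST_DEFAULT = {"subjectAltName": (("DNS", "*.sharedhost.example"), ("DNS", "sharedhost.example"))}


def san_entries(cert):
    """Split the SAN extension into lower-cased DNS names and IP address strings."""
    san = cert.get("subjectAltName", ())
    dns = [value.lower() for kind, value in san if kind == "DNS"]
    ips = [value for kind, value in san if kind == "IP Address"]
    return dns, ips


def dns_name_matches(pattern, host):
    """Exact label-by-label match; a leftmost '*' stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def diagnose(cert, host):
    """Return (verdict, detail) for the name the user typed into the address bar."""
    dns, ips = san_entries(cert)
    try:
        typed_ip = ipaddress.ip_address(host)
    except ValueError:
        typed_ip = None
    if typed_ip is not None:
        ok = any(ipaddress.ip_address(i) == typed_ip for i in ips)
        return ("match", host) if ok else ("ip-not-in-san", ", ".join(ips))
    if any(dns_name_matches(p, host) for p in dns):
        return ("match", host)
    variant = host[4:] if host.lower().startswith("www.") else "www." + host
    if any(dns_name_matches(p, variant) for p in dns):
        return ("www-variant-only", variant)      # cause #1
    if "." not in host:
        return ("internal-name", ", ".join(dns))  # cause #2
    return ("other-site-certificate", ", ".join(dns))  # causes #3 and #5
```

Note that a wildcard entry such as *.example.com covers www.example.com but not the bare example.com, so the bare domain still needs its own SAN entry. When fetching a live certificate with Python's ssl module, getpeercert() returns an empty dict if certificate verification is disabled, so keep chain verification on and turn off only check_hostname to inspect a mismatching certificate.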


Conclusion

As the owner or user of a legitimate website, you shouldn’t be subject to this kind of error message. As a website owner, be sure to configure your server properly. Make use of SSL checkers whenever necessary.
