ERR_TLS_CERT_ALTNAME_INVALID
The certificate is otherwise valid, but the hostname you requested isn’t listed in its Subject Alternative Names (SANs) — so the client rejects it as a possible misdirection.
Common causes
- Connecting to a host (e.g. www.example.com) not included in the certificate’s SANs (example.com only).
- A wildcard *.example.com certificate being used for a deeper subdomain like a.b.example.com.
- The wrong certificate is bound to the virtual host or load balancer.
How to fix it
1. List the SANs on the served certificate and compare against the hostname you’re using:

       echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \
         | openssl x509 -noout -ext subjectAltName

2. Reissue the certificate to include every hostname you serve (add the missing SAN).
3. Or route the hostname to the endpoint whose certificate already covers it.
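To compare a list of served hostnames against the SAN output of the openssl command above, the following added example (not part of the original page) parses that output and applies the matching rule behind the first two causes: exact match, or a wildcard that stands for exactly one leftmost label. The function names and the sample openssl output are constructed for illustration.

```python
"""Check which hostnames a certificate's SAN list covers (added example)."""

# Constructed sample of what `openssl x509 -noout -ext subjectAltName` prints.
SAMPLE_OPENSSL_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.example.com
"""


def parse_san_dns(openssl_text):
    """Return the lower-cased DNS entries; IP and other SAN types are ignored."""
    names = []
    for line in openssl_text.splitlines():
        for item in line.split(","):
            item = item.strip()
            if item.startswith("DNS:"):
                names.append(item[4:].lower())
    return names


def san_matches(hostname, pattern):
    """Match one SAN entry; '*' is honoured only as the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        return host[0] != "" and host[1:] == pat[1:]
    return host == pat


def uncovered(hostnames, san_names):
    """Hostnames that no SAN entry covers, i.e. the ones a client would reject."""
    return [h for h in hostnames
            if not any(san_matches(h, p) for p in san_names)]


if __name__ == "__main__":
    sans = parse_san_dns(SAMPLE_OPENSSL_OUTPUT)
    served = ["example.com", "www.example.com", "a.b.example.com"]
    print("SANs:", sans)
    print("Not covered:", uncovered(served, sans))
```

Replace the sample text with the real output of the command from step 1 and `served` with the hostnames you actually route to that endpoint.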
Catch these before your users do
SSLNudge detects ERR_TLS_CERT_ALTNAME_INVALID and expiry issues daily and alerts you.