NET::ERR_CERT_COMMON_NAME_INVALID
SSL/TLS Error
What Does NET::ERR_CERT_COMMON_NAME_INVALID Mean?
NET::ERR_CERT_COMMON_NAME_INVALID is an SSL/TLS error that occurs when the domain name in the website's URL does not match any of the domain names listed in the SSL certificate. The Common Name (CN) or Subject Alternative Name (SAN) in the certificate must match the domain you are visiting for the browser to trust the connection.
For example, if you visit 'www.example.com' but the SSL certificate is only valid for 'example.com' (without the www prefix), this error will appear. Similarly, accessing a site via its IP address when the certificate only covers domain names, or accessing a subdomain not covered by the certificate, triggers this error.
This is a critical security feature because it prevents attackers from using a valid certificate issued for one domain to impersonate another domain. Without this check, anyone with any valid SSL certificate could potentially intercept traffic meant for any website. The domain matching ensures that the encrypted connection is actually going to the intended destination.
Common Causes
The most common cause is a certificate that does not include all the domain variations the website uses. For instance, a certificate covering 'example.com' but not 'www.example.com', or vice versa. Modern best practice is to include both variations. Similarly, if a website uses subdomains (blog.example.com, shop.example.com), each must be listed in the certificate's SAN field or covered by a wildcard certificate (*.example.com).
Server redirects and DNS configurations can also trigger this error. If a domain redirects to another domain before the SSL handshake completes, the certificate for the destination domain may not match the original domain. Shared hosting environments where multiple domains share the same IP address can cause this if Server Name Indication (SNI) is not properly configured.
Misconfigured reverse proxies, load balancers, or CDNs are another frequent cause. If a proxy terminates SSL but serves the wrong certificate for a particular domain, visitors see this error. Additionally, accessing a website via a raw IP address, a localhost address, or an internal hostname not listed in the certificate will trigger this mismatch.
Step-by-Step Fix
For website visitors: Check the URL carefully - you may have mistyped the domain or be using the wrong variation (www vs non-www). Try the alternative URL version. If the site recently changed domains, the old URL may point to a server with a certificate for the new domain. Clear your DNS cache and try again. If you are on a corporate network, a proxy server may be serving the wrong certificate.
For website administrators: Ensure your SSL certificate's SAN field includes all domain variations your site uses: the bare domain (example.com), www prefix (www.example.com), and any subdomains. Use a wildcard certificate (*.example.com) if you have many subdomains. Check your certificate details using: 'openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"'.
If you use a reverse proxy or CDN, verify that each domain is configured with the correct SSL certificate. In Nginx, ensure the server_name directive matches the certificate. For multiple domains on one server, configure separate server blocks with the correct ssl_certificate for each. If using Let's Encrypt, include all domain names in the certificate request: 'certbot --nginx -d example.com -d www.example.com'.
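To check a list of hostnames against the SAN line that the openssl command above prints, the matching rules can be applied in the shell. This is an added example, not part of the original page: the function names san_covers and uncovered_names and the sample SAN line are constructed for illustration. It matches SAN entries only (current browsers ignore the Common Name) and lets a wildcard stand for exactly one leftmost label.

```sh
#!/bin/sh
# Added example, not from the original page. Input is the SAN line as
# `openssl x509 -noout -text` prints it: "DNS:a, DNS:b, IP Address:c".

# san_covers "<SAN line>" "<host>": exit status 0 if an entry covers host.
san_covers() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr ',' '\n' | tr 'A-Z' 'a-z' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | (
        while IFS= read -r entry; do
            case $entry in
                dns:*) name=${entry#dns:} ;;
                "ip address:"*)
                    # IP entries only ever match the identical address.
                    if [ "${entry#ip address:}" = "$host" ]; then exit 0; fi
                    continue ;;
                *) continue ;;
            esac
            case $name in
                \*.*)
                    suffix=${name#\*}        # "*.example.com" -> ".example.com"
                    label=${host%"$suffix"}  # text the "*" would stand for
                    # "*" stands for exactly one non-empty label (no dots).
                    if [ "$label" != "$host" ] && [ -n "$label" ]; then
                        case $label in *.*) ;; *) exit 0 ;; esac
                    fi ;;
                *) if [ "$name" = "$host" ]; then exit 0; fi ;;
            esac
        done
        exit 1   # no entry matched: a browser would report the name mismatch
    )
}

# uncovered_names "<SAN line>" host...: prints each host that is NOT covered.
uncovered_names() {
    san=$1; shift
    for h in "$@"; do
        san_covers "$san" "$h" || printf '%s\n' "$h"
    done
}

# Constructed SAN line and hostnames (documentation domains and addresses).
SAN_LINE='DNS:example.com, DNS:*.example.com, IP Address:192.0.2.10'
uncovered_names "$SAN_LINE" example.com www.example.com blog.example.com \
    sub.blog.example.com example.org 192.0.2.10 198.51.100.7
# prints sub.blog.example.com, example.org and 198.51.100.7, one per line
```

Any name this prints needs to be added to the certificate request before the certificate is reissued.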
Frequently Asked Questions
What does NET::ERR_CERT_COMMON_NAME_INVALID mean?
This error means the domain name you are visiting does not match any domain listed in the website's SSL certificate. The certificate was issued for a different domain, which could indicate a misconfiguration or a potential security issue.
How do I fix ERR_CERT_COMMON_NAME_INVALID on my site?
Ensure your SSL certificate includes all domain variations: the bare domain and www prefix. Use Subject Alternative Names (SAN) or a wildcard certificate. Reissue the certificate if needed, including all required domains. Test with an SSL checker tool.
Why does this error appear when I use www?
Your SSL certificate likely only covers the bare domain (example.com) but not www.example.com. Reissue your certificate to include both, or set up a redirect from www to non-www (or vice versa) before the SSL handshake. Most CAs and Let's Encrypt allow multiple domains per certificate.
Can a wildcard certificate prevent this error?
A wildcard certificate (*.example.com) covers all single-level subdomains (www.example.com, blog.example.com) but does NOT cover the bare domain (example.com) or multi-level subdomains (sub.blog.example.com). You typically need both the wildcard and bare domain in the SAN field.
Does this error mean the website is dangerous?
Not necessarily. It often means the certificate is misconfigured. However, if a legitimate website you previously visited without issues suddenly shows this error, exercise caution. The site may have been compromised, or you may be experiencing a man-in-the-middle attack.