SSL Certificate Hostname Mismatch

What This Check Does

The SSL Certificate Hostname Mismatch check verifies that the SSL/TLS certificate served by your domain is actually valid for that domain name. DNS Spy compares the monitored hostname against the certificate's Subject Common Name (CN) and Subject Alternative Names (SANs). If the hostname does not match any of the names listed in the certificate, this check fails.

Why It Matters

A hostname mismatch means the certificate was not issued for the domain it's being used on. Browsers treat this as a critical error and display a security warning preventing users from proceeding. This often happens after domain migrations, CDN changes, or when a certificate is installed on the wrong server. It can also occur when the www and non-www variants of a domain aren't both covered by the certificate's SANs.

From a security standpoint, a mismatch might indicate a misconfigured reverse proxy or load balancer serving the wrong certificate — potentially leaking information about your internal infrastructure to external visitors.

Good vs. Bad Configuration

Bad Configuration

The server at example.com is serving a certificate issued for staging.example.com. The hostname does not match, so browsers display "NET::ERR_CERT_COMMON_NAME_INVALID" and block access.

Good Configuration

The server at example.com serves a certificate where the SAN list includes example.com and www.example.com. All monitored hostnames match entries in the certificate and connections proceed without errors.

How DNS Spy Monitors This

DNS Spy retrieves the SSL certificate for each monitored domain and validates the hostname against the certificate's CN and SAN fields during every monitoring cycle. A mismatch triggers an immediate alert. Installing the correct certificate — one that covers your monitored domain — will resolve the alert on the next check.