Fixing ERR_CERT_COMMON_NAME_INVALID On Subdomain

Experiencing the ERR_CERT_COMMON_NAME_INVALID error can be frustrating, especially when you're trying to access your website or application. This error essentially means that the SSL certificate presented by the server doesn't match the domain name you're trying to access. In this comprehensive guide, we'll delve into the root causes of this issue and provide practical steps to resolve it, ensuring your subdomain works smoothly.

Understanding the ERR_CERT_COMMON_NAME_INVALID Error

The ERR_CERT_COMMON_NAME_INVALID error arises when your browser detects a mismatch between the domain name on the SSL certificate and the domain name you're attempting to visit. SSL certificates are crucial for establishing a secure, encrypted connection between a user's browser and the web server. They verify the identity of the server and ensure that data transmitted is protected from eavesdropping and tampering. When the common name (or subject alternative names) listed in the certificate doesn't align with the website's address, this error pops up. This mismatch could stem from several underlying issues, which we will explore in detail.

Common Causes of the Error

To effectively troubleshoot the ERR_CERT_COMMON_NAME_INVALID error, it’s essential to understand the potential causes. Here are some common reasons why you might encounter this issue:

• Certificate Issued for a Different Domain: The SSL certificate might have been issued for a different domain or subdomain. This is one of the most frequent causes. For instance, a certificate issued for example.com won't work for subdomain.example.com unless it's a wildcard certificate (*.example.com) that covers all subdomains.
• Incorrectly Configured Subdomain: The subdomain might not be correctly configured to point to the server hosting the SSL certificate. This often happens when DNS records, specifically CNAME or A records, are not set up properly. If your subdomain's DNS settings don't correctly point to the server, the browser will connect to the wrong server, leading to a certificate mismatch.
• Certificate Not Covering the Subdomain: If you're using a standard SSL certificate that only covers the main domain, it won't be valid for subdomains. You'll need a wildcard certificate or a multi-domain (SAN) certificate that explicitly includes your subdomain.
• Expired SSL Certificate: An expired SSL certificate is another common culprit. Certificates have a limited validity period, and if the certificate has expired, the browser will display this error. Regularly renewing your SSL certificates is crucial to maintaining a secure connection.
• Hostname Mismatch: Sometimes, the hostname on the server configuration doesn’t match the domain name in the certificate. This could be due to misconfiguration in the server settings or virtual host configurations.
• Proxy or CDN Issues: If you’re using a proxy service or a Content Delivery Network (CDN), there might be issues with how the SSL certificate is being handled. Some configurations might interfere with SSL handling, causing the certificate to not be correctly presented to the browser.
• HSTS (HTTP Strict Transport Security): HSTS is a security policy that forces browsers to access a website only over HTTPS. If a site has HSTS enabled and the certificate is invalid, the browser will prevent access to the site, displaying the ERR_CERT_COMMON_NAME_INVALID error more prominently.

Troubleshooting Steps to Resolve the Error

Now that we understand the common causes, let's dive into the troubleshooting steps to resolve the ERR_CERT_COMMON_NAME_INVALID error. Addressing this issue requires a systematic approach to identify and rectify the underlying problem.

1. Verify Your SSL Certificate

The first step is to verify your SSL certificate to ensure it's valid and covers your domain or subdomain. You can use online SSL checker tools to inspect the certificate details. These tools will show you information such as the certificate's issuer, validity period, and the domains it covers.

• Check Certificate Validity: Ensure the certificate hasn't expired. If it has, you'll need to renew it with your certificate provider.
• Verify Domain Coverage: Confirm that the certificate covers the domain or subdomain you're trying to access. If you're using a subdomain, ensure that your certificate is either a wildcard certificate or a multi-domain (SAN) certificate that includes the subdomain.

2. Check Your DNS Settings

Incorrect DNS settings are a frequent cause of this error. DNS records tell the internet where to find your server, so it's crucial to ensure they are correctly configured.

• Verify CNAME Records: If you’re using a CNAME record for your subdomain, make sure it points to the correct target domain. A CNAME record creates an alias, so it needs to accurately point to the domain where your application is hosted.
• Check A Records: For direct domain-to-IP mapping, verify that your A records point to the correct IP address of your server. An incorrect IP address will lead the browser to the wrong server.
• Propagation Time: After making changes to your DNS settings, it can take some time for the changes to propagate across the internet. This propagation time can range from a few minutes to 48 hours. Use online DNS propagation checkers to see if your changes have been fully propagated.

3. Review Your Server Configuration

Your server’s configuration plays a crucial role in serving the SSL certificate correctly. Misconfigurations can lead to the ERR_CERT_COMMON_NAME_INVALID error.

• Virtual Host Configuration: If you’re using virtual hosts (common in Apache and Nginx), ensure that each virtual host is correctly configured with the appropriate SSL certificate. The server needs to know which certificate to present for each domain or subdomain.
• Hostname Mismatch: Verify that the hostname configured on your server matches the domain name in your SSL certificate. This is a common oversight that can easily be corrected.

4. Investigate Proxy and CDN Settings

If you're using a proxy service or a CDN, these services can sometimes interfere with SSL certificate handling. Incorrect configurations or issues within these services can lead to certificate mismatches.

• SSL/TLS Settings: Check the SSL/TLS settings in your proxy or CDN configuration. Ensure that SSL is properly enabled and configured for your domain.
• Proxied Traffic: If you're using a service like Netlify, ensure that the traffic is correctly proxied. Incorrect proxy settings can prevent the SSL certificate from being correctly served.

5. Clear Browser Cache and SSL State

Sometimes, your browser's cache can store outdated SSL certificates, leading to the ERR_CERT_COMMON_NAME_INVALID error. Clearing your browser's cache and SSL state can resolve these issues.

• Clear Browser Cache: Clear your browser's cache and cookies. This will remove any outdated information that might be causing the error.
• Clear SSL State: In Chrome, you can clear the SSL state by going to Settings > Privacy and security > Clear browsing data > Advanced. Select