SSL certificate mismatch

Today I got the SSL certificate mismatch error in my browser (there were no changes in my Netlify account for months). The error went away after a couple of page refreshes, but I was able to capture this on the CLI (can’t reproduce it anymore, sorry):

% openssl s_client -showcerts -servername salt.tips -connect salt.tips:443 </dev/null

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = ca, L = San Francisco, O = "Netlify, Inc", CN = *.netlify.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = ca, L = San Francisco, O = "Netlify, Inc", CN = *.netlify.com
   i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIGIzCCBQugAwIBAgIQCypM2oYvF+FkkyCj9bGw4zANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwNjE1MDAwMDAwWhcN
MjEwODAzMTIwMDAwWjBhMQswCQYDVQQGEwJVUzELMAkGA1UECBMCY2ExFjAUBgNV
BAcTDVNhbiBGcmFuY2lzY28xFTATBgNVBAoTDE5ldGxpZnksIEluYzEWMBQGA1UE
AwwNKi5uZXRsaWZ5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AOwJHctI1oxqg0wlz9CZYvbhlVZ6sB0COANCfC9qIjTUpw+TxVnG9/tuRDNkfXes
f7nvjmPlZcfQQKgpmGahX5ndFZmXvCXGMtvO5ZWnqzfv0mxkzTQb6RdDMtPA9Xn/
LvzaFRlxVpeg6xGMweUpLDTJAJWkcMnGAR2mNUc6nuQgteQsg/7I6YpspYZKasR/
2xDj5FasQf2+9HqbJgdSSzQKF46VXL2QRBK5UF1lFeBFWMAiUk42Su+YZy/w5pVF
jlHaVVE42/uG1dyudWAaT65AIIT91eK7GghHv5ppuMZUUmEMV0FUdktMXECqClrt
kknMNie30oRFj1ADXJGGHd0CAwEAAaOCAukwggLlMB8GA1UdIwQYMBaAFA+AYRyC
MWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBSJl47dfzdwOfakpcJRog3jMU/JUzAl
BgNVHREEHjAcgg0qLm5ldGxpZnkuY29tggtuZXRsaWZ5LmNvbTAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIw
L6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3Js
MC+gLaArhilodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNy
bDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczov
L3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjB8BggrBgEFBQcBAQRwMG4w
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBGBggrBgEFBQcw
AoY6aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMlNlY3Vy
ZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMIIBBAYKKwYBBAHWeQIEAgSB9QSB
8gDwAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAFyt8z5ywAA
BAMARzBFAiAkjWv47uPwlPgSQP4D+5OB/ZsUfuN+7nDq8PAFSbf+pAIhALaiI9Ca
KAYJGiJH1pxLrRf84LfgGRyWfmvMLhbnZHwxAHYAXNxDkv7mq0VEsV6a1FbmEDf7
1fpH3KFzlLJe5vbHDsoAAAFyt8z55QAABAMARzBFAiEAgfM5RXcPm0Sf7wE/mwSL
AFSfrBe9J99vwWdwx6DXreICIH8LuG6DUlyNEtDqBSD9+kC9wn6/ZuEInn+xXIr4
CzNuMA0GCSqGSIb3DQEBCwUAA4IBAQCTt3KRr4OZl1ZDWP7RS8+DRZudLpMOuH8F
Tp5B+HbfcpBJ5B0qouOu83zu7d0cL9s/XL7TemcGnx1FihRwx5ikrG0Gm1OL83jI
LAGqK2Ii4lIdn7EdmUyUYTtBpyP5dxPTWYb0mG+UGlb6S370mZp19BDtBRmUHzw4
lWCSqIdL5FaqJufRlsDUF4edGCNf36+sTOJJcCXp7DqqW48v00spfjN+Dh0d1fMy
h7M21mSryjZnUisZIPtCWD5IlyJQP/8GdVVGvOJVt+tyJY82BGs4dyy0T4yCL8Fe
454YhgYw51ltZKeB61CKwC73vvN557+iBjR08SleifC+H9mGagxv
-----END CERTIFICATE-----
 1 s:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = ca, L = San Francisco, O = "Netlify, Inc", CN = *.netlify.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3316 bytes and written 381 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

So, Netlify briefly served its own SSL certificate for my domain. I also ran the following command (the error was already gone at the time when I did this):

dig +short salt.tips
84.201.139.79
130.193.50.240

Was it a DNS caching issue? A server IP rotation? Not very cool to see my own site blocked by Firefox with a big full-screen SSL warning…

https://www.netlifystatus.com/ is all green.

It looks like I’m not the only one who saw this problem: HSTS issue today

We have noticed this issue yesterday as well on our site. Once the site was refreshed the error went away but we have done a SSL check and have noticed that one IP is not verified.

Link to the report here --> https://www.ssllabs.com/ssltest/analyze.html?d=office.getjoan.com&hideResults=on

Our site (office.getjoan.com) has a DNS through Cloudflare and it is set as a CNAME (joan-office.netlify.app) with TTL 5min

I have the same problem on two of my Netlify sites. Refreshing doesn’t seem to help.

hey all, thanks for letting us know about this! We are looking in to this issue and will update here once we know more. Appreciate your patience. :muscle:

hi there,

we’ve found the source of the problem and mitigated this for the time being, and are going to continue to monitor things.

If you continue to see problems like this, please let us know right away by responding to this thread. Thank you!

Just FYI… my site travislaborde.com is still down, and it seems to be the same problem. I had another site down that is now working again…

Hi, @travislaborde, I’m showing the SSL certificate for this site was updated about 20-30 minutes after this was posted and is working now.

If you are still seeing issues, however, please reply here again anytime to let us know. We will be happy to keep troubleshooting issues any issues remain.

Update: We have deployed a permanent fix for this SSL issue.

We hope this solves the issue for everyone who reported it. Please let us know if you receive further reports of insecure messages. Thank you.