
Certificate Mismatch

Learning Focus

By the end of this lesson you will know how to identify and fix situations where the wrong certificate is served to clients, causing trust failures, browser warnings, or Cloudflare errors.

What a Certificate Mismatch Means

A certificate mismatch happens when the certificate served by OpenLiteSpeed does not match the domain the client is requesting. The browser or upstream proxy (like Cloudflare) sees a certificate for a different domain and rejects the connection.

Common Causes

Cause                      How It Happens
Wrong cert on listener     Listener SSL points to a certificate for a different domain
SNI not configured         Multiple virtual hosts share a listener but only one certificate is served
Default cert shown         The fallback certificate does not match the requested hostname
Cert covers wrong SANs     The certificate was issued for www.example.com but not example.com
Stale cert after renewal   New cert was issued but old one is still loaded

Diagnostic Steps

Step 1: Check What Certificate Is Served

# Test for a specific domain (</dev/null stops s_client from waiting on stdin)
openssl s_client -connect your-server-ip:443 -servername example.com </dev/null 2>/dev/null | \
  openssl x509 -noout -subject -issuer

# Test for a different domain on the same server
openssl s_client -connect your-server-ip:443 -servername other-domain.com </dev/null 2>/dev/null | \
  openssl x509 -noout -subject -issuer

If both domains show the same certificate and it only covers one domain, you have a mismatch.

Step 2: Check SANs on the Certificate

openssl x509 -in /path/to/cert.pem -noout -text | grep -A1 "Subject Alternative Name"

The output should list every hostname the certificate is valid for as a DNS: entry; browsers match the requested hostname against these SANs, not against the subject CN.
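The two diagnostic steps above can be scripted so that each SNI name is probed and checked against the SANs the server actually presents. The following Python is an added example for this lesson, not part of OpenLiteSpeed or the lesson's own material: it wraps the same `openssl s_client` and `openssl x509` commands, parses the Subject Alternative Name block from `-text` output, and applies the single-label wildcard rule browsers use. It assumes the `openssl` binary is on PATH; the sample `-text` output and the hostnames in it are constructed.

```python
"""Probe which certificate a server presents for a given SNI name and check
whether that certificate covers the name (added example, not OLS code)."""
import re
import subprocess
import sys
from typing import List

# Constructed excerpt of `openssl x509 -noout -text` output, used for the
# offline check below; a real dump has many more lines around it.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Subject: CN = www.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.example.com, DNS:*.shop.example.com
"""


def served_cert_text(host: str, port: int, sni: str) -> str:
    """Return `openssl x509 -text` output for the certificate host:port
    serves when the ClientHello carries `sni` (needs network + openssl).
    stdin is /dev/null so s_client exits instead of waiting for input."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", sni],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, check=False)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-text"],
        input=s_client.stdout, capture_output=True, text=True, check=True)
    return x509.stdout


def parse_sans(x509_text: str) -> List[str]:
    """Extract DNS names from the SAN block: the names sit on the line
    after the 'X509v3 Subject Alternative Name:' header."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", lines[i + 1])]
    return []


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*' that is the whole left-most label and stands
    for exactly one label: *.example.com covers www.example.com but not
    example.com itself and not a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:] and bool(h_labels[0])


def cert_covers(hostname: str, sans: List[str]) -> bool:
    return any(name_matches(san, hostname) for san in sans)


def diagnose(sni: str, x509_text: str) -> str:
    """Return 'ok' or a one-line reason for the mismatch."""
    sans = parse_sans(x509_text)
    if not sans:
        return "no SAN extension: browsers ignore the CN, so this cert covers nothing"
    if cert_covers(sni, sans):
        return "ok"
    return f"mismatch: {sni} not covered by {', '.join(sans)}"


if __name__ == "__main__":
    # usage: python check_sni.py <server-ip> <domain> [<other-domain> ...]
    # Probing two names on the same listener reproduces Step 1: if every
    # name reports the same mismatch, the listener serves one fixed cert.
    host, names = sys.argv[1], sys.argv[2:]
    for name in names:
        print(f"{name}: {diagnose(name, served_cert_text(host, 443, name))}")
```

Run it once per listener with every hostname that should be served there; a result of "ok" for one name and "mismatch" for the others is the SNI-not-configured or wrong-cert-on-listener case from the table, while "mismatch" for the bare domain only is the missing-SAN case.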

Step 3: Verify Listener → Vhost Mapping

In WebAdmin:

  1. Listeners → SSL Listener → SSL Settings — check which certificate files are configured
  2. Listeners → Virtual Host Mappings — ensure each domain maps to the correct virtual host
  3. Each virtual host can have its own SSL certificate if needed

Fixing the Mismatch

Option 1: Use a Wildcard or Multi-Domain Certificate

A wildcard cert (*.example.com) covers all first-level subdomains (www.example.com, api.example.com) but not the bare example.com unless that name is added as a SAN. A multi-domain cert lists each required hostname explicitly as a SAN.

Option 2: Configure Per-Vhost SSL

For different domains on the same server:

  1. Create separate virtual hosts
  2. Assign each virtual host its own certificate in WebAdmin
  3. Ensure the listener has virtual host mappings for each domain

Option 3: Reload After Certificate Renewal

# After uploading new cert files
sudo /usr/local/lsws/bin/lswsctrl restart

# Verify the new cert is served (</dev/null stops s_client from waiting on stdin)
openssl s_client -connect localhost:443 -servername example.com </dev/null 2>/dev/null | \
  openssl x509 -noout -dates

Warning: OpenLiteSpeed caches the loaded certificate in memory. After updating cert files on disk, you must perform a graceful reload for the new certificate to take effect; until then the dates shown above will still be those of the old certificate.

Key Takeaways

  • Certificate mismatch usually means the wrong cert is configured on the listener or the cert does not cover all needed domains.
  • Use openssl s_client -servername to test exactly what certificate is served for each domain.
  • After certificate changes, always reload OpenLiteSpeed and verify with openssl.
