ERR_CERT_COMMON_NAME_INVALID occurs when the domain name the browser is connecting to does not match the Common Name (CN) or any Subject Alternative Name (SAN) listed in the server's certificate. Modern certificates use the SAN extension to specify which domains they are valid for — the CN field is largely ignored by current browsers. This error indicates a mismatch: the certificate was issued for a different domain, or the domain you are accessing (including subdomain variations like www vs non-www) was not included when the certificate was created.
The certificate was issued for example.com but you are accessing www.example.com, or vice versa. Certificates must explicitly list every domain and subdomain they cover in the SAN field. A certificate for example.com does not automatically cover www.example.com unless it is listed as a SAN or a wildcard certificate is used.
A wildcard certificate for *.example.com covers sub.example.com but does NOT cover sub.sub.example.com (multi-level subdomains) or the bare domain example.com itself. Accessing a domain not covered by the wildcard triggers this error.
When multiple HTTPS sites share the same IP address, the server uses Server Name Indication (SNI) to select the correct certificate. If SNI is misconfigured or the default certificate does not match the requested domain, the wrong certificate is presented.
The domain's DNS records may have been changed to point to a different server that has a valid certificate, but for a different domain. This is common after migrations or IP address changes.
Check which domains the certificate is valid for by examining its Subject Alternative Names. The domain you are accessing must be listed here.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
Confirm that the domain's A/AAAA records point to the server that has the correct certificate installed. DNS mispointing is a common cause after migrations.
If the domain is missing from the certificate, reissue it with all required domains listed. For Let's Encrypt, specify all domains with the -d flag.
sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com
If the server hosts multiple sites, ensure each virtual host has the correct ssl_certificate directive pointing to the right certificate file. Test SNI by specifying the servername in openssl.
openssl s_client -connect YOUR_IP:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
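The SAN and wildcard rules described above can be applied directly to the SAN line that these openssl commands print. The following Python is an added example, not part of the original page: the sample output and function names are constructed for illustration, and the matcher handles DNS entries only, using a simplified wildcard rule (no public-suffix list).

```python
import re

# Constructed sample of what the openssl commands above print for the SAN extension.
SAMPLE_OUTPUT = """\
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, IP Address:192.0.2.10
"""

def parse_dns_sans(openssl_text):
    """Return the DNS entries from openssl's SAN line, lowercased."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_text)]

def san_matches(pattern, hostname):
    """Match one DNS SAN entry against a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so the label counts must be equal.
    # This is why *.example.com covers neither example.com nor sub.sub.example.com.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Simplification (assumption): require two literal labels after the
        # wildcard so that an entry such as "*.com" never matches.
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "w*.example.com" are rejected by this matcher.
    return "*" not in pattern and p_labels == h_labels

def covering_entry(sans, hostname):
    """Return the first SAN entry covering hostname, or None (the mismatch case)."""
    return next((s for s in sans if san_matches(s, hostname)), None)

def report(openssl_text, hostnames):
    """Map each hostname to the SAN entry that covers it, or None."""
    sans = parse_dns_sans(openssl_text)
    return {h: covering_entry(sans, h) for h in hostnames}

if __name__ == "__main__":
    names = ["example.com", "www.example.com", "sub.sub.example.com", "example.org"]
    for host, entry in report(SAMPLE_OUTPUT, names).items():
        status = "covered by " + entry if entry else "NOT covered (name mismatch)"
        print(f"{host:22} {status}")
```

To check a live server, pass the captured output of either openssl command as the first argument to report() in place of SAMPLE_OUTPUT.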
The browser does not trust the Certificate Authority that signed the server's SSL certificate.
The server's SSL/TLS certificate has expired or is not yet valid according to the system clock.
A certificate in the TLS handshake was corrupt, contained invalid signatures, or could not be parsed.