Alternative names MISMATCH

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: SSL Report: (

It produced this output:
Fingerprint SHA256: 96bbb55e50aed1895bbc793102e9ba0a701e554fd719bd6ce006548d9ef8e987
Pin SHA256: ipHQko3ewZwdNVc/Q7JRZfKQPm3ehdMyfzlP83UdBdw=
Common names
Alternative names MISMATCH
Serial Number 03b16f5aef9c05fb24c91d104202efb93a57
Valid from Sat, 11 Jan 2020 12:51:35 UTC
Valid until Fri, 10 Apr 2020 12:51:35 UTC (expires in 2 months and 26 days)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer Let’s Encrypt Authority X3
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency Yes (certificate)
OCSP Must Staple No
Revocation information OCSP
Revocation status Good (not revoked)
DNS CAA No (more info)
Trusted No NOT TRUSTED (Why?)
Mozilla Apple Android Java Windows

My web server is (include version): apache 2

The operating system my web server runs on is (include version): debian 10.2

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


Hi @philp

that's the expected result. Your certificate has only one domain name, the non-www version.

You try to use it with the www version, that's a mismatch.

-->> Create one certificate with both domain names - non-www and www.

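The check behind the MISMATCH result in the reply above, as an added example that is not part of the original thread: a TLS client compares the requested hostname with each dNSName entry in the certificate's Subject Alternative Name list. The domain names are constructed placeholders, and the wildcard handling goes beyond the single-name case discussed here, using a simplified form of the RFC 6125 rules.

```python
# Added example: hostname-vs-SAN matching, the comparison behind "MISMATCH".
# All domain names below are constructed placeholders, not the poster's domain.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """True if one dNSName SAN entry covers hostname."""
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label, never zero or two
    if pat[0] == "*":
        # Simplification: accept a wildcard only as the whole left-most label
        # with at least two labels after it (so "*.com" is rejected).
        return len(pat) >= 3 and host[0] != "" and host[1:] == pat[1:]
    return host == pat

def covering_san(hostname, sans):
    """Return the SAN entry that covers hostname, or None (a mismatch)."""
    for san in sans:
        if san_matches(hostname, san):
            return san
    return None

def missing_names(served_hostnames, sans):
    """Hostnames the server answers on that the certificate does not cover."""
    return [h for h in served_hostnames if covering_san(h, sans) is None]

if __name__ == "__main__":
    served = ["example.com", "www.example.com"]   # constructed vhost names
    certs = {
        "non-www only": ["example.com"],                      # case in the reply
        "both names": ["example.com", "www.example.com"],     # recommended fix
        "wildcard only": ["*.example.com"],                   # misses the apex
    }
    for label, sans in certs.items():
        print(f"{label}: uncovered = {missing_names(served, sans) or 'none'}")
```
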

I have tried but not sure where it is missing…

root@raspberrypi:/home/pi# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator apache, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2020-04-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt:
    Donating to EFF:




If you use

the certificate isn't installed. A server restart is required so your server can use the new certificate.

