Incorrect certificate because this client doesn't support SNI

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: all commands from step by step:

It produced this output:
Congratulations! You have successfully enabled
You should test your configuration at:

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi there all,
for some weeks now my site certificate has not been working.
Google Chrome gives me, in English, something like: the connection to this site is not protected.

I reinstalled everything new step-by-step from the site:

And all the result was ok.

But if I go to to test the site I get some errors like:
Incorrect certificate because this client doesn’t support SNI
Alternative names - INVALID
[IE 8 / XP] Server sent fatal alert: handshake_failure

Can anybody please help me ?
Thanks a lot

Hi @denisj

there are some checks of your domain -

Your non-www works

Domainname Http-Status redirect Sec. G
301 0.060 A
302 0.060 A
200 0.410 I
200 0.400 N
Certificate error: RemoteCertificateNameMismatch

your www not. Reason:

Your certificate
expires in 90 days - 1 entry

has only one domain name, the www version is missing. So create one certificate with both domain names and use that.


-d -d

and all other parameters.

The second problem - it's simple: Ignore it.

Do you have your own IP? If not, this IP is shared, so a lot of domains use the same IP. That requires SNI support. Browsers without SNI are too old, nobody should use XP and IE6 to visit websites.

The domain uses a wildcard certificate. There are some other domains. If I check one of these other domains via Ssllabs, there is the same message: "Wrong certificate", because browsers without SNI see the certificate.

So this "problem" isn't really a problem.
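An added example (not part of the original thread, and not Certbot or SSL Labs code): a small model of both points in the reply above, a certificate whose names omit the www host and the default certificate that a shared-IP server hands to a client sending no SNI. The hostnames, the `SharedIpServer` class and the function names are constructed for illustration.

```python
# Added illustration: constructed hostnames, not the poster's real configuration.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:]


def cert_valid_for(sans, host):
    """True if any subjectAltName entry of the certificate covers the host."""
    return any(name_matches(s, host) for s in sans)


class SharedIpServer:
    """Name-based TLS virtual hosts on one IP; the first vhost is the default."""

    def __init__(self, vhosts):
        self.vhosts = vhosts  # list of (server_names, certificate_SANs)

    def select_cert(self, sni):
        if sni is not None:
            for names, sans in self.vhosts:
                if any(name_matches(n, sni) for n in names):
                    return sans
        return self.vhosts[0][1]  # no SNI or unknown name: default vhost


def check(server, host, client_sends_sni=True):
    sans = server.select_cert(host if client_sends_sni else None)
    return "ok" if cert_valid_for(sans, host) else "name mismatch"


# Constructed setup: another customer's wildcard cert is the default on the IP.
DEFAULT = (["*.hosting.example"], ["*.hosting.example"])
NAMES = ["example.com", "www.example.com"]
before = SharedIpServer([DEFAULT, (NAMES, ["example.com"])])  # www missing
after = SharedIpServer([DEFAULT, (NAMES, NAMES)])             # both names

if __name__ == "__main__":
    for label, srv in (("before", before), ("after", after)):
        for host in NAMES:
            print(label, host, "| SNI:", check(srv, host),
                  "| no SNI:", check(srv, host, client_sends_sni=False))
```

The "no SNI" column stays at "name mismatch" even after the certificate is reissued with both names, which is the result the reply says can be ignored.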

Dear Juergen,
thanks a lot for your help.

I was missing the “ServerAlias” in my apache2 conf file
and now I have added it. It was “ServerAlias *”
Then I also made a certificate for the … and all was ok.

Must I wait for this to take effect, please?
I ask because when I go to I still have an error on Chrome.
And the site still gives me an error like:
Certificate error: RemoteCertificateNameMismatch

Thanks a lot again

You have to recheck the domain.

I've created the last check - 13.05.2019 20:58:53 - didn't see you have already tested the domain.

I will work more tomorrow morning… maybe something will change.
For now thanks a lot for your help
