Certificate domain mismatch (Firefox)
SSL_ERROR_BAD_CERT_DOMAINFirefox's name-mismatch error: the certificate doesn't cover the hostname you're visiting.
What it means
SSL_ERROR_BAD_CERT_DOMAIN is Firefox's version of a hostname mismatch. The certificate is valid and trusted, but the name in the address bar isn't among the names the certificate was issued for, so Firefox refuses to apply it to this connection. It's the same underlying problem Chrome reports as a common-name error.
When it happens
Typical triggers are a certificate that covers the apex but not www (or vice versa), a wildcard used on a domain it doesn't cover, or a shared-hosting server returning the wrong default certificate for the requested hostname. It also appears right after a domain change when the new name isn't on the certificate yet.
How to fix it
- Reissue the certificate to include every hostname in use, both the apex and the www form.
- Keep in mind a wildcard covers subdomains but not the bare domain, so add the apex separately if needed.
- On multi-site servers, confirm Server Name Indication is set up so each hostname gets the right certificate.
- Check the served certificate's name list against the hostname after reissuing.
Check this site’s certificate
Paste the domain and Sitewell shows the certificate’s expiry, the hostnames it covers, the chain, and the issuer — enough to pin down what triggered this error. Free, no signup.
Related errors
NET::ERR_CERT_COMMON_NAME_INVALIDThe hostname you visited isn't covered by the certificate's names, so the browser treats it as the wrong certificate.
SEC_ERROR_EXPIRED_CERTIFICATEFirefox's way of saying the certificate is past its expiry date or the system clock is wrong.
NET::ERR_CERT_AUTHORITY_INVALIDThe browser can't trace the certificate back to a trusted authority, which is what happens with self-signed certs or a missing intermediate.