SSLLabs "Certificate name mismatch" with dedicated certificate

Hi All,

We have upgraded the certificate for this site to a dedicated certificate. Since we have done this, SSL Labs now reports a “certificate name mismatch” error when we try to scan any domain, EG:

We have a few sites using Cloudflare free certificates and they all scan fine with SSLLabs.

I have spoken to SSLLabs support and they say there is an issue with the domain lookup and SOA. Is this correct? If so, is this something I have to configure?

If anyone could point me in the right direction about this issue it would be really helpful.

Many thanks,


I am not even sure their error message is accurate in the first place.

It does not seem to be so much a mismatch of the certificate name but they appear to be unable to fetch the certificate to begin with. Why that is, is something only they can clarify.

Your domain resolves fine and your Cloudflare certificate appears to be properly in place as well.

It does not appear to be IP address related though, as these domains share the same addresses and checks go through.

However, your DNS setup appears to be fine. They would need to elaborate on what exactly they consider to be the issue.

Thanks for the response @sandro, first SSL Labs said:

“Certificate name mismatch error occurs when the website domain name accessed is not included under certificate
Also the website is facing DNS lookup issue”

Then I responded to them saying that domain names appear to be correct, and I got this response:

“also you can verify from the certificate authority or the hosting service provider about the DNS SOA record”

Finally I asked them what I need to ask/configure in Cloudflare, they responded with:

"you can ask them to add the website domain

We are using the following IP address ranges: SSL Labs - SSL Pulse - Development SSL Labs server -

You can also whitelist these ip’s to allow scan on your website. In case the issue persists"

It sounds a little to me like the person doesn’t really know what the issue is and is trying to fob me off…

That is not correct I am afraid. The certificate does return the right hostname.

As I mentioned, from the screenshot it seems as if they can't fetch the certificate at all, but that is a completely different error and that's where they'd need to elaborate.

Not really accurate either.

The certificate is unrelated to the SOA record.

I am afraid that's how it appears to me as well.

Of course, I can't comment on what exactly is going on with their service, but to me it seems they can't get the certificate for some reason.

You can tell them to run the following command

openssl s_client -connect -servername

That will return

depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN = CloudFlare Inc ECC CA-2
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN =
verify return:1
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./
   i:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
 1 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Server certificate
subject=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./
issuer=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2

which is the right certificate.

This is additionally confirmed by the link I posted earlier, as well as by simply opening the site in the browser.

Ask them to elaborate why all of that works and only their service does not.
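
The check described above, as an added example that is not part of the original thread: it connects with SNI the way `openssl s_client -servername` does and separates "no certificate could be retrieved" from "certificate retrieved but the hostname is not in its SAN list". The function names and the example.com hostname are assumptions made for illustration.

```python
import socket
import ssl
import sys


def san_matches(hostname, dns_names):
    """True if hostname equals a SAN entry or matches a left-most wildcard label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            # A wildcard covers exactly one label: *.example.com matches
            # www.example.com, but not example.com or a.b.example.com.
            head, _, rest = host.partition(".")
            if head and rest == pattern[2:]:
                return True
    return False


def classify(hostname, dns_names):
    """Keep the two failure modes from the thread apart."""
    if dns_names is None:
        return "no certificate retrieved"
    return "ok" if san_matches(hostname, dns_names) else "name mismatch"


def fetch_dns_names(hostname, port=443, timeout=10):
    """Return the leaf certificate's DNS SANs, or None if the handshake failed."""
    ctx = ssl.create_default_context()
    # The chain is still verified; the name comparison is done by classify()
    # so that a mismatch is reported instead of aborting the handshake.
    ctx.check_hostname = False
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            # server_hostname sets SNI, like -servername in openssl s_client
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except OSError:  # covers DNS, TCP and TLS errors (ssl.SSLError is an OSError)
        return None
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(target, "->", classify(target, fetch_dns_names(target)))
```

A result of "no certificate retrieved" from one vantage point while other clients get "ok" points at the path between that scanner and the site, not at the certificate.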

@sandro Thanks for the help, I will badger them tomorrow and see if I get anywhere.



@sandro Just thought you should know, after some more BS from SSLLabs, I now notice that the test is working again.

I am assuming that there was an issue at their end (for some reason), but no one wants to admit it (or knows what they are doing).

Many thanks for the help,


Thanks for the feedback.
