problem hub
Read-only firstNginx serving the wrong SSL certificate
Inspect the live certificate, Nginx server block, Certbot inventory, and DNS before reissuing or reloading TLS config.
Safest first command
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Before you run this
Expected output: Subject, issuer, and validity dates for the certificate currently served to that hostname.
When not to use it: Do not paste certificate or host details publicly without redacting internal names.
Expected output example
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R11
notBefore=Jul 1 00:00:00 2026 GMT
notAfter=Sep 29 23:59:59 2026 GMT
How to read the result
The hostname must appear in the served certificate SANs and the active Nginx server block must point at the intended certificate files.
What to check next
Subject/SAN does not include hostname
Means: The server is presenting a certificate for another name.
Next step: Read the served SANs and Nginx SSL certificate directives.
Nginx config points at an old path
Means: The wrong server block or certificate file may be active.
Next step: Map ssl_certificate and server_name directives.
Certbot inventory has the correct certificate
Means: Renewal may be fine; Nginx may not be using that lineage.
Next step: List Certbot certificate inventory.
TLS decision tree
Separate the certificate served over the network from certificate files on disk. The live endpoint is the source of truth for what users see.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -datesopenssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltNamegrep -RInE 'ssl_certificate|ssl_certificate_key|server_name' /etc/nginx/sites-enabled /etc/nginx/conf.d 2>/dev/nullsudo certbot certificates
Bad fixes to avoid
Do not reissue certificates blindly, edit every server block, or reload Nginx before proving which certificate is live and which config owns the hostname.
Common causes
- Wrong default_server block handles the hostname.
- Nginx points at an old certificate lineage.
- DNS reaches a different server than expected.
- Certificate renewed but Nginx was not reloaded after a safe config test.
What not to change yet
- Do not delete certificate files.
- Do not reload Nginx before nginx -t.
- Do not change DNS until the live certificate path is understood.
Stop and escalate if
- The next step could interrupt users, remove data, or lock out access.
- The output includes secrets, customer data, or private infrastructure details.
- You cannot explain the blast radius of the repair command.
supporting commands
Command path
Guides and drills
- Nginx 502 hub Use when TLS is correct but proxying fails.
- Certbot renewal failed hub Use when renewal or dry-run fails.