ERR_TLS_CERT_ALTNAME_INVALID
Node.js | ERROR | Common | TLS | HIGH confidence

TLS certificate Subject Alternative Name does not match the hostname

Production Risk

Critical — this error blocks connections to servers with invalid certificates, protecting users from MITM.

What this means

Thrown when a TLS connection is being established and the server certificate's Subject Alternative Name (SAN) does not match the hostname the client connected to. This is a fundamental TLS security check; a mismatch means the certificate is not valid for that host.

Why it happens
  1. Connecting to a hostname not listed in the certificate SAN
  2. Certificate issued for www.example.com but connecting to example.com (or vice versa)
  3. Self-signed certificate without proper SAN entries
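
Added example, not part of the original page: Node's own hostname check, tls.checkServerIdentity(), run offline against constructed certificate objects to show which hostnames each SAN list covers. It goes beyond the causes listed above by also covering wildcard and IP SAN entries; the certificate objects, the CASES list and the sanCheck helper are assumptions made for illustration.

```javascript
const tls = require('tls');

// Constructed certificate objects (not real certificates) in the shape that
// tls.checkServerIdentity() receives: a subject and a subjectaltname string.
const CERTS = {
  wwwOnly: { subject: { CN: 'www.example.com' }, subjectaltname: 'DNS:www.example.com' },
  apexAndWww: { subject: { CN: 'example.com' },
    subjectaltname: 'DNS:example.com, DNS:www.example.com' },
  wildcard: { subject: { CN: '*.example.com' }, subjectaltname: 'DNS:*.example.com' },
  devDnsOnly: { subject: { CN: 'localhost' }, subjectaltname: 'DNS:localhost' },
  devDnsAndIp: { subject: { CN: 'localhost' },
    subjectaltname: 'DNS:localhost, IP Address:127.0.0.1' },
};

// Hypothetical helper: run Node's hostname check for one host/cert pair.
// checkServerIdentity returns undefined on a match and an Error carrying
// code ERR_TLS_CERT_ALTNAME_INVALID (plus a reason string) on a mismatch.
function sanCheck(hostname, certName) {
  const err = tls.checkServerIdentity(hostname, CERTS[certName]);
  return err ? { ok: false, code: err.code, reason: err.reason } : { ok: true };
}

// Constructed host/cert pairs covering the mismatch causes.
const CASES = [
  ['www.example.com', 'wwwOnly'],     // name is in the SAN
  ['example.com', 'wwwOnly'],         // apex missing from a www-only cert
  ['example.com', 'apexAndWww'],      // both names listed
  ['api.example.com', 'wildcard'],    // wildcard covers exactly one label
  ['example.com', 'wildcard'],        // wildcard does not cover the apex
  ['a.b.example.com', 'wildcard'],    // nor two labels deep
  ['localhost', 'devDnsOnly'],        // dev cert, connecting by name
  ['127.0.0.1', 'devDnsOnly'],        // connecting by IP needs an IP SAN
  ['127.0.0.1', 'devDnsAndIp'],       // IP SAN present
];

for (const [host, certName] of CASES) {
  const result = sanCheck(host, certName);
  const verdict = result.ok ? 'ok' : `${result.code} (${result.reason})`;
  console.log(`${host} against ${certName}: ${verdict}`);
}
```
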
How to reproduce

Triggered during the TLS handshake when certificate hostname validation fails.

trigger — this will error
const https = require('https');
https.get('https://wrong-host.example.com/', (res) => {
  // not reached if the cert SAN does not include wrong-host.example.com;
  // the failure is delivered to the 'error' handler below
}).on('error', (err) => {
  console.error(err.code); // ERR_TLS_CERT_ALTNAME_INVALID
});

expected output

Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames

Fix 1

Obtain a certificate that covers the target hostname

WHEN In production — always use a valid certificate

// Use Let's Encrypt or your CA to issue a cert for the correct hostname
// The cert SAN should include: example.com, www.example.com

Why this works

A certificate with the correct SAN passes the hostname check and establishes a trusted connection.

Fix 2

Use rejectUnauthorized: false for internal/dev connections

WHEN Only in development or internal networks — never in production

const https = require('https');
https.get({
  hostname: 'localhost',
  rejectUnauthorized: false, // dev only: turns off all certificate validation, not just the SAN check
}, (res) => { /* ... */ });

Why this works

Setting rejectUnauthorized: false disables certificate validation entirely, which bypasses the hostname check; it is only safe on trusted private networks.

Code examples
Trigger (js)
const https = require('https');
https.get('https://wrong-host.example.com/', (res) => {
  // not reached if the cert SAN does not include wrong-host.example.com
}).on('error', (err) => {
  console.error(err.code); // ERR_TLS_CERT_ALTNAME_INVALID
});  // this triggers ERR_TLS_CERT_ALTNAME_INVALID
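Handle in try/catch (js)
const https = require('https');
// https.get reports TLS failures via the 'error' event; wrap it in a Promise so try/catch sees them
const get = (url) => new Promise((resolve, reject) => {
  https.get(url, resolve).on('error', reject);
});
(async () => {
  try {
    // operation that may fail with ERR_TLS_CERT_ALTNAME_INVALID
    const res = await get('https://wrong-host.example.com/');
    res.resume(); // discard the body
  } catch (err) {
    if (err.code === 'ERR_TLS_CERT_ALTNAME_INVALID') {
      console.error('ERR_TLS_CERT_ALTNAME_INVALID:', err.message);
    } else {
      throw err;
    }
  }
})();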
Defensive pattern to avoid it (js)
// Always use a certificate that covers the exact hostname
// For dev, generate with: mkcert localhost 127.0.0.1
// For prod: use Let's Encrypt or a proper CA
What not to do

Set rejectUnauthorized: false in production

Disabling certificate validation removes all TLS security guarantees and enables MITM attacks.

Sources
Node.js Error Codes Documentation
