SSL_ERROR_BAD_CERT_DOMAIN but cert is valid

  • 1 reply
  • 1 has this problem
  • 23 views
  • Last reply by Andy Kruger

I run a little server at (let's call it) nc.example.com. For external access I use Cloudflare tunnel/proxy and have no issues, but for internal LAN access I have a little nginx reverse proxy with a Let's Encrypt certificate on it and custom internal DNS.

With Firefox (only Firefox; curl, Chrome, and Edge have no problem), the first time I browse to the site (after opening Firefox, or after not interacting with the site for a couple of minutes) I get the SSL_ERROR_BAD_CERT_DOMAIN error after a wait of about 30 seconds. The site uses HSTS, so Firefox refuses to talk to it. Pressing Ctrl-F5 after getting the error loads the site as if nothing happened.

What is really annoying is that the Advanced info shows "Firefox does not trust this site because it uses a certificate that is not valid for nc.example.com. The certificate is only valid for the following names: *.example.com, example.com"

I get pretty much the same result if I use a certificate just issued for nc.example.com or for "nc.example.com,example.com".

Probably related, but with different results, if I use a certificate issued to "nc.example.com,*.nc.example.com", Firefox immediately tries to go to www.nc.example.com, which doesn't exist.

Note I have looked at the results of clicking on SSL_ERROR_BAD_CERT_DOMAIN in the error page and did a character-by-character comparison of the PEM format certificate displayed there with the actual full chain PEM certificate file on the web server and they are identical.

A message that the browser doesn't trust a site because it has a certificate not valid for SITE-A, and then says the certificate is only valid for SITE-A sure seems like a bug to me.
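
The hostname check that SSL_ERROR_BAD_CERT_DOMAIN reports on, as an added offline example (not part of the original post and not Firefox's code): a simplified RFC 6125-style matcher run over the SAN sets quoted in the post. The function names and the `CERTS` table are constructed for illustration, and the matcher assumes ASCII names with a wildcard only as the whole leftmost label.

```python
# Added example: simplified dNSName matching in the style of RFC 6125.
# Assumption: ASCII hostnames; "*" is honoured only as the entire leftmost label.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname."""
    p = pattern.rstrip(".").lower().split(".")
    h = hostname.rstrip(".").lower().split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one label, never zero or several.
        # Require two labels after it so a pattern like "*.com" is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covering_entries(sans, hostname):
    """List the SAN entries that cover hostname (empty list = name mismatch)."""
    return [s for s in sans if san_matches(s, hostname)]


# SAN sets quoted in the post (example.com stands in for the real domain).
CERTS = {
    "wildcard": ["*.example.com", "example.com"],
    "single": ["nc.example.com"],
    "pair": ["nc.example.com", "example.com"],
    "nested": ["nc.example.com", "*.nc.example.com"],
}


def report(hostnames=("nc.example.com", "www.nc.example.com")):
    """Map (certificate label, hostname) to the SAN entries covering it."""
    return {
        (label, host): covering_entries(sans, host)
        for label, sans in CERTS.items()
        for host in hostnames
    }


if __name__ == "__main__":
    for (label, host), hits in report().items():
        verdict = "covered by " + ", ".join(hits) if hits else "NOT covered"
        print(f"{label:9} {host:20} {verdict}")
```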

All replies (1)

A follow-on to this. I decided to create a Windows virtual machine on my computer (I use Linux) and installed Firefox in that. In the Windows VM, Firefox had no problem accessing the site.

So my next investigation step was to open the .mozilla folder in my Linux home directory and rename the firefox directory to something else, forcing a new profile to be created. The new profile also has no problem opening the site. When I remove the new firefox directory created for the new profile and rename the old one back to firefox, I have the problem again.

Clearly there is something in my Firefox profile causing this. I really don't want to lose over a year of setup I've done in my proper Firefox profile, so I don't just want to dump it and start over. Is there a specific file I can try deleting/renaming to see if it solves the issue without losing my whole profile?