PASSED | network / ssl_offload_mismatch

SSL Offload Certificate Mismatch

During a certificate renewal, the wrong certificate is applied to the load balancer's SSL offload profile. The certificate is for a different domain (staging.acmecorp.com instead of www.acmecorp.com). Browsers show certificate name mismatch warnings. HPKP pins do not match.

Pattern: LOAD_BALANCER_EVENT
Severity: CRITICAL
Confidence: 85%
Remediation: Remote Hands

Test Results

Metric | Expected | Actual | Result
Pattern Recognition | LOAD_BALANCER_EVENT | LOAD_BALANCER_EVENT |
Severity Assessment | CRITICAL | CRITICAL |
Incident Correlation | Yes | 22 linked |
Cascade Escalation | N/A | No |
Remediation | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

HAProxy load balancer. SSL termination at LB. Certificate renewed but wrong PEM file uploaded (staging cert). HPKP configured with 60-day max-age. 20,000 daily visitors.

Injected Error Messages (2)

HAProxy SSL certificate mismatch — frontend 'https-in' serving certificate CN=staging.acmecorp.com instead of CN=www.acmecorp.com, certificate SAN does not include www.acmecorp.com, SSL handshake completing but browsers showing ERR_CERT_COMMON_NAME_INVALID
Production website certificate error — www.acmecorp.com showing 'Your connection is not private' in all browsers, certificate subject mismatch: expected www.acmecorp.com got staging.acmecorp.com, HSTS preventing bypass, Chrome: NET::ERR_CERT_COMMON_NAME_INVALID, 20,000 daily users affected

Neural Engine Root Cause Analysis

HAProxy load balancer LB-01 is serving an incorrect SSL certificate for the production domain. The frontend 'https-in' is configured with a staging certificate (CN=staging.acmecorp.com) instead of the production certificate (CN=www.acmecorp.com), causing SSL handshake failures and browser certificate validation errors. This is likely due to a configuration error during deployment or certificate renewal process that accidentally deployed the staging certificate to production infrastructure.

Remediation Plan

1. Immediately verify the correct production SSL certificate is available on the HAProxy server.
2. Update HAProxy configuration to reference the correct certificate files for CN=www.acmecorp.com in the 'https-in' frontend section.
3. Validate certificate SAN includes www.acmecorp.com domain.
4. Reload HAProxy configuration using 'haproxy -f /etc/haproxy/haproxy.cfg -c' to test, then 'systemctl reload haproxy' to apply.
5. Test SSL handshake and verify browser accepts certificate.
6. Monitor for cascading service recovery given 12 correlated incidents.

Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmncjml0802p7obqehw16caim