My Florida real estate site is serving Solera National Bank's SSL certificate. Not a shared certificate. The exact same certificate with matching serial numbers.
This is a live investigation into what appears to be an SNI routing bug in Firebase Hosting.
The Evidence
I'm not speculating. Here are the actual certificate details I pulled today:
$ openssl s_client -servername buylandfl.com -connect buylandfl.com:443 2>/dev/null | openssl x509 -noout -subject -serial
subject= /CN=unified-wealth.solerabank.com
serial=5DDE25B5E996D4CC128B8A5E70BE99C3
And when I check the actual bank's domain:
$ openssl s_client -servername unified-wealth.solerabank.com -connect unified-wealth.solerabank.com:443 2>/dev/null | openssl x509 -noout -subject -serial
subject= /CN=unified-wealth.solerabank.com
serial=5DDE25B5E996D4CC128B8A5E70BE99C3
Same serial number. My domain is being served the literal same certificate as Solera Bank's wealth management portal.
It's Not Just Me
I found another affected pair:
| Domain | Wrong Cert | Serial |
|---|---|---|
| southfloridawaterfront.homes | CN=www.rkhn.nl | 6B4532...39EC |
A Florida real estate site serving a Dutch domain's certificate.
What I've Tried
- Created entirely new Firebase project
- Updated DNS TXT record
- Completed domain verification (green checkmark)
- Deployed fresh
- Waited 12+ hours
Firebase console says "Certificate active." The wrong certificate persists.
The Pattern
All affected domains:
- Hosted on Firebase Hosting
- Resolve to
199.36.158.100(Firebase shared IP) - Certificates from Google Trust Services (WR3)
- Started around March 22, 2026
This looks like SNI routing returning the wrong certificate from Firebase's edge servers.
How to Check Your Site
openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -subject
If the CN doesn't match your domain, you have the same bug.
What Firebase Says vs. Reality
The official response to "wrong domain in certificate":
"Firebase Hosting certificates cover many domains (as SANs)... wait a few hours."
This doesn't apply here. I'm not seeing a shared SAN certificate missing my domain. I'm seeing a completely different domain's certificate with a different serial number.
Current Status: Still Broken
As of April 4, 2026, 2:00 PM CDT - no resolution. Firebase console shows everything green. Wrong cert persists.
If you're affected, I'd like to document this. Contact: info@buylandfl.com
Full technical writeup with timeline at the canonical URL.
Top comments (0)