The latest articles on DEV Community by Alex Bouchard (@abouchard11). https://dev.to/abouchard11 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3869269%2Fe969525e-a5ad-4e7e-9e36-362d42161f3d.png https://dev.to/abouchard11 en Alex Bouchard Thu, 09 Apr 2026 07:57:44 +0000 https://dev.to/abouchard11/firebase-hosting-ssl-bug-my-site-is-still-serving-a-banks-certificate-4208 https://dev.to/abouchard11/firebase-hosting-ssl-bug-my-site-is-still-serving-a-banks-certificate-4208 <p>My Florida real estate site is serving Solera National Bank's SSL certificate. Not a shared certificate. The <em>exact same certificate</em> with matching serial numbers.</p> <p>This is a live investigation into what appears to be an SNI routing bug in Firebase Hosting.</p> <h2> The Evidence </h2> <p>I'm not speculating. Here are the actual certificate details I pulled today:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>openssl s_client <span class="nt">-servername</span> buylandfl.com <span class="nt">-connect</span> buylandfl.com:443 2&gt;/dev/null | openssl x509 <span class="nt">-noout</span> <span class="nt">-subject</span> <span class="nt">-serial</span> <span class="nv">subject</span><span class="o">=</span> /CN<span class="o">=</span>unified-wealth.solerabank.com <span class="nv">serial</span><span class="o">=</span>5DDE25B5E996D4CC128B8A5E70BE99C3 </code></pre> </div> <p>And when I check the actual bank's domain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>openssl s_client <span class="nt">-servername</span> unified-wealth.solerabank.com <span class="nt">-connect</span> unified-wealth.solerabank.com:443 2&gt;/dev/null | openssl x509 <span class="nt">-noout</span> <span class="nt">-subject</span> <span class="nt">-serial</span> <span class="nv">subject</span><span class="o">=</span> /CN<span class="o">=</span>unified-wealth.solerabank.com <span class="nv">serial</span><span class="o">=</span>5DDE25B5E996D4CC128B8A5E70BE99C3 </code></pre> </div> <p><strong>Same serial number.</strong> My domain is being served the literal same certificate as Solera Bank's wealth management portal.</p> <h2> It's Not Just Me </h2> <p>I found another affected pair:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Domain</th> <th>Wrong Cert</th> <th>Serial</th> </tr> </thead> <tbody> <tr> <td>southfloridawaterfront.homes</td> <td>CN=<a href="http://www.rkhn.nl" rel="noopener noreferrer">www.rkhn.nl</a> </td> <td>6B4532...39EC</td> </tr> </tbody> </table></div> <p>A Florida real estate site serving a Dutch domain's certificate.</p> <h2> What I've Tried </h2> <ul> <li>Created entirely new Firebase project</li> <li>Updated DNS TXT record</li> <li>Completed domain verification (green checkmark)</li> <li>Deployed fresh</li> <li>Waited 12+ hours</li> </ul> <p>Firebase console says "Certificate active." The wrong certificate persists.</p> <h2> The Pattern </h2> <p>All affected domains:</p> <ul> <li>Hosted on Firebase Hosting</li> <li>Resolve to <code>199.36.158.100</code> (Firebase shared IP)</li> <li>Certificates from Google Trust Services (WR3)</li> <li>Started around March 22, 2026</li> </ul> <p>This looks like SNI routing returning the wrong certificate from Firebase's edge servers.</p> <h2> How to Check Your Site </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openssl s_client <span class="nt">-servername</span> yourdomain.com <span class="nt">-connect</span> yourdomain.com:443 2&gt;/dev/null | openssl x509 <span class="nt">-noout</span> <span class="nt">-subject</span> </code></pre> </div> <p>If the CN doesn't match your domain, you have the same bug.</p> <h2> What Firebase Says vs. Reality </h2> <p>The <a href="https://groups.google.com/g/firebase-talk/c/3jgZ1vJ1t4s" rel="noopener noreferrer">official response</a> to "wrong domain in certificate":</p> <blockquote> <p>"Firebase Hosting certificates cover many domains (as SANs)... wait a few hours."</p> </blockquote> <p><strong>This doesn't apply here.</strong> I'm not seeing a shared SAN certificate missing my domain. I'm seeing a completely different domain's certificate with a different serial number.</p> <h2> Current Status: Still Broken </h2> <p>As of April 4, 2026, 2:00 PM CDT - no resolution. Firebase console shows everything green. Wrong cert persists.</p> <p>If you're affected, I'd like to document this. Contact: <a href="mailto:info@buylandfl.com">info@buylandfl.com</a></p> <p><em>Full technical writeup with timeline at the canonical URL.</em></p> firebase ssl security webdev