Error: Download failed. SSL: certificate subject name

Last update: 17 October, 2017

If you get an error while trying to update that looks like one of these messages:

Download failed. SSL: certificate subject name ‘*’ does not match target host name ‘’

Download failed. cURL error 51: SSL: no alternative certificate subject name matches target host name ‘’

The Problem

The server you’re hosted on uses a very old version of CURL and / or OpenSSL, the library used to connect to other servers. When you send an update request to our servers, we do that over a secure connection. The reason behind that is that the request contains information about your site as well as your license key. All our connections run through Sucuri’s Website Application Firewall, which keeps us safe from so called DDOS attacks, unfortunately something we’ve had to bear. To be able to do that, we use a system called Server Name Indication (SNI). Every browser after IE6 supports this, and every major CURL version released after March 2008 supports this. Unfortunately, it seems your server is using software older than that.

The Solution

Please ask your hosting provider to update both your SSL library and CURL and you should be ok. You can find your CURL version like this, but unfortunately that’s not all there’s to it. The OpenSSL version used should also be 1.0 or higher, or an equivalent other SSL library that supports SNI, more details can be found below.

We don’t like telling people to contact their hosts. Unfortunately, there are two solutions for us here: fix it for everyone by using an insecure connection, thereby creating security issues, or asking you to contact your host. We’ve chosen the latter. Feel free to send your host this page and specifically the technical paragraph below.

What to do if your host doesn’t want to fix it?

As the software we’re asking your host to use is over 6 years old and several major security problems have been found in these libraries through these years, you should run, not walk, away from your host if they refuse to do this.

Technical background

To be able to use SNI you need:

  1. A version of CURL that supports it, at least 7.18.1, according to the change logs. CURL 7.18.1 was released on March 30th, 2008.
  2. This version of CURL should be compiled against a library that supports SNI, usually OpenSSL 0.9.8j or higher as that enables TLS by default, see below. 0.9.8j
    was released on January 7th, 2009.
  3. To use TLS 1.0 or higher and not use SSL v3. Because SSL v3 is insecure, you shouldn’t use that anyway.

Was this article helpful? ·