The domain is using an incorrect SSL certificate despite selecting the correct certificate in Plesk

kb: technical ssl

Symptoms

  • When accessing the domain from a web browser, the SSL certificate assigned to the public IP address is displayed (Tools & Settings > IP Addresses > Public IP Address > SSL/TLS Certificate).
  • When checked from outside, the domain shows the incorrect SSL certificate.
  • A local check returns the correct certificate.
  • The web browser displays a message that the site is not secure:

    net::ERR_CERT_COMMON_NAME_INVALID

Cause

The server is behind a proxy server or a firewall/network filter, or a third-party application (BitNinja, Proxmox, or similar) changes the certificate during the request.

Resolution

Do the following steps:

  1. Connect to the Plesk server via SSH.
  2. Check the SSL certificate via a local connection:

    # openssl s_client -servername example.com -connect 100.200.100.5:443 </dev/null 2>/dev/null | openssl x509 -text | head -20
    Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  05:20:19:ef:13:fa:4f:62:07:d5:90:4c:c0:0c:0c:2a:cd:46
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C=US, O=Let's Encrypt, CN=R11
              Validity
                  Not Before: Jul 14 18:37:42 2025 GMT
                  Not After : Oct 12 18:37:41 2025 GMT
              Subject: CN=example.com

    The public IP address 100.200.100.5 is assigned to the network interface of the server where Plesk is installed. The local check shows that the server itself presents the correct certificate, issued for example.com.

  3. Check the SSL certificate from the outside server:

    # openssl s_client -servername example.com -connect 100.200.100.5:443 </dev/null 2>/dev/null | openssl x509 -text | head -20
    Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  05:4a:df:0c:49:25:08:98:14:e9:6b:d8:15:8b:44:64:31:1a
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C=US, O=Let's Encrypt, CN=R11
              Validity
                  Not Before: Jul 17 17:37:41 2025 GMT
                  Not After : Oct 15 17:37:40 2025 GMT
              Subject: CN=another-domain.com

    Checked from an external host, the domain presents a different certificate, issued for another-domain.com.
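
To compare the two vantage points without reading the full certificate dumps, the following added example (not part of the original article and not Plesk tooling) prints the SHA-256 fingerprint of the certificate presented for an SNI name at a given IP address. Run it once on the Plesk server and once on an outside host, then compare the output; the script name `cert_fp.py` and the function names are hypothetical.

```python
import hashlib
import socket
import ssl
import sys


def fetch_leaf_der(ip, servername, port=443, timeout=5.0):
    """Return the DER certificate presented at ip:port for the SNI name."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: the goal is to capture whatever
    # certificate is presented, including a wrong one, not to trust the link.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(cert):
    """SHA-256 fingerprint of a certificate given as DER bytes or PEM text."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare_vantage_points(local_cert, external_cert):
    """Compare the certificate seen on the server with the one seen outside."""
    local_fp, external_fp = fingerprint(local_cert), fingerprint(external_cert)
    return {
        "local": local_fp,
        "external": external_fp,
        # Different fingerprints: the outside client is not reaching the same
        # TLS endpoint as the local check (proxy, filter, or similar in path).
        "replaced_in_path": local_fp != external_fp,
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. cert_fp.py example.com 100.200.100.5
        name, ip = sys.argv[1:]
        print(f"{name} via {ip}: {fingerprint(fetch_leaf_der(ip, name))}")
    else:  # offline demo on constructed placeholder bytes, not real certs
        print(compare_vantage_points(b"constructed-local", b"constructed-external"))
```

`compare_vantage_points` also accepts PEM text, so certificates saved on each host with `openssl s_client ... | openssl x509` can be compared offline.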

Possible reasons:

  1. The third-party application changes the certificate during the request (BitNinja, Proxmox, or similar).
    Configure the third-party application to prevent this behaviour.
    For example: Disable HTTPS on the WAF 2.0 module in BitNinja and restart Nginx, Apache, and the BitNinja client of the server:

    # systemctl restart bitninja.service
    # systemctl restart nginx
    # systemctl restart apache2 || systemctl restart httpd

    This will disable BitNinja's interaction with SSL certificates and should resolve the incorrect certificate issue when accessing the site from outside. You should contact BitNinja support to investigate this behavior further.
     

  2. If no third-party extensions are used and a different certificate is used when connecting from an external resource, this usually indicates the presence of a proxy server, firewall, or network filter in front of the server somewhere in the server infrastructure or at the ISP.
    Check your server infrastructure for proxying/filtering or contact your ISP to determine the problem on the ISP side.

 
