api.generativeai.googleapis.com missing from SSL Certificate SAN list (Hostname Mismatch Error)

This text is designed to be a formal bug report or a detailed forum post. It is structured to be immediately actionable by the development team responsible for the Gemini API infrastructure.



Problem Summary

We are experiencing a critical SSL Hostname Mismatch error when attempting to connect to the Gemini API’s REST endpoint, api.generativeai.googleapis.com. This is preventing all API requests from succeeding, as the connection is rejected during the SSL handshake.

A review of the SSL certificate being served shows that the target hostname, api.generativeai.googleapis.com, is currently missing from the certificate’s Subject Alternative Name (SAN) list.

Steps to Reproduce

This issue is consistently reproducible across multiple client environments using standard HTTPS clients.

1. Verification via SSL Checker (e.g., OpenSSL command):

Bash

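# s_client does not print the SAN list itself; decode the served certificate with x509
echo | openssl s_client -servername api.generativeai.googleapis.com -connect api.generativeai.googleapis.com:443 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"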

The output will confirm the current hostnames listed in the certificate’s SAN fields, none of which will match api.generativeai.googleapis.com.

2. Python Client Example (Relevant to the attached fsai.py file):

An attempt to make any API call using the official Google GenAI SDK or a standard library like requests fails immediately.

Python

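import os
import google.generativeai as genai
genai.configure(api_key=os.environ["GOOGLE_API_KEY"])  # configure API key (env var name is an assumption)
for model in genai.list_models():  # or any API call; list_models() is lazy, so iterate to send the request
    print(model.name)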

Actual Result (Error Details)

The request is rejected by the client-side SSL verification process with one of the following errors:

  • Python SDK/Requests: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for '...'

  • General SSL Client: ERR_CERT_COMMON_NAME_INVALID or similar handshake failure.

The certificate served by the endpoint does not include api.generativeai.googleapis.com in its Subject Alternative Name (SAN) field.

Expected Result

The SSL certificate for the api.generativeai.googleapis.com endpoint should contain the hostname api.generativeai.googleapis.com in its Subject Alternative Name (SAN) list, allowing for a successful and secure SSL handshake.

Attachments

Please see the attached file image_e31c19.png which contains a screenshot of the certificate details, confirming the missing hostname from the SAN list.


Environment Details (Optional but helpful):

  • Target Endpoint: api.generativeai.googleapis.com

  • Client Library: google-genai Python library (or general HTTPS client)

  • Operating System: Windows 11

  • Python Version: 3.13.7
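
An added example, not part of the original post: a small Python check that reads the DNS SAN entries a server presents and tests whether a hostname is covered by them, for confirming a hostname mismatch without turning off chain verification. The function names and the sample SAN list are constructed for illustration; the list is not the certificate actually served by any endpoint.

```python
import socket
import ssl
import sys


def hostname_matches(hostname, san_dns_names):
    """True if hostname is covered by a DNS SAN entry.

    Simplified RFC 6125 rule: exact match, or '*' as the whole left-most
    label, which stands for exactly one label.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue
        wildcard = pattern[0] == "*" and len(pattern) > 2
        if pattern == host or (wildcard and pattern[1:] == host[1:]):
            return True
    return False


def served_dns_sans(hostname, port=443, timeout=10):
    """Fetch the DNS SAN entries of the certificate served for hostname.

    The chain is still verified against the system trust store; only the
    built-in hostname check is disabled so the handshake completes and the
    certificate can be read.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list for an offline run; pass a hostname to query a server.
    sample_sans = ["*.googleapis.com", "googleapis.com"]
    target = sys.argv[1] if len(sys.argv) > 1 else None
    sans = served_dns_sans(target) if target else sample_sans
    name = target or "api.generativeai.googleapis.com"
    print(f"{name}: covered={hostname_matches(name, sans)} SANs={sans}")
```

A wildcard entry covers a single label only, so a name two levels below the wildcard's base domain is reported as not covered even when the parent domain's wildcard is present.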