Firebase Hosting SSL Bug: My Site Is Still Serving a Bank's Certificate

Published April 4, 2026 | Updated live as investigation continues

Status: STILL BROKEN

Last checked: April 4, 2026, 1:54 PM CDT

buylandfl.com is still serving unified-wealth.solerabank.com certificate after migrating to a new Firebase project and waiting for certificate provisioning.

TL;DR: Multiple Firebase Hosting domains are serving wrong SSL certificates. This isn't a "wait for provisioning" issue. I've verified with OpenSSL that my domain is being served the exact same certificate (same serial number) as Solera National Bank's wealth management portal. A separate Florida real estate site is being served a Dutch domain's certificate. This is actively happening right now.

The Evidence

I'm not speculating. Here are the actual certificate details I pulled today using OpenSSL:

Domain Requested	Certificate Served	Cert Date	Serial
buylandfl.com (my site)	`CN=unified-wealth.solerabank.com`	Mar 22, 2026	`5DDE25...99C3`
unified-wealth.solerabank.com (actual bank)	`CN=unified-wealth.solerabank.com`	Mar 22, 2026	`5DDE25...99C3`
southfloridawaterfront.homes	`CN=www.rkhn.nl`	Mar 24, 2026	`6B4532...39EC`
www.rkhn.nl (Dutch domain)	`CN=www.rkhn.nl`	Mar 24, 2026	`6B4532...39EC`

The serial numbers match exactly. This proves that buylandfl.com is being served the literal same certificate as Solera Bank's portal. This isn't a SAN (Subject Alternative Name) situation where multiple domains share one cert. This is SNI routing returning the wrong certificate entirely.

How to Verify This Yourself

# Check what certificate any domain is serving:
openssl s_client -servername buylandfl.com -connect buylandfl.com:443 2>/dev/null | \
  openssl x509 -noout -subject -serial

# You should see your domain. If you see someone else's, you have the same bug.

What I've Already Tried

This isn't a "just wait for provisioning" issue. Here's what I've done:

Created entirely new Firebase project (buylandfl-prod, replacing florida-land-buyers)
Updated DNS TXT record to hosting-site=buylandfl-prod
Completed domain verification in Firebase Console (shows green checkmark)
Firebase shows "Minting certificate" status
Deployed fresh to new project
Waited hours (documentation says 15-60 minutes typical)

The site content loads fine via HTTPS (if you bypass the cert warning). The wrong certificate persists.

The Pattern

All affected domains I've found share these characteristics:

Hosted on Firebase Hosting
Resolve to Firebase's shared IP: 199.36.158.100
Certificates issued by Google Trust Services (WR3)
Started around March 22-24, 2026

This looks like a bug in Firebase's SNI-based certificate routing. When a browser connects and says "I want buylandfl.com," Firebase's edge servers are returning the certificate for a completely different domain.

Impact

Browser warnings: "Your connection is not private" / NET::ERR_CERT_COMMON_NAME_INVALID
Lost traffic: Most users won't click through security warnings
SEO damage: Search engines don't like SSL errors
Trust issues: My visitors see "Solera National Bank" in the certificate

What Firebase Says (vs. Reality)

The official Firebase response to "wrong domain in certificate" issues is:

"Firebase Hosting certificates cover many domains (as SANs)... If it's newly provisioned, your domain may not have been added right away - wait a few hours."

This doesn't apply here. I'm not seeing a shared SAN certificate that's missing my domain. I'm seeing a completely different domain's certificate with a completely different serial number. This is not the documented behavior.

Timeline

Date	Event
Mar 22, 2026	Solera Bank cert issued (this is what I'm being served)
Mar 24, 2026	rkhn.nl cert issued (what southfloridawaterfront.homes is being served)
Mar 29, 2026	My organic traffic drops (in hindsight, SSL errors started)
Apr 3, 2026	Discovered the issue during analytics review
Apr 4, 2026 2:30 AM	Created new Firebase project, migrated DNS
Apr 4, 2026 4:28 AM	Domain verified, "Minting certificate" status
Apr 4, 2026 1:54 PM	Still serving wrong certificate (11+ hours later)

Questions I Can't Answer Yet

How many domains are affected? (I've confirmed at least 3, suspect more)
Is this affecting all Firebase Hosting, or just certain edge servers?
Why hasn't Google acknowledged this publicly?
Is the bank (Solera) aware their certificate is being served to random websites?

Are You Affected?

If you're on Firebase Hosting and seeing wrong SSL certificates, I want to document this. The more affected sites we can identify, the harder this is for Google to ignore.

Contact: info@buylandfl.com

Include: your domain, what certificate CN you're seeing, when you first noticed it.

Updates

I'll update this post as the situation develops. Bookmark this page or check back.

April 4, 2026, 1:54 PM CDT: Still no resolution. Firebase Console shows domain as verified, but wrong cert persists. Reached out to other affected domain owners.

This post documents an ongoing issue. I'm a small business owner trying to fix my website, not a security researcher. If I've misunderstood something technically, let me know. But the certificate serial numbers don't lie.