SSL validation error on subscriptions with custom SSL certs

Issue

When trying to pull the databases down in IDE, we get this error:

In CurlFactory.php line 211: cURL error 51: SSL: no alternative certificate subject name matches target host name 'xxx.[devcloud/enterprise-g1].acquia-sites.com'

The issue is that the process that tries to pull down a database (via an acli pull command), does so with a secure tokenized download URL on your default Acquia domain. And the problem is, the request to your default Acquia domain is running into this known issue: https://docs.acquia.com/cloud-platform/known-issues/#self-service-ssl-certificates-overwrite-acquia-s-default-certificate

Self-service SSL certificates overwrite Acquia’s default certificate
When requesting the Acquia default domain, the subscriber’s self-service SSL certificate loads instead of the Acquia SSL certificate that covers the Acquia default domains. This behavior causes an SSL error in the browser. Install and activate two or more custom certificates on any affected environment to remove this error on the Acquia default domain.

Affected Applications/Limitations

This issue is occurring with ACP and ACSF customers

Resolution

We have found the following three workarounds to be successful but each has its own drawbacks -

• Temporarily disable any custom SSL certificates via the Acquia Cloud UI on an environment before running acli pull — obviously this is only workable for pulls from a non-production environment. And after setting up cloud IDE, you can activate the cert again.
• Make the pull from a dev or test environment that doesn’t have a custom SSL installed in the first place — depending on the workflow this might be the easiest.
• Manually download the database backup and run lando db-import — slower and you have to place your db dump in a directory INSIDE of the Lando root directory (and add it to git-ignore)