pyca / service-identity

Service Identity Verification for Python

Home Page: https://service-identity.readthedocs.io/

DNSMismatch errors don't include information about what names the mismatched_id didn't match.

dreid opened this issue

Compare a verification error using service_identity:

<VerificationError(errors=[<DNSMismatch(mismatched_id=<DNS_ID(hostname='pancakes.com')>)>])>

to the corresponding request made by requests:

SSLError(SSLError(CertificateError("hostname 'pancakes.com' doesn't match either of '*.potato.com', 'potato.com'",),),)

In the second case it's trivial to actually tell what the mismatch is from just the exception repr.

(names have been changed to protect the guilty.)

Hm, VerificationError sums up conflicts because it potentially can be more complicated due to other types of IDs (e.g. https://github.com/pyca/service_identity/blob/master/tests/test_common.py#L80 ).

Would it be helpful to you if I added an ids field that were attempted to be matched? I can also add a successes field with all IDs that matched but it seems rather excessive…
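
An added example, not part of the thread and not service_identity's code or API: a standard-library sketch of a mismatch error that carries both the requested hostname and the certificate patterns it was compared against, which is the diagnostic the report asks for. The names `HostnameMismatch`, `matches_pattern` and `verify_hostname` are hypothetical, and the matching is simplified (a whole left-most `*` label only, no partial wildcards or IDN handling).

```python
"""Added illustration: a hostname mismatch error that reports both sides."""


class HostnameMismatch(Exception):
    """Hypothetical error type (not service_identity's DNSMismatch)."""

    def __init__(self, hostname, patterns):
        self.hostname = hostname
        self.patterns = list(patterns)  # everything the ID was tried against
        names = ", ".join(repr(p) for p in self.patterns) or "<no dNSName entries>"
        super().__init__(f"hostname {hostname!r} doesn't match any of {names}")


def matches_pattern(pattern, hostname):
    """Label-wise, case-insensitive comparison with a left-most wildcard."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Require two fixed labels after the wildcard so '*.com' matches nothing.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def verify_hostname(hostname, cert_patterns):
    """Return the pattern that matched, or raise with everything that was tried."""
    for pattern in cert_patterns:
        if matches_pattern(pattern, hostname):
            return pattern
    raise HostnameMismatch(hostname, cert_patterns)


# Constructed sample data, reusing the names from the report above.
SAMPLE_PATTERNS = ["*.potato.com", "potato.com"]

if __name__ == "__main__":
    print(verify_hostname("www.potato.com", SAMPLE_PATTERNS))
    try:
        verify_hostname("pancakes.com", SAMPLE_PATTERNS)
    except HostnameMismatch as exc:
        # The message and exc.patterns show what the certificate actually offered.
        print(exc)
```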