diff --git a/aiohttp/client_reqrep.py b/aiohttp/client_reqrep.py
index 3d7a90d6d2d..04c2072fa25 100644
--- a/aiohttp/client_reqrep.py
+++ b/aiohttp/client_reqrep.py
@@ -340,6 +340,9 @@ def update_headers(self, headers: Optional[LooseHeaders]) -> None:
         netloc = cast(str, self.url.raw_host)
         if helpers.is_ipv6_address(netloc):
             netloc = f"[{netloc}]"
+        elif netloc.endswith(":"):
+            # Strip trailing dot. See https://github.com/aio-libs/aiohttp/issues/3636.
+            netloc = netloc[:-1]
         if self.url.port is not None and not self.url.is_default_port():
             netloc += ":" + str(self.url.port)
         self.headers[hdrs.HOST] = netloc
diff --git a/aiohttp/connector.py b/aiohttp/connector.py
index 3d9f7b59f7b..2b3f4d2797a 100644
--- a/aiohttp/connector.py
+++ b/aiohttp/connector.py
@@ -1117,6 +1117,13 @@ def drop_exception(fut: "asyncio.Future[List[Dict[str, Any]]]") -> None:
             port = hinfo["port"]
 
             try:
+                server_hostname = None
+                if sslcontext:
+                    server_hostname = hinfo["hostname"]
+                    if server_hostname.endswith("."):
+                        # Strip trailing dot, certificates contain FQDN without dot.
+                        # See https://github.com/aio-libs/aiohttp/issues/3636
+                        server_hostname = server_hostname[:-1]
                 transp, proto = await self._wrap_create_connection(
                     self._factory,
                     host,
@@ -1126,7 +1133,7 @@ def drop_exception(fut: "asyncio.Future[List[Dict[str, Any]]]") -> None:
                     family=hinfo["family"],
                     proto=hinfo["proto"],
                     flags=hinfo["flags"],
-                    server_hostname=hinfo["hostname"] if sslcontext else None,
+                    server_hostname=server_hostname,
                     local_addr=self._local_addr,
                     req=req,
                     client_error=client_error,