Certificate seems granted by fortigate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://pronostiek.volar-it.be

I ran this command:

It produced this output:

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): W10

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Win acme V2


I assigned a new certificate on my webserver. All websites running there work on my internal network. But once outside my own network I got error messages concerning the root CA.
Screenshots as attachments…
I don’t really understand what’s going on or what I’m doing wrong…

Could you please help me?

Thanks in advance!

Did you configure port the port forwarding on your router/firewall?

(How did you obtain your certificates? DNS challenge?)

I used the Win-Acme v2 client which indeed did a challenge with a TXT record in my DNS.
There is no port forwarding active.
My firewalle uses HAproxy to direct the traffic to the right destination.
HAproxy states my sites are available and they actually are inside my network…

There should be some port forwarding (or some externally exposed haproxy) if you want your websites to be visible from outside your network…

That’s right. My HA proxy is configured with a frontend and backend configuration.
So my frontend evaluates which pattern and port is visited. Then the appropriate backend gets applied.
In this case: my frontend will determine HTTPS is used, on port 443 and ‘pronostiek.volar-it.be’.
It will send that traffic to the appropriate webserver on port 443 and right hostname…

yes, but ports 80 and 443 on your router/firewall need to be forwarded to your haproxy frontend, otherwise only local clients will ever be able to reach your websites.

HA proxy is on my firewall which gets it’s traffic from my ISP.
The whole setup worked fine, untill I replaced my certificates… Very strange!

I get some website served by IIS now.

% curl -IL https://pronostiek.volar-it.be/
HTTP/2 200 
cache-control: private
content-length: 86604
content-type: text/html; charset=utf-8
server: Microsoft-IIS/10.0
x-aspnetmvc-version: 5.0
x-aspnet-version: 4.0.30319
x-powered-by: ASP.NET
date: Mon, 03 Aug 2020 19:36:41 GMT

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.