Got NET:ERR_CERT_AUTHORITY_INVALID randomly

Hi, on the domain

https://crmcoopaudi.pksmartcloud.it/

sometimes I get NET:ERR_CERT_AUTHORITY_INVALID
when I'm working with Chrome, Edge or Firefox.

I have checked my domain with this service
https://www.ssllabs.com/ssltest/analyze.html?d=crmcoopaudi.pksmartcloud.it
and the overall rating is A

I have got similar results also with other tools.

On the server I'm using Caddy running in a container, and the renewal of the certificate is working without problems.

In the directory /etc/ssl/certs I find the root CA "ISRG_Root_X1.pem",
and in the Caddy data directory I find the certificate with the intermediate certificate R3
(concatenated):

-rw------- 1 root root 3.3K Apr 2 19:28 crmcoopaudi.pksmartcloud.it.crt
-rw------- 1 root root 166 Mar 7 14:57 crmcoopaudi.pksmartcloud.it.json
-rw------- 1 root root 227 Mar 7 14:57 crmcoopaudi.pksmartcloud.it.key

What other checks can I do?

Thanks for any answer,
regards

1 Like

After quite some time, when using openssl s_client, I'm getting a certificate from "Fortiguard SDNS Blocked Page". Do you have a Fortiguard firewall in place perhaps?

When I surf to https://crmcoopaudi.pksmartcloud.it/ though, I immediately get a working website with the Let's Encrypt certificate. So not sure what's going on here.

4 Likes

MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

I get the same, every time.

2 Likes

The host is on Oracle Cloud, I have to investigate if there is some firewall in front of the host.
Could you send me the complete openssl s_client command that you have used?
Thank you very much for the response.

openssl s_client -connect crmcoopaudi.pksmartcloud.it:443

But currently even that command is returning a Let's Encrypt certificate.

Earlier it was this:

osiris@erazer ~ $ openssl s_client -connect crmcoopaudi.pksmartcloud.it:443
CONNECTED(00000003)
depth=0 O = Fortinet, CN = Fortiguard SDNS Blocked Page
verify error:num=18:self-signed certificate
verify return:1
depth=0 O = Fortinet, CN = Fortiguard SDNS Blocked Page
verify return:1
---
Certificate chain
 0 s:O = Fortinet, CN = Fortiguard SDNS Blocked Page
   i:O = Fortinet, CN = Fortiguard SDNS Blocked Page
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 25 17:53:24 2022 GMT; NotAfter: Oct 22 17:53:24 2032 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----(...)-----END CERTIFICATE-----
subject=O = Fortinet, CN = Fortiguard SDNS Blocked Page
issuer=O = Fortinet, CN = Fortiguard SDNS Blocked Page
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1417 bytes and written 413 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 
    Session-ID-ctx: (...)
    Resumption PSK: (...)
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket: (...)

    Start Time: 1712161034
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: (...)
    Session-ID-ctx: 
    Resumption PSK: (...)
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket: (...)

    Start Time: 1712161034
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Content-Length: 313

<!DOCTYPE html>
<html>	
	<head>
	</head>
	<body>
		<iframe src="/fortiadc_error_page/default.html" frameborder="0" width="100%" scrolling="no" onload="function resizeIframe(obj) {
	    obj.style.height = obj.contentWindow.document.body.scrollHeight + 10 + 'px';
	  };resizeIframe(this)"></iframe>
	</body>
</html>40E796E4897F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../openssl-3.0.13/ssl/record/rec_layer_s3.c:307:
osiris@erazer ~ $ 
2 Likes
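Because the interception only shows up now and then, a single manual `openssl s_client` run can easily miss it. The script below is an added example (not code from this thread or from Caddy) that parses `openssl s_client` output the way the reply above reads it: it pulls out the subject, the issuer and the verify return code, flags a self-signed leaf (subject equals issuer, as on the Fortinet block page) or an issuer that is not the expected CA, and tallies the outcome over repeated probes. It assumes the site is expected to serve a Let's Encrypt certificate (the R3 intermediate mentioned in the question), and that the `openssl` binary is on PATH for the live `probe()` helper; the two sample outputs are constructed to mirror the thread, not real captures.

```python
"""Spot intermittent TLS interception by classifying `openssl s_client` output.

Added example for this thread (not the original posters' code). Assumptions:
the site should present a Let's Encrypt certificate, and `openssl` is on PATH.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: the expected issuer organisation(s). Adjust for your own CA.
EXPECTED_ISSUER_ORGS = ("Let's Encrypt",)


@dataclass
class HandshakeReport:
    subject: str
    issuer: str
    verify_code: int        # OpenSSL "Verify return code", 18 = self-signed leaf
    self_signed: bool       # subject == issuer, as on the Fortinet block page
    issuer_expected: bool   # issuer carries one of EXPECTED_ISSUER_ORGS


def parse_s_client(output: str) -> HandshakeReport:
    """Extract subject, issuer and verify code from `openssl s_client` output."""
    def grab(pattern: str, default: str = "") -> str:
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else default

    subject = grab(r"^subject=(.*)$")
    issuer = grab(r"^issuer=(.*)$")
    code = int(grab(r"^Verify return code: (\d+)", "-1"))
    self_signed = bool(subject) and subject == issuer
    # Accept both "O = Org" (OpenSSL 3) and "O=Org" (older OpenSSL) spellings.
    issuer_expected = any(
        re.search(r"\bO\s*=\s*" + re.escape(org), issuer) for org in EXPECTED_ISSUER_ORGS
    )
    return HandshakeReport(subject, issuer, code, self_signed, issuer_expected)


def classify(report: HandshakeReport) -> str:
    """'ok' only when verification passed AND the issuer is the one we expect."""
    if report.verify_code == 0 and report.issuer_expected:
        return "ok"
    if report.self_signed:
        return "self-signed-intercept"
    return "unexpected-issuer"


def tally(reports: Iterable[HandshakeReport]) -> dict:
    """Count outcomes so an occasional intercepted handshake stands out."""
    counts: dict = {}
    for r in reports:
        label = classify(r)
        counts[label] = counts.get(label, 0) + 1
    return counts


def probe(host: str, attempts: int = 5, port: int = 443) -> List[HandshakeReport]:
    """Live check (needs network and the openssl binary): repeat the handshake."""
    reports = []
    for _ in range(attempts):
        proc = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
            input=b"", capture_output=True, timeout=20,
        )
        reports.append(parse_s_client(proc.stdout.decode(errors="replace")))
    return reports


# Constructed samples mirroring the thread's output (not real captures).
SAMPLE_BLOCKED = """CONNECTED(00000003)
depth=0 O = Fortinet, CN = Fortiguard SDNS Blocked Page
verify error:num=18:self-signed certificate
---
subject=O = Fortinet, CN = Fortiguard SDNS Blocked Page
issuer=O = Fortinet, CN = Fortiguard SDNS Blocked Page
---
Verify return code: 18 (self-signed certificate)
"""

SAMPLE_OK = """CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
---
subject=CN = crmcoopaudi.pksmartcloud.it
issuer=C = US, O = Let's Encrypt, CN = R3
---
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    # Offline demo on the constructed samples; swap in probe(host) for a live run.
    print(tally([parse_s_client(SAMPLE_BLOCKED), parse_s_client(SAMPLE_OK)]))
```

Run it a few dozen times from the affected client network and from somewhere outside it: if `self-signed-intercept` appears only on the client side, the cause sits between the browser and the server (a DNS filter or firewall answering with its own block page), not in Caddy's certificate or chain, which is exactly what the SSL Labs "A" rating already suggested.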

Yes, it works randomly.

I think the problem is this :man_facepalming:

Thank you very much for the support.

1 Like