Invalid certificate authority guest network

I am using FortiAuthenticator to allow access to my guest and BYOD networks, and when a user attempts to get to the sign-in page they are getting a certificate error.

net::err_cert_authority_invalid

I assume this is because most everything is blocked. I have added *.lencr.org and r11.o.lencr.org to the exceptions, but that is not helping. Any ideas what else may need to be added to accept the Let's Encrypt certificate to authenticate?

Thanks

Can you show us the certificate that gets sent to the browser when this happens?


It is getting the proper cert from the server, it just can't authenticate it on my guest network. On an open network it authenticates just fine. I was just hoping someone knew what addresses the device would try to hit to authenticate it.

When this happens the certificate is usually fine and your guest network is performing some kind of MITM attack to show its captive portal or to perform some kind of TLS inspection.

It's easy enough to see what certificate the browser gets, to see if it's a Let's Encrypt public certificate or some kind of private/self-signed CA.

You can check if there's a captive portal by opening http://http.badssl.com/


Yes, it is a captive portal. That is what the cert is on. The certificate the device gets is the Let's Encrypt cert, but the device cannot verify the cert.

If the certificate is correctly installed (no incomplete chain or wildly out of sync clock, mostly), there is no way the device can verify only some Let's Encrypt certs.

It would have the same issue with all of them.


Just figured it out. I was thinking it was a firewall policy issue because that is how it presented, but it was a captive portal exception. They are basically the same thing, just in different places on the firewall. I have *.lencr.org as a firewall policy exception but not, as I thought, a captive portal exception. Once I added it, it works.

Thanks

You should check if you're serving complete chains.

You should only need to connect there for additional downloads and revocation checks, and the latter should produce a different error.

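As an added example, not part of this thread and not Let's Encrypt or Fortinet code, the Go program below does the two checks the last reply points to: whether the chain a server sends is complete on its own, and which Authority Information Access (AIA) hosts a client would contact if it had to download a missing intermediate or run an OCSP revocation check. Those are exactly the hosts a captive-portal exception list has to allow. It builds a toy root / intermediate / leaf chain in memory so it runs offline; the *.example.test AIA URLs are constructed stand-ins for a real CA's OCSP and CA Issuers endpoints (the thread's r11.o.lencr.org is a real OCSP host of that kind). To test a real portal, feed InspectChain the certificates the server actually sends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

type ChainReport struct {
	Complete bool     // chain reaches a trusted root with no extra downloads
	Hosts    []string // AIA hosts (OCSP, CA Issuers) the client may need to reach
	Err      string   // verification error when Complete is false
}

// InspectChain mimics a browser: served[0] is the leaf, the rest are intermediates.
// It verifies against roots without fetching anything, then lists every AIA host
// in the chain, i.e. what a captive portal must allow for AIA fetches and OCSP.
func InspectChain(served []*x509.Certificate, roots *x509.CertPool) ChainReport {
	inters := x509.NewCertPool()
	for _, c := range served[1:] {
		inters.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	rep := ChainReport{Complete: err == nil}
	if err != nil {
		rep.Err = err.Error()
	}
	seen := map[string]bool{}
	for _, c := range served {
		urls := append([]string{}, c.OCSPServer...) // fresh slice: no aliasing of cert data
		for _, u := range append(urls, c.IssuingCertificateURL...) {
			if p, err := url.Parse(u); err == nil && !seen[p.Hostname()] {
				seen[p.Hostname()] = true
				rep.Hosts = append(rep.Hosts, p.Hostname())
			}
		}
	}
	return rep
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// tmpl builds a CA or server-leaf template; the AIA URLs are constructed example.test hosts.
func tmpl(serial int64, cn string, isCA bool, ocsp, issuer string) *x509.Certificate {
	c := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		c.KeyUsage = x509.KeyUsageCertSign
	} else {
		c.DNSNames = []string{cn}
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if ocsp != "" {
		c.OCSPServer = []string{ocsp}
		c.IssuingCertificateURL = []string{issuer}
	}
	return c
}

// issue signs t with the parent's key (self-signed when parent == t).
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}
// BuildToyPKI creates an in-memory root -> intermediate -> leaf chain (constructed test data).
func BuildToyPKI() (root, inter, leaf *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootT := tmpl(1, "Toy Root", true, "", "")
	root = issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter = issue(tmpl(2, "Toy Intermediate R1", true, "http://root.o.example.test", "http://root.i.example.test/root.crt"), root, &interKey.PublicKey, rootKey)
	leaf = issue(tmpl(3, "portal.example.test", false, "http://r1.o.example.test", "http://r1.i.example.test/r1.crt"), inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

func main() {
	root, inter, leaf := BuildToyPKI()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// Leaf + intermediate verifies offline; the leaf alone makes the client fetch the intermediate from an AIA host.
	fmt.Printf("full chain: %+v\n", InspectChain([]*x509.Certificate{leaf, inter}, roots))
	fmt.Printf("leaf only:  %+v\n", InspectChain([]*x509.Certificate{leaf}, roots))
}
```

The leaf-only run fails with "certificate signed by unknown authority", the same class of error the original poster saw, and the reported hosts are the ones a walled-garden exception list must contain. A server that sends the full chain only needs the OCSP host reachable (and even then most browsers fail open or soft-fail, producing a different error than an untrusted-authority one), which is why serving complete chains is the first thing to verify.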