Issue with Project Shield and SSL on some mobile devices

I have an issue that some mobile visitors to iran-pedia.org cannot reach the site and are faced with an SSL cert warning. The thing that makes the issue more complicated is that I am using Project Shield as a DDoS mitigation measure on top of my web server.
My vhost configuration on the server seems OK, as below:

SSLCertificateFile /etc/letsencrypt/live/iran-pedia.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/iran-pedia.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/iran-pedia.org/chain.pem

But I still don’t know why some mobile users cannot access the website.
Any help?

My domain is: iran-pedia.org

I ran this command:

It produced this output:

My web server is (include version): Apache

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Hi @pakan

Do you have the exact error message? A screenshot?

Checking your site there are no critical things visible ( https://check-your-website.server-daten.de/?q=iran-pedia.org#connections ). No certificate errors, no chain errors.

Maybe a firewall tries to act as a man in the middle.

2 Likes

Some users inside Iran get this error message,

the general SSL error on web browsers, and they also claim they’re not able to log in to the website with a VPN. I guess it has something to do with the SSL, since I have to configure the SSL in two different servers: on the web server and in the Project Shield SSL certificate setup.
Certainly this is an issue with mobile users.

2 Likes

Is it possible to show the details of the certificate?

By clicking / touching on NET::ERR_CERT_AUTHORITY_INVALID?

  • It’s the Let’s Encrypt certificate and the parent certificate is unknown (or)
  • there is another CA visible, so it’s a completely different certificate

I don’t think it’s a problem directly with your server. Looks like a man in the middle that tries to break the connection.

Are these users able to load other sites with Let’s Encrypt certificates? https://letsencrypt.org/ ?

3 Likes

Yes, it’s reasonably likely that the users are being faced with deliberate interference from their network operators.

One possibility would be to ask them to save the certificates in their browsers. If you want to practice what the user interface looks like in different browsers, you can visit

https://badssl.com/

They have some deliberately misconfigured and invalid certificates, which can simulate the behavior that a user would encounter either when visiting a misconfigured site or when under attack by a network that tries to stop or intercept access to a particular site. You can then see what steps to take in your browser in order to download the certificate.

If the users experiencing the problem follow similar steps, they could share the exact certificate data with you or with another forum, which would then make it straightforward to confirm that the problem is being caused intentionally by a network operator.

4 Likes
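The step suggested above, capturing the certificate a client is actually served so it can be compared with the real one, as an added example that is not code from this thread: it fetches the leaf certificate with validation switched off on purpose (so an injected certificate is captured rather than rejected) and reads the issuer straight out of the DER using only the standard library. The host name, the hypothetical `fetch_leaf_der` / `issuer_from_der` helpers and the truncated sample certificate (constructed, cut off after the issuer Name) are all assumptions of this example.

```python
"""Added example, not from the thread: fetch the leaf certificate a client is really
served and read its issuer out of the DER (stdlib only). Validation is off on purpose."""
import socket
import ssl
OID_O, OID_CN = b"\x55\x04\x0a", b"\x55\x04\x03"   # organizationName, commonName

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_from_der(der):
    """Return {'O': ..., 'CN': ...} from the issuer Name of a DER-encoded certificate."""
    _, pos, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)                 # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)               # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)             # serialNumber
    _, _, end = _tlv(der, end)                 # signature AlgorithmIdentifier
    _, start, end = _tlv(der, end)             # issuer Name ::= SEQUENCE OF RDN
    issuer = {}
    while start < end:
        _, atv, rdn_end = _tlv(der, start)     # RelativeDistinguishedName ::= SET
        _, oid, _ = _tlv(der, atv)             # AttributeTypeAndValue ::= SEQUENCE
        _, o_start, o_end = _tlv(der, oid)     # type OBJECT IDENTIFIER
        _, v_start, v_end = _tlv(der, o_end)   # value DirectoryString
        key = {OID_O: "O", OID_CN: "CN"}.get(der[o_start:o_end])
        if key:
            issuer[key] = der[v_start:v_end].decode("utf-8", "replace")
        start = rdn_end
    return issuer

def is_letsencrypt(der):
    return issuer_from_der(der).get("O") == "Let's Encrypt"   # the O= the site should serve

def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the served leaf certificate as DER even if it would fail validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # check_hostname first
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

SAMPLE_MITM_DER = bytes.fromhex(               # constructed: cert-shaped DER, cut after issuer
    "30373035a003020102020101300b06092a864886f70d01010b301e"        # ... issuer O="Evil",
    "310d300b060355040a0c044576696c310d300b06035504030c044d49544d")  # CN="MITM"
```

An affected user would run `issuer_from_der(fetch_leaf_der("iran-pedia.org"))` from the affected network; an issuer other than Let's Encrypt, or a SHA-256 of the DER that differs from one taken on a clean network, shows the certificate is being swapped in transit rather than misconfigured on the server.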

There are two test tools:

https://tools.webservertalk.com/

https://viewdns.info/

both with an Iran Firewall Test.

But it looks like

  • both use the same code,
  • the second times out (with a Cloudflare error, very slow), the first shows an error checking some domains,
  • nic.ir (domain registrar IRNIC) should work, but it doesn’t.

Looks like the results are not really good.

2 Likes

Thanks Juergen,
These are the details of the certificate users get inside Iran:


Only some mobile users are faced with this issue. The main reasons that make me think that it is an SSL misconfiguration on my side are:

  • Even when these users activate VPNs or proxies, they are unable to reach the website, although they can reach other filtered websites with their VPNs inside Iran.

  • The second reason to believe this is an SSL misconfiguration is that, on top of the server, I have Project Shield installed to protect the website from DDoS attacks; maybe the SSL configuration on Project Shield is not set properly.
    Can you please name some other websites with Let’s Encrypt certificates to check?

1 Like

I don’t know how to configure such a VPN. Maybe that’s the problem.

Two tools from this forum:

https://letsdebug.net/ (from @_az )

https://check-your-website.server-daten.de/ (own tool)

Both with Grade A+, so they are preloaded (browsers switch to https). Both with correct DNSSEC, so the DNS information is signed.

2 Likes
