LetsEncrypt Installed on Nginx But a Cisco Cert is Being Served Up

Last night I finally created certificate for my forum subdomain and after I configured my NGINX, it seemed to work fine, i.e. I was able to access the forum under https://forum.mydomain.net. This morning, however, all of a sudden, I am getting NET::ERR_CERT_AUTHORITY_INVALID under the same URL. And even stranger is what I see in the details of the error message:

Your connection is not private

Attackers might be trying to steal your information from forum.mydomain.net (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
Subject: forum.mydomain.net
Issuer: Cisco Umbrella Secondary SubCA ams-SG
Expires on: Apr 7, 2017
Current date: Apr 4, 2017
PEM encoded chain:

Why is the certificate from Cisco? And why is it invalid when I am trying to access the very domain for which it was created?

Here are some more details:

I ran this command:
letsencrypt certonly -d forum.mydomain.com --manual --preferred-challenges dns

It produced this output:
Don't have the exact output anymore but the certificate was successfully created. As verified here:

My operating system is (include version):
Ubuntu 16.04

My web server is (include version):
nginx/1.10.0 (Ubuntu)

My hosting provider, if applicable, is:
Hetzner

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Sounds like the certificate of a Cisco router, modem or firewall?

I have no idea what it is but it is not the certificate I have on my server so I am utterly confused why my browser is using it and where it comes from. Any idea how to troubleshoot this?

How is your server connected to the internet?

I’m not sure what you want to know here. It is a VPS hosted by Hetzner.

Cisco/OpenDNS Umbrella is a network security product. It generally works as a DNS filtering solution where it essentially blocks domains that are known to be responsible for hosting things like phishing or malware, though it can also be used to block certain categories of sites (adult, social media, etc.).

Umbrella can also act as an HTTPS proxy for domains that are not quite as malicious, but potentially so, to inspect the traffic in detail. I would guess that’s what’s happening here. When Umbrella operates in proxy mode, it uses a custom root certificate that is not trusted by browsers by default and would need to be installed manually. The certificate you’re seeing was issued by that root certificate.

Presumably the network you’re using when visiting your domain is configured to use Umbrella’s DNS servers. This can be done either on the network/firewall level, or through an app running on your device.

Either way, it’s highly unlikely to be related to your server or to Let’s Encrypt.


@tophee

if this is really driving you insane - which it seems to be

Please provide one really important bit of information.

What is your actual domain name.

If you are not willing to share this, then how helpful others can be to you is limited.

Troubleshooting is a skillset and having to troubleshoot through others can be a pain.

Hence one of the key questions that is always asked: what is your domain name?

Andrei


To Clarify a bit more

@Osiris is asking a valid question

A question if you took time to answer would have produced valuable feedback

There are two reasons that you may be serving up a cisco certificate

A) You did not restart NGINX and it is still using an old certificate
B) Your provider is using SSL termination between your server and the edge
C) If B is correct then that could explain why you are seeing a cisco certificate

To confirm this -

Login to your server, open a browser and browse to https://localhost

View the certificate information in firefox and if your certificate is issued by LetsEncrypt then you know it’s not a server configuration and then it’s something upstream

You can then ask Hetzner if they are doing any SSL termination and to exclude your site as you have your own SSL certificate

If you provide good information you will get very useful answers

Lots of clever people on this forum that want to see you succeed but you need to do your part :smiley:

Andrei

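Since the original poster only has a terminal on the box, here is the check Andrei describes (look at the issuer on https://localhost, then compare with the public path) done with openssl instead of a browser. This is an added example, not from the thread; the hostname and the expected issuer substring are assumptions to adjust.

```sh
#!/bin/sh
# Added example, not from the thread: terminal version of the "browse to
# https://localhost and look at the issuer" check, for a box reached only
# over SSH. HOST and EXPECTED_ISSUER are assumptions; adjust them.
HOST="forum.mydomain.net"         # name nginx serves (SNI) - assumed
EXPECTED_ISSUER="Let's Encrypt"   # substring the real issuer contains

# Print subject, issuer and validity of the leaf certificate offered at
# $1:$2 when asking for $HOST via SNI. Empty output means no TLS answer.
cert_info() {
    openssl s_client -connect "$1:$2" -servername "$HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates 2>/dev/null
}

# Classify cert_info output: "expected" when the issuer matches,
# "intercepted" for any other issuer (e.g. an Umbrella SubCA), "none" if
# no certificate was obtained. Pure text processing, so it runs offline.
classify() {
    [ -n "$1" ] || { echo "none"; return; }
    issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
    case "$issuer" in
        *"$EXPECTED_ISSUER"*) echo "expected" ;;
        *)                    echo "intercepted" ;;
    esac
}

# Compare the certificate nginx hands out on loopback with the one seen
# on the public path; a mismatch places the interception upstream.
compare_paths() {
    local_info=$(cert_info 127.0.0.1 443)
    remote_info=$(cert_info "$HOST" 443)
    echo "loopback: $(classify "$local_info")"
    printf '%s\n' "$local_info" | sed 's/^/    /'
    echo "public:   $(classify "$remote_info")"
    printf '%s\n' "$remote_info" | sed 's/^/    /'
    if [ "$(classify "$local_info")" = "expected" ] \
       && [ "$(classify "$remote_info")" = "intercepted" ]; then
        echo "nginx serves the right certificate; something between you and"
        echo "the server (resolver/proxy such as Umbrella) replaced it."
    fi
}

# Run the comparison only when invoked with --run, so the functions can
# also be sourced and used individually.
if [ "${1:-}" = "--run" ]; then
    compare_paths
fi
```

Run it on the server itself with `sh check_cert.sh --run`; if the public path is filtered for the server too, run the same script from the client machine that shows the Cisco certificate.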

I very much appreciate everyone’s help here and when I said I’m going insane it was in no way meant as a criticism of the assistance y’all are providing. What has mainly been driving me nuts is a combination of cached 301 redirects, HSTS, and my insufficient understanding of these which has somehow led to a situation where my browser is not only not requesting the URLs I’m telling it but also showing me certificates on my server that are not there. I have never experienced anything like it in 25 years of internet usage. So that’s why I’m particularly happy to be able to get help here.

The simple reason I never provide the real domain name in public forums is that I don’t want it to be indexed by search engines. I will send you the domain via PM. (Although I’m not sure the issue can currently be reproduced since I think I managed to fix it - though I would still like to understand exactly where this Cisco cert came from and what I did wrong to get me there)

There is also a more principled reason why I think it is often better if people report their issues using generic domain names: it forces more detailed documentation in the actual post, making it easier for other readers to follow the discussion, especially weeks or years later when the indexed domain is either working fine or gone.

I believe I answered those questions/asked for a specification of one of them.

I restarted NGINX more often than I can count.

[quote="ahaw021, post:8, topic:31319"]
B) Your provider is using SSL termination between your server and the edge C) If B is correct then that could explain why you are seeing a cisco certificate

To confirm this -

Login to your server, open a browser and browse to https://localhost

View the certificate information in firefox and if your certificate is issued by LetsEncrypt then you know it's not a server configuration and then it's something upstream
[/quote]

I currently only have access to my server via the terminal (putty) but I assume I can do this test also with lynx. Will try tomorrow.

Interesting! But I have no clue how exactly Umbrella works, who employs it and what it's supposed to do. When you say

do you mean my organization's LAN, my ISP or the network of the VPS hoster? And why would any of these use a software that produces such a nonsense? Or is Umbrella simply not working so well?

Are you saying that I did nothing wrong and someone else is responsible for Umbrella misbehaving?

hi @tophee

thanks for sharing domain via private message

Your site appears to be working fine

Not sure if something has changed or maybe there is something funny going on with the machine you are testing from.

Andrei


It also has a fairly solid SSL configuration

https://www.ssllabs.com

Andrei

Yes, and I even got an A+ earlier before I set HSTS to 0 days in order to get rid of confusions related to that. Will turn it back on as soon as I know that things are running smoothly.

Did you also check the forum subdomain? It was that one that I was struggling with the most...

It would most likely be your organization's LAN. It's unlikely to be at the ISP level. Umbrella is working as intended with the certificate you're seeing. For some reason, it has decided that the traffic to your site is suspicious and needs to be looked at in detail, and that's done by intercepting the traffic with a custom root.

Pretty much, though it's not so much misbehaving and more like whoever is responsible for Umbrella in your organization forgot to ask you to install their root certificate.


Hi @tophee

yes your forum subdomain works as well

You have set up the SAN certificate correctly

Andrei


You can get these kinds of DNS interceptions for your domains (with Cisco Umbrella certs) not only if you are using Cisco Umbrella, but also with the free consumer version of their recursive DNS service better known as OpenDNS.

https://umbrella.cisco.com/products/features/opendns-cisco-umbrella

You might want to look into why OpenDNS/Umbrella are flagging your domain (there are many possible reasons). You can whitelist it for your own networks, but others using OpenDNS/Umbrella may have difficulty reaching your domain.

It’s possible that your website is legitimately covered by some OpenDNS/Umbrella category (e.g. adult content) and in that case adding a local whitelist is all you can do, but if they are categorizing your domain as something that it is not, you should contact them and try to get that removed.

You can also eliminate these DNS redirects for your own networks by switching to another public DNS resolver service.

