My certificate sometimes appears attached to 3rd party websites?

My domain is: csb.sh

I ran this command: Opened another website in my browser from within my home network (where the domain is hosted).

It produced this output: The random website (maybe one in 50 page loads) lands on a “Warning” browser page, and my csb.sh cert is shown as the site’s cert.
Initially looks like this:

My web server is (include version): nginx

The operating system my web server runs on is (include version): Has occurred on linux/firefox and android browsers.

My hosting provider, if applicable, is: Home nginx server, domain through namecheap.

I can login to a root shell on my machine (yes or no, or I don’t know): yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

# certbot --version
certbot 0.38.0

And after waiting a minute and refreshing, the page loads and the cert shows:


It just happened with aol.com

The browser’s warning page:


And if I click “view certificate” it shows:

I refreshed the warning page a few times and eventually made it to the actual AOL homepage.


It “looks” like something local to your system or network is proxying your web requests…
[SSL inspection?]
Check your proxy settings, your anti-virus, from other systems in that network.


Thanks @rg305.

I’ve been trying to look through my little home website setup, but haven’t found the issue yet.

If anyone knows of a tool or test I can use instead of randomly loading webpages until one fails I’d appreciate it.


Hi @ctag

do you have some wrong entries in your hosts file?

So aol etc. are using your local ip address?


Are you getting those messages only from within your network?
Are you getting them on more than one device/system?


@JuergenAuer I don’t have any hosts file changes, but I am using my home router as my DNS server so that it can resolve hostnames to local IP addresses.

@rg305 I am only having this issue on my local network. It’s happening across all of the computers (my housemate’s as well, which I haven’t configured/touched at all).

Thank you both!


???

Hostnames to local ip addresses? Are you sure that dns service isn't buggy / the problem?


Which DNS servers are you using?
Test DNS requests against them.
Like:
dig A aol.com
then
dig A aol.com @8.8.8.8
dig A aol.com @1.1.1.1

[or replace dig with nslookup for Windows systems]
nslookup aol.com
nslookup aol.com 8.8.8.8
nslookup aol.com 1.1.1.1


That wouldn't surprise me at all, but I want to know that it is the issue and correct it somehow.

@rg305 I'm using 209.222.18.222, 208.222.18.218, and 8.8.8.8 as DNS servers on my router.

I found another webpage that didn't load: npr.gov, and then ran dig on it.

[berocs@bns-kharselim ~]$ dig A npr.gov

; <<>> DiG 9.14.9 <<>> A npr.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25296
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;npr.gov.			IN	A

;; Query time: 22 msec
;; SERVER: 192.168.13.1#53(192.168.13.1)
;; WHEN: Mon Jan 20 10:51:19 CST 2020
;; MSG SIZE  rcvd: 36

[berocs@bns-kharselim ~]$ dig A npr.gov @8.8.8.8

; <<>> DiG 9.14.9 <<>> A npr.gov @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54160
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;npr.gov.			IN	A

;; AUTHORITY SECTION:
gov.			1799	IN	SOA	a.gov-servers.net. nstld.verisign-grs.com. 1579518602 3600 900 1814400 86400

;; Query time: 61 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 20 10:51:29 CST 2020
;; MSG SIZE  rcvd: 111

So it looks like my home router isn't returning anything? That doesn't make any sense to me.


It's starting to make sense to me.

You need to update the DHCP server to hand out only functional DNS IPs.

Your statement:

Implies you would need to use your router as a DNS server to get to those IPs.
Routers are routers.
Use DNS servers for DNS.
Bypass the router (for DNS) and use those same IPs in your DNS clients.


Thanks rg305. Originally I had the router set up to just resolve local DNS, but systemd rotates through DNS servers, so half the time local hostnames would resolve and half the time they wouldn’t. Then I switched to using dnsmasq on the router to manage local and remote lookups.

I’m not sure if that’s the right way to do things though.


DNS has gotten more complicated in recent years.
Today, if you have 3 DNS servers, your client will send out 3 DNS requests.
Whichever answers first is taken as gospel (regardless of however it may conflict with any other reply).
So the sense of primary/secondary/etc. DNS has gone out the window.
All DNS systems would need to answer ALL DNS requests.
If you need local DNS resolution, you won’t be able to find that consistently when Internet DNS IPs are included.
So you will need to run an internal DNS system that can provide local and Internet DNS resolution.
[and just use that single IP for DNS - if you need redundancy, you will need to add another similar one]


Thanks rg305, it looks like I have some more learning to do. I started to take down my dnsmasq service, to replace with hosts entries, and then remembered that one of the reasons for trying to do this split-dns in the first place is so that a URL to my RSS reader in an app on my phone will resolve both inside and outside of my home network. Android won’t let me pick a DNS server, so my only option appears to be making the LAN dns server handle these local names.

I think I did find a clue to what’s going wrong with dnsmasq though:

Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: query[A] npr.gov from 192.168.13.130
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: cached npr.gov is NXDOMAIN
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: query[A] npr.gov.csb.sh from 192.168.13.130
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: config npr.gov.csb.sh is 192.168.13.13
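The two diagnostic steps in this thread, rg305's "test DNS requests against each server" suggestion and the dnsmasq log above (where an NXDOMAIN for npr.gov is followed by a lookup of npr.gov.csb.sh that the router's config answers with 192.168.13.13), can be wrapped in one script. This is an added example, not code from the thread or from any of its participants. It assumes the LAN resolver 192.168.13.1, the LAN web host 192.168.13.13 and the search domain csb.sh, all taken from the outputs posted here; the name list and the SAMPLE_* dig transcripts are constructed. The dnsmasq config line that answers `npr.gov.csb.sh` is not shown in the thread, so the script does not guess at it; it only measures the effect.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: a small harness around dig that
#  (1) asks the LAN resolver and a public resolver about the same Internet
#      names and flags disagreement, and
#  (2) checks whether a name that does not exist gets search-domain expanded
#      into the LAN zone, the npr.gov -> npr.gov.csb.sh pattern in the
#      dnsmasq log above.
# Assumed values (taken from outputs posted in the thread, overridable via
# the environment): LAN resolver 192.168.13.1, LAN web host 192.168.13.13,
# search domain csb.sh.  NAMES and the SAMPLE_* transcripts are constructed.

LAN_DNS="${LAN_DNS:-192.168.13.1}"
PUBLIC_DNS="${PUBLIC_DNS:-8.8.8.8}"
LOCAL_WEB_IP="${LOCAL_WEB_IP:-192.168.13.13}"
SEARCH_DOMAIN="${SEARCH_DOMAIN:-csb.sh}"
NAMES="${NAMES:-aol.com npr.org example.com}"

# summarize: read one dig transcript on stdin and print "STATUS ip,ip,...".
# Addresses are sorted so two resolvers' answers compare as plain strings;
# "-" stands for no A records.  If dig printed no header (timeout), the
# status is NOREPLY.  When +search retries a name, the last status wins.
summarize() {
  awk '
    /status:/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s; next }
    $1 !~ /^;/ && $4 == "A" { ips[n++] = $5 }
    END {
      if (status == "") status = "NOREPLY"
      if (n == 0) { print status " -"; exit }
      for (i = 1; i < n; i++) {            # insertion sort, keeps output stable
        v = ips[i]; j = i - 1
        while (j >= 0 && ips[j] > v) { ips[j+1] = ips[j]; j-- }
        ips[j+1] = v
      }
      line = ips[0]; for (i = 1; i < n; i++) line = line "," ips[i]
      print status " " line
    }'
}

# verdict LAN_SUMMARY PUBLIC_SUMMARY: classify what the LAN resolver did.
#   HIJACKED_TO_LAN      public name answered with the LAN web host's address
#   STATUS_MISMATCH      e.g. NXDOMAIN from the router, NOERROR from 8.8.8.8
#   DIFFERENT_ADDRESSES  both answered, address sets differ (CDNs do this; weak signal)
#   SAME                 identical answers
verdict() {
  local lan="$1" pub="$2"
  case ",${lan#* }," in *",$LOCAL_WEB_IP,"*) echo HIJACKED_TO_LAN; return;; esac
  if [ "${lan%% *}" != "${pub%% *}" ]; then echo STATUS_MISMATCH; return; fi
  [ "$lan" = "$pub" ] && echo SAME || echo DIFFERENT_ADDRESSES
}

# check_names: the "tool instead of randomly loading web pages" request.
check_names() {
  local n lan pub
  for n in $NAMES; do
    lan=$(dig +time=2 +tries=1 A "$n" "@$LAN_DNS" | summarize)
    pub=$(dig +time=2 +tries=1 A "$n" "@$PUBLIC_DNS" | summarize)
    printf '%-16s lan=[%s] public=[%s] -> %s\n' "$n" "$lan" "$pub" "$(verdict "$lan" "$pub")"
  done
}

# search_check NAME: dig +domain=X turns on search-list processing with X as
# the only search domain, so a bare name that gets NXDOMAIN is retried as
# NAME.X, which is what the stub resolver on a LAN client does.  A NOERROR
# answer of the LAN web host here means any typo or dead domain lands on the
# nginx box, which then presents csb.sh's certificate.
search_check() {
  dig +time=2 +tries=1 +domain="$SEARCH_DOMAIN" A "$1" "@$LAN_DNS" | summarize
}

# Constructed transcripts, modelled on the dig output posted in the thread.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25296
;; QUESTION SECTION:
;npr.gov.			IN	A'
SAMPLE_LOCAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
npr.gov.csb.sh.		0	IN	A	192.168.13.13'

# Usage: ./dnscheck.sh run   (live queries; sourcing the file only defines the functions)
if [ "${1:-}" = "run" ]; then
  check_names
  printf 'search expansion of a bogus name: %s\n' "$(search_check does-not-exist.example)"
fi
```

HIJACKED_TO_LAN and STATUS_MISMATCH are the signals worth acting on; DIFFERENT_ADDRESSES on CDN-hosted names such as aol.com is normal, because each resolver gets its own geographically chosen set. If `search_check` reports the LAN web host for a name that does not exist, the router is answering the whole search domain rather than the individual LAN hosts, and that, combined with the client's search-list retry, is enough to send a mistyped or non-existent site to the nginx box and its csb.sh certificate.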

OK, so I looked up NXDOMAIN means the name cannot be resolved… Turns out npr.gov doesn’t exist, it’s npr.org, which resolves just fine. Whoops.


A friend talked the networking situation over with me and recommended I stop trying to use split-dns and instead do “nat hairpinning” to allow loopback to the external IP from within the network. To that end I disabled dnsmasq in dd-wrt and turned off “Filter WAN NAT Redirection.” So far so good, though this does mean I’ve given up on resolving local hostnames within the network. Instead I’m just going to set the IPs of the ones I care about in my SSH config.


How is this any different/better than using DNS.Google?

If you can provide real world DNS with IP entries for your "local hosts", you can use Internet DNS and hairpin, or NOT hairpin, to them.
That is, if say "a.local.share" can be accessed via "localshare.real.name" (which resolves to local IP) you don't need hairpinning.
If say "a.local.share" must be accessed via "localshare.real.name" (which resolves to a real Internet IP) you will need hairpinning.
[In either case you don't need a DNS for "local hosts"]


Sorry, I’m not doing very well explaining this.

What I mean is that with this new setup I don’t have private IPs resolved to their hostnames anymore, inside the LAN. I was using the dnsmasq to turn ssh mycomp.csb.sh into the correct local IP. So, separate from public/real DNS.
