NGINX digital ocean some browsers aren't happy

santeko · October 22, 2018, 9:48pm

Everything is working on most browsers and platforms, but some folks are getting cert invalid messages. Here’s all my info. Please let me know what else I can provide and thanks in advance!!

My domain is: amphumanperformance.com and www.amphumanperformance.com

I ran this command:
sudo certbot --nginx -d amphumanperformance.com -d www.amphumanperformance.com
from: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

It produced this output:
I ran the command a while ago, but it modified this file to:

$ cat /etc/nginx/sites-available/amphumanperformance.com

server {
	server_name www.amphumanperformance.com;
	return 301 $https://amphumanperformance.com$request_uri;    # redirect all www traffic to bare.


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/amphumanperformance.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/amphumanperformance.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {

	server_name amphumanperformance.com;

	location / {
		proxy_pass http://localhost:4000;       # site is served by angular SSR server on 4000
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection 'upgrade';
		proxy_set_header Host $host;
		proxy_cache_bypass $http_upgrade;
	}


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/amphumanperformance.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/amphumanperformance.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {
    if ($host = www.amphumanperformance.com) {
        return 301 https://amphumanperformance.com$request_uri;
    } # managed by Certbot


	server_name www.amphumanperformance.com;
    listen 80;
    return 404; # managed by Certbot


}

server {
    if ($host = amphumanperformance.com) {
        return 301 https://amphumanperformance.com$request_uri;
    } # managed by Certbot



	server_name amphumanperformance.com;
    listen 80;
    return 404; # managed by Certbot


}

My web server is (include version):

$ nginx -v
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.1 LTS
Release:	18.04
Codename:	bionic

My hosting provider, if applicable, is:
Digital ocean.
I have A records for both www.amphumanperformance.com and amphumanperformance.com pointing to my droplet IP address
I have a screenshot but I'm not allowed to put more than image in

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
nope

The problem I’m seeing:
On most machines everything looks fine.
My cert comes up, Valid, Organization = Let’s Encrypt.
I have a screenshot but I'm not allowed to put more than image in

But some folks see this:
my one and only allowed screenshot:

Why do some people see the cert coming from Fortinet and not Let’s Encrypt as I see it on my machine? Any suggestions would be greatly appreciated!

JuergenAuer · October 22, 2018, 10:02pm

Hi @santeko

checking your two domains I don't see an error. There is no ipv6 address, only ipv4. Sometimes it happens that a domain has ipv4- and ipv6 addresses, but the ipv6 hasn't the correct certificate (wrong configuration). Some people use ipv6 -> wrong certificate. But this isn't a problem.

What happens if the user creates an exception? So he can see the content. Is the content correct or old?

Did you change your server / dns-provider?

Is Fortinet your provider?

PS: More images -> add replies.

santeko · October 22, 2018, 10:08pm

Hey @JuergenAuer, thanks for the prompt reply!

I only have ipv4 enabled in digital ocean

Should I enable v6? floating?

I’ll ask them to create an exception and see what they see. I also cannot reproduce the error but the team that does SEO for us is seeing some issues.

Thanks for the tip on adding more images, I’ll add those now with comments.

[EDIT] I’m not sure if Fortinet is my provider? I just used the certbot commands that the digital ocean guide provided. I find it weird that on my machine, the cert says its Organization is “Lets Encrypt” while on the machine that has the error, it says the organization is “Fortinet”

santeko · October 22, 2018, 10:09pm

Here’s what I see on my machine (correct certifications looking good)

santeko · October 22, 2018, 10:12pm

Here’s another shot of the error that some are finding:

JuergenAuer · October 22, 2018, 10:18pm

No. That was an explantation that an incorrect ipv6 is not your problem. Missing ipv6 -> no problem.

--

Fortinet (I've searched) - company with firewalls etc.

So it looks that there is a Fortinet Firewall which creates an own certificate -> not trusted.

Ask these users if they have a Fortinet Firewall. Perhaps something with a "deep inspection".

rg305 · October 22, 2018, 11:38pm

Do you use a Fortinet appliance?
It seems to be doing some HTTPS inspection.
I presume for inbound, or outbound, traffic that it should not be doing - or is improperly configured to do so.

Are all users having this problem?

santeko · October 22, 2018, 11:52pm

I’m not personally using it but the people reporting the issues might be. Waiting to hear back from them.

rg305 · October 22, 2018, 11:57pm

A zoomed in detail of your first image posted:

santeko · October 23, 2018, 12:11am

Yea, totally, I have no idea why that’s getting used. On every machine I test I get the cert as coming from Organization = “Let’s Encrypt”. I can’t replicate it and so I can’t fix it

rg305 · October 23, 2018, 12:18am

Exactly. The user complaining need to pay a visit to their IT department.
They are inspecting their own users’ outbound TLS connections; but haven’t done it correctly.

santeko · October 23, 2018, 4:48pm

Are there any steps I can take to help reduce this? Any thoughts on why this cert is being caught by their firewall and not other certs? I’m getting asked to move over to a paid SSL provider as they think this will help.

JuergenAuer · October 23, 2018, 4:57pm

This is irrelevant.

The problem is, that the firewall want's to hack the connection to check it. So the firewall creates an own certificate, connects your site, decrypts the content, checks it, encrypts the content again (with the own certificate) and sends it to the client.

So the client sees the wrong certificate.

My personal opinion: I am using HSTS = Http Strict Transport Security with a long duration and my main domains are in the Google preload list.

https://hstspreload.org/

So the browser knows: Only https is allowed, no exception.

rg305 · October 23, 2018, 9:21pm

NO. This is completely out of your control.
Their own IT department is causing this problem to them(selves).

santeko · October 23, 2018, 9:35pm

@JuergenAuer thanks for the suggestion, I’ve added HSTS and submitted the domain to Google’s preload list.

@rg305 I 100% agree and would like to just wash my hands and leave it but they’re saying that other pages show up just fine though so they’re insisting it’s on me. Sounds like adding HSTS is helping in most cases.

Thanks for the continued support!

system · November 22, 2018, 9:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.