Not working in Russia?


#1

Hello guys,

New here, but I’ve used Let’s Encrypt for a while.

I have a Digital Ocean droplet with Debian 9 / Nginx, and I used certbot to create an SSL certificate for one of my websites.

The certificate is working fine on my side and on every device. It’s doing fine on SSLlabs too. But a friend of mine tells me that it’s not working for him. He lives in Russia. He ran some tests and they gave these results:

  • Safari / Chrome, home connection, no VPN: not working
  • Chrome, home connection, no VPN, private mode: not working
  • Chrome, 4G connection, no VPN: not working
  • Safari / Chrome, home connection, using a VPN with a Russian proxy: not working
  • Safari / Chrome, using a VPN with a German proxy: working fine
  • Safari / Chrome, using a VPN with a French proxy: working fine
  • Safari / Chrome, 4G connection, using a VPN with a Russian proxy: not working
  • Safari / Chrome, 4G connection, using a VPN with a French proxy: working fine

I couldn’t retrieve the full info for the “not working” situation. Depending on the browser, it’s just saying that the website is not safe, with the red lock and all. My friend can see the other websites where I’ve used certbot just fine.

:confused:

Thanks for the help!


#2

If your traffic is being intercepted, you can find more information about who is responsible by checking what certificate is being offered:

openssl s_client -connect helloworld.letsencrypt.org:443 -servername helloworld.letsencrypt.org -showcerts 2>&1 | openssl x509 -noout -subject -issuer -serial

Replace helloworld.letsencrypt.org (twice) with your domain.


#3

Thanks for the answer. So, I get that:

Using my VPN:
subject= /CN=s***.t***
issuer= /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
serial=03C33C4A8586F58DC0F6CAA141C89C20507D

not using any VPN:
subject= /CN=fake/O=My Company Name LTD./C=US
issuer= /CN=fake/O=My Company Name LTD./C=US
serial=8C21761F14CA02AB
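
The two outputs in post #3 can be read mechanically. The following is an added example, not part of the original thread: it parses the `-subject -issuer -serial` output and flags the two signs visible in the no-VPN result, a subject equal to the issuer and a CN that does not cover the requested host. The host `site.example`, the second sample and its serial are constructed placeholders, and comparing only the CN is an assumption made because this output does not include subjectAltName.

```python
import re

def parse_name(dn):
    """Parse an OpenSSL one-line DN, old '/CN=a/O=b' or new 'CN = a, O = b' style."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = dn.split("/")[1:]
    else:
        parts = re.split(r",\s*(?=[A-Za-z0-9.]+\s*=)", dn)
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def parse_output(text):
    """Collect the subject=, issuer= and serial= lines printed by openssl x509."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("subject", "issuer", "serial"):
            fields[key.strip()] = value.strip()
    return fields

def cn_matches(cn, host):
    """Exact match, or one leftmost wildcard label such as '*.site.example'."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def assess(text, host):
    """Return findings; an empty list only means these fields look as expected."""
    f = parse_output(text)
    subject, issuer = parse_name(f.get("subject", "")), parse_name(f.get("issuer", ""))
    if not subject or not issuer:
        return ["no certificate parsed"]
    findings = []
    if subject == issuer:
        findings.append("self-signed: subject equals issuer")
    if not cn_matches(subject.get("CN", ""), host):
        findings.append("subject CN %r does not cover %s" % (subject.get("CN"), host))
    return findings

# No-VPN output from post #3, copied as posted.
INTERCEPTED = "subject= /CN=fake/O=My Company Name LTD./C=US\nissuer= /CN=fake/O=My Company Name LTD./C=US\nserial=8C21761F14CA02AB"
# Constructed sample in the newer OpenSSL name format; host and serial are placeholders.
EXPECTED = "subject=CN = site.example\nissuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\nserial=0123456789ABCDEF"
```

An empty result does not prove the chain is valid; full validation still needs the chain check that browsers perform.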


#4

Looks bad, a man in the middle.

It may be a virus, the company that owns the PC, an antivirus or someone else.

Read this thread:


#5

:dizzy_face:

The PC is quite new. And he has the same problem on his cellphone, using a 4G connection. So I guess it’s the Russian government that is blocking. I have no idea why yet since the website is not even launched.


#6

It’s not a direct blocking. The man in the middle can’t insert a new root certificate (this is good), so the chain error is visible.


#7

Yes.

What would be the purpose of doing that?

There are two strange facts:

  • the problem happens only on this website. I have other websites with the exact same configuration and they’re working fine;
  • the website is working fine in Chrome’s private mode.

#8

Sure? Did he check the certificate chain?

Perhaps there is an old fake root certificate -> no error, man in the middle works perfectly :frowning:


#9

Yes, he is using other websites that have certbot certificates as well.

He sent me this:


#10

The site IP belongs to one of the Digital Ocean, Inc subnets which are blocked by RKN, so the problem occurs when the ISP redirects the blocked IP to some block-info page, and of course the certificate for this site in that case is not valid for this domain.


#11

I’ve checked and it’s true… DigitalOcean is banned in Russia…

