Problem with WIND 3g connection and Let's Encrypt certificate

Good morning everyone
I have a site with a Let's Encrypt certificate that works regularly if it is surfed on WIFI or a non-WIND cellular network.
If I use the WIND H3G data network, it is reported that it is not secure and that it does not support https. This is proven with several phones and all with the same behavior.
Is it a problem with the certificate? Hosting?
Thanks to those who will be able to give me a hand
Alessandro

My domain is: teatrosanteodoro.it

Please tell us what certificate is served when you visit the website from the Wind3 network, i.e. find a Linux machine or use WSL or install termux from f-droid.org to run this command:

openssl s_client -connect teatrosanteodoro.it:443

And tell us the output.

Or, more simply, tell us what the browser is saying the error is.

I was going straight to powerful tools with no reason.

This is the response. Thank you

openssl s_client -connect teatrosanteodoro.it:443
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = IT, ST = Milano, L = Rho, O = Wind Tre S.p.A., CN = sicurezza.windtre.it
verify return:1
---
Certificate chain
 0 s:C = IT, ST = Milano, L = Rho, O = Wind Tre S.p.A., CN = sicurezza.windtre.it
   i:C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 12 09:46:35 2022 GMT; NotAfter: Jan 10 09:46:35 2023 GMT
 1 s:C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 5 19:13:56 2015 GMT; NotAfter: Dec 5 19:43:56 2030 GMT
 2 s:C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
   i:C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 7 17:25:54 2009 GMT; NotAfter: Dec 7 17:55:54 2030 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = IT, ST = Milano, L = Rho, O = Wind Tre S.p.A., CN = sicurezza.windtre.it
issuer=C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4659 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: D208D422264D4807BAD09C568C95F1850DC4AE39CCE6EB1D04EA53595E25409F
    Session-ID-ctx:
    Master-Key: D84AFA76890EF374750065957B45F19F6DD7A29E5D3FFC16DC4565C012277AC50DF0A6565610A62C815E4A6573F37AF8
    PSK identity: None
    PSK identity hint: None
    Start Time: 1646230910
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

You need to add -servername teatrosanteodoro.it otherwise you get the default server.

A nice online tool to view certs instead of openssl is:

It's what I suspected, Wind3 is intercepting your website and filtering it.

You see a TLS error because they don't have a valid certificate for your website. You should ask them why they're blocking your website.

Also, do you recognize the accountservergroup.com domain name?

The default behavior of openssl adds it automatically since version 1.1.1.

-servername name

Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value. If -servername is not provided, the TLS SNI extension will be populated with the name given to -connect if it follows a DNS name format. If -connect is not provided either, the SNI is set to "localhost". This is the default since OpenSSL 1.1.1.

Even though SNI should normally be a DNS name and not an IP address, if -servername is provided then that name will be sent, regardless of whether it is a DNS name or not.

This option cannot be used in conjunction with -noservername .

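Both points made above, that a missing -servername just gets you the server's default virtual host, and that a middlebox answering with a certificate for a different name is what the phones are tripping over, can be checked from a shell. The script below is an added example, not code from this thread or from OpenSSL: it reads the subject line of s_client output, compares the CN with the host that was requested, and in the live probe does so once with SNI and once without. The embedded SAMPLE_FROM_THREAD is the subject/issuer pair posted earlier in this thread, trimmed to the lines the script parses; the function names, the MATCH/MISMATCH/NOLEAF labels and the file name check_leaf.sh are this example's own. -noservername needs OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, not OpenSSL's own code): tell whether the
# leaf certificate a network hands back for a site really names that site.
# SAMPLE_FROM_THREAD is the subject/issuer pair posted in this thread (Wind
# Tre's sicurezza.windtre.it leaf, served for teatrosanteodoro.it), trimmed to
# the lines this script reads; everything else here is assumed/illustrative.
set -u

SAMPLE_FROM_THREAD='subject=C = IT, ST = Milano, L = Rho, O = Wind Tre S.p.A., CN = sicurezza.windtre.it
issuer=C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
Verify return code: 0 (ok)'

# stdin: full s_client output. stdout: "<subject DN>|<issuer DN>", taken from
# the subject=/issuer= lines s_client prints right after the PEM block.
leaf_identity() {
  awk '/^subject=/ { s = substr($0, 9) }
       /^issuer=/  { i = substr($0, 8) }
       END         { print s "|" i }'
}

# Pull the CN attribute out of an OpenSSL-formatted DN ("C = IT, ..., CN = x").
cn_of() {
  sed -n 's/.*CN = \([^,]*\).*/\1/p'
}

# Compare the name in the certificate with the host we asked for: exact match,
# or a single leftmost wildcard label (*.example.it), which is all browsers
# accept. Prints MATCH or MISMATCH.
name_matches() {   # name_matches EXPECTED_HOST CERT_NAME
  local host=$1 name=$2
  case $name in
    "$host") echo MATCH ;;
    \*.*)
      # a wildcard covers exactly one label: www.example.it, not example.it
      if [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${name#\*.}" ]; then
        echo MATCH
      else
        echo MISMATCH
      fi ;;
    *) echo MISMATCH ;;
  esac
}

# Classify one s_client transcript (stdin) for EXPECTED_HOST:
# "MATCH <cn>", "MISMATCH <cn>", or NOLEAF when no certificate was parsed.
classify() {   # classify EXPECTED_HOST < s_client_output
  local host=$1 ident subj cn
  ident=$(leaf_identity)
  subj=${ident%%|*}
  cn=$(printf '%s\n' "$subj" | cn_of)
  if [ -z "$cn" ]; then
    echo NOLEAF
    return 0
  fi
  printf '%s %s\n' "$(name_matches "$host" "$cn")" "$cn"
}

# Live probe (needs network). Asking with and without SNI separates two cases
# that look alike in a browser: MISMATCH only *without* SNI is the server's
# default virtual host (harmless, the -servername point above); MISMATCH *with*
# SNI means whatever answered has no certificate for the site, which is the
# intercepting-middlebox case diagnosed in this thread.
probe() {   # probe HOST [PORT]
  local host=$1 port=${2:-443}
  printf 'with SNI:    %s\n' \
    "$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | classify "$host")"
  printf 'without SNI: %s\n' \
    "$(openssl s_client -connect "$host:$port" -noservername </dev/null 2>/dev/null | classify "$host")"
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_FROM_THREAD" | classify teatrosanteodoro.it   # prints: MISMATCH sicurezza.windtre.it
elif [ -n "${1:-}" ]; then
  probe "$1" "${2:-443}"
fi
```

bash check_leaf.sh --demo runs it against the embedded transcript; bash check_leaf.sh teatrosanteodoro.it runs the live probe from whichever network you are testing. Browsers actually check subjectAltName rather than CN; to see the SAN list of a live connection, pipe the PEM from s_client into openssl x509 -noout -subject -ext subjectAltName.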
accountservergroup.com is connected with the hosting provider site5.com.
And how could I explain this problem to Wind3 customer care??? I'll try

SSL checker says:

The certificate is installed correctly.

Information about the certificate

DV

This server uses a Domain Validated (DV) certificate. No information about the site owner has been validated. Data is protected, but exchanging personal or financial information is not recommended.

Common name: teatrosanteodoro.it
SAN: teatrosanteodoro.it, www.teatrosanteodoro.it

Valid from: 2021-12-30 08:56:07
Valid to: 2022-03-30 08:56:06

Certificate status: Valid
Revocation check method: OCSP

Ah, I did not see the version of openssl that they were using.

Anyway, thanks a lot to both of you!!!

"State bloccando il mio sito, mi dite perché?" ("You are blocking my site, can you tell me why?")

1.1.1 is not that new. :smiley:

You would be surprised how often we see older versions.

Yeah, 2018 is not old either.

And they will try to sell me a new connection service with 10Gb Data!!

Many (all?) Fedora, CentOS, and RHEL distros have 1.0.x and back-port security fixes but leave the features otherwise as is. My current AWS EC2 instance is RHEL, for example, and is at 1.0.2k. (A version 1.1.1 is available on the side but is used with openssl11.)

Yes, they will try.

Why are you hosting your website in the US? Each http request will have to go through an undersea cable from your users in Italy.

Fedora shouldn't, it's released every 6 months. I'm kinda debian/ubuntu-centric.

I stand corrected :slight_smile: (I was guessing, since it is upstream and we don't see Fedora as much as CentOS and RHEL). This came up a lot last fall when we were dealing with the expiry of DST Root CA X3.

@eddymouse Sorry to sidetrack your main issue which is as 9peppe describes

Yes, I know. And they don't even offer an SSL certificate included in the package.
At the end of this year we will move to Serverplan in Italy...

I sent a PEC to Wind and am crossing my fingers... Thank you for your help...

There are interesting hosting companies in France and Germany too. I often find Italian ones to be too expensive.

Any to suggest?