I'm getting this "not secure" issue when visitors visit my site from NHS (National Health Service) organisations, but it's proving very hard to debug or replicate. Anyone able to help?
Welcome to the Let's Encrypt Community!
That's not the certificate I'm seeing.
Let me do some more digging...
Leaving aside the utter and complete lack of any apparent connection between this question and Let's Encrypt, "Gateway CA" sounds an awful lot like a MITM proxy. The eight-day cert lifetime raises eyebrows as well. I didn't know Cloudflare did this, but...
Maybe something to do with the different IP addresses returned by the dns3 and dns4 vercel DNS servers?
Your domain CNAMEs to 8af2c797ce4cb1af.vercel-dns-017.com
See: www.usecitizen.co.uk | DNSViz
I can reproduce that from my own test server. Note that I am not an expert with these systems, but it does seem odd that ns3 and ns4 behave differently than ns1 and ns2.
dig +noall +answer A 8af2c797ce4cb1af.vercel-dns-017.com @ns3.vercel-dns-017.com
8af2c797ce4cb1af.vercel-dns-017.com. 300 IN A 216.198.79.65
8af2c797ce4cb1af.vercel-dns-017.com. 300 IN A 64.29.17.65
dig +noall +answer A 8af2c797ce4cb1af.vercel-dns-017.com @ns3.vercel-dns-017.com
8af2c797ce4cb1af.vercel-dns-017.com. 300 IN A 216.198.79.1
8af2c797ce4cb1af.vercel-dns-017.com. 300 IN A 64.29.17.1
But I agree with @danb35 that this doesn't look related to getting or using Let's Encrypt certs. @gusdudey2k you should probably work with your service providers for an explanation.
Hmm, ok thank you for your responses, a very active community! Vercel directed me here...
That smells like Cloudflare Access ZTNA to me:
You should talk to your IT team who manage your computer, assuming they have configured that for you.
Vercel is sorta correct in that it has nothing to do with them.
But sorta a lot incorrect that it has anything to do with Let's Encrypt
The Cloudflare Gateway certificates shown in the screenshot are used by Cloudflare's WARP service (maybe also other products, only know about WARP) if HTTP traffic filtering is enabled:
A certificate error shouldn't normally appear as the WARP client installs a custom root for this purpose. But if that didn't occur (or didn't work, or was removed) then that error will appear, yes.
Yeah, but the actual site has a Let's Encrypt cert, so I can see how they'd get to "talk to Let's Encrypt" from the problem of "your browser doesn't trust the cert".
@mcpherrinm and @Nummer378 are right.
This is the Secure Web Gateway component of the Cloudflare One product, dedicated to protecting employees' devices. The "Gateway CA" is a root certificate generated uniquely for each customer's deployment.
This "Gateway CA" root certificate should be deployed by organization admins to employees' computers, either through their native operating system mechanism, or the WARP client can be configured to do it.
Try restarting the browser/computer, and if it doesn't help, then contact your admin.
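A way to confirm the diagnosis reached in this thread from an affected machine, as an added example that is not part of any post above: it compares the leaf certificate the machine actually receives with a fingerprint recorded on an unfiltered network, and separately checks whether the local trust store accepts it. The function names and result labels are hypothetical, and it assumes the reference fingerprint was taken at the same time, since a renewed or per-edge certificate also changes the fingerprint.

```python
import hashlib
import socket
import ssl
import sys


def sha256_fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def observe(host: str, port: int = 443, timeout: float = 5.0):
    """Return (leaf_der, trusted) as seen from the machine running this."""
    # Pass 1: no verification, so the leaf is captured even when untrusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as s:
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    # Pass 2: normal verification against the local trust store.
    # Browsers with their own root store may decide differently.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ssl.create_default_context().wrap_socket(s, server_hostname=host):
                trusted = True
    except ssl.SSLCertVerificationError:
        trusted = False
    return der, trusted


def classify(leaf_der: bytes, reference_fp: str, trusted: bool) -> str:
    """Compare the observed leaf with one recorded on an unfiltered network."""
    ref = reference_fp.replace(":", "").lower()
    if sha256_fp(leaf_der) == ref:
        # Same leaf as the origin serves: nothing is re-signing the traffic.
        return "direct" if trusted else "direct-untrusted"
    # Different leaf: a TLS-inspecting gateway is re-signing the connection.
    # "intercepted-untrusted" is the case where its root CA is not installed.
    return "intercepted-trusted" if trusted else "intercepted-untrusted"


if __name__ == "__main__":
    # Usage: script.py <hostname> <reference sha256 fingerprint>
    der, trusted = observe(sys.argv[1])
    print(classify(der, sys.argv[2], trusted))
```

A result of `intercepted-untrusted` matches the situation described above, where the gateway's root certificate was never deployed to, or was removed from, the visitor's device.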
