Using VPN Causes My Website to Serve Wrong Certificate

I am using Comcast internet service and I have a home-based website, robrobinette.com, which uses a LetsEncrypt-issued SSL certificate. The webserver is a Raspberry Pi on my home network, and my Comcast router forwards :80 and :443 to the webserver. When I use my Windows 10 computer from my home network and connect to CactusVPN, it works, but my website begins serving the CactusVPN certificate, so I get a "cert common name invalid" error and traffic drops off the website. When I close CactusVPN, the website error goes away after a couple of minutes. I have tried the OpenVPN and SSTP protocols and both cause the error.

Anyone know how to solve this problem? I can't use my VPN service without killing my website traffic.

Thanks in advance,

Rob Robinette

1 Like

Hi @RobRobinette, welcome to the LE community forum 🙂

That sounds like a setting in the CactusVPN system.
[it might also be doing SSL inspection]

I suspect that all other inbound Internet connections are not being affected while you use CactusVPN on your Win10 PC.

1 Like

Can you paste that CactusVPN certificate for us?

2 Likes

@orangepizza Just connect to the site, you'll see a Sectigo certificate issued to *.cactussstp.com. I'm guessing that's the same Cactus cert OP is seeing.

@RobRobinette You say you have a Comcast router. Is your ISP also Comcast? Because if I resolve your hostname, I'm getting the IP address 5.182.209.58 which is an IP address of "SpectraIP B.V.", a Dutch company as it seems. And that IP may very well be used by CactusVPN as one of their endpoints? Or is your site actually hosted at SpectraIP? Which conflicts with the fact that your webserver is a RPi in your home network.

2 Likes

So maybe the router is using the CactusVPN (not the Win10 PC) ? ? ?
OR
The RPi is using the CactusVPN ? ? ?

1 Like

Yes, the .cactussstp.com is the CactusVPN certificate. My website uses a LetsEncrypt ssl cert.

Yes, the 5.182.209.58 is a Dutch IP that CactusVPN uses. Comcast is my ISP.

1 Like

Why would using a VPN on my main computer affect my pi webserver's ssl certificate?

1 Like

Not really: your webserver on the Raspberry Pi might be configured with a Let's Encrypt certificate and your local webserver might even be configured for the domain name robrobinette.com, but the ACTUAL hostname robrobinette.com does NOT point to your home network, but to an IP address of CactusVPN. And THAT website (i.e.: "YOUR" website as far as the world wide web is concerned) does NOT use a Let's Encrypt certificate.
Do you have some kind of configuration at CactusVPN so that incoming connections for robrobinette.com are somehow routed to your RPi?

On their website I don't see any feature that enables your website to work through their VPN?

2 Likes

That conclusion seems based solely on the cert being shown.
But the IP is indeed a Comcast IP (in Tennessee, if I'm correct):

Name:    robrobinette.com
Address: 68.57.90.214

Name:    c-68-57-90-214.hsd1.tn.comcast.net
Address: 68.57.90.214

The question becomes:
Where is the CactusVPN service being applied?
[And how/why does it interfere with the connection to the RPi?]

1 Like

That's not the IP address I had just a few minutes ago:

osiris@erazer ~ $ dig +trace robrobinette.com

; <<>> DiG 9.16.12 <<>> +trace robrobinette.com
;; global options: +cmd
.			80407	IN	NS	i.root-servers.net.
.			80407	IN	NS	k.root-servers.net.
.			80407	IN	NS	f.root-servers.net.
.			80407	IN	NS	j.root-servers.net.
.			80407	IN	NS	m.root-servers.net.
.			80407	IN	NS	c.root-servers.net.
.			80407	IN	NS	h.root-servers.net.
.			80407	IN	NS	g.root-servers.net.
.			80407	IN	NS	d.root-servers.net.
.			80407	IN	NS	a.root-servers.net.
.			80407	IN	NS	b.root-servers.net.
.			80407	IN	NS	l.root-servers.net.
.			80407	IN	NS	e.root-servers.net.
.			80407	IN	RRSIG	NS 8 0 518400 20210921050000 20210908040000 26838 . CYg7iiwpycwQSWH5qlDiXYVwRN4XFQMSjk52Dth7qvpFcMN/87tJ+iR+ 3KXGLpZs+brsSLLLmr1nHRMGbiY/QqbZpkedCjb4+SGtvCqtG4458YSk UOhYOiJ8zoAosltp09fz59doUrGgEiNUAxgU8HfZHrzpMvPgaHQBktUt UFS76gFRqfXrH2rGbDiicMmFQoqOU4lOksSLQYbfHMHqo1YE7/GLbTqP Ly65xtXKjzkVWubXJT2DWfynLqBykUBglE3Rc0HJ0ksV15D9NfOGGNNr 1v71H+Hn/NMtf5g7l8U3uxkrjm/B3rDufDa+ZlGJUzmHAZVyY4cIU6xn tcEX+Q==
;; Received 525 bytes from 194.109.6.66#53(194.109.6.66) in 14 ms

com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			86400	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.			86400	IN	RRSIG	DS 8 1 86400 20210921050000 20210908040000 26838 . pRWybrp+EUSGasRO5mJMmFThAoHn40FApeb2+efgyHLrGzXnpx3iiVAG r4jUwvaoThrAepUrL8G6Tefqb0gRPw2Xp1xWXY6QVGyKHvU37yKLrb/V U+ZCJn4qSMQEOVCh8yXUodCdmz1puVaj2GfTGHJz2WnAehzTeaSV9d/3 x7lXhzL9atwgqmqZT+pgki3bnV8eGOEHXohdE6NO/fmg2DLDeaR3lpVb TEaU3Nf/3nkXmgepX0GoZxSVMp/NYb4zXgU7spbMuNaqbY7hNKT5QI+w etGbVatqKZrmAdWIv7IZr/HuKpa/YbmUra+OyO1RsCfUUclSl9Ef7BON 43/MAA==
;; Received 1204 bytes from 2001:500:2::c#53(c.root-servers.net) in 25 ms

robrobinette.com.	172800	IN	NS	ns1.afraid.org.
robrobinette.com.	172800	IN	NS	ns2.afraid.org.
robrobinette.com.	172800	IN	NS	ns3.afraid.org.
robrobinette.com.	172800	IN	NS	ns4.afraid.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210912085720 20210905074720 39343 com. BlKfU1A//lMaXugaMSwYQrxujtHXsw/B60ymafbe3CnH4wmt4WYVoah9 amnuxi8yH/KXlb5mnpK0eCh98RGt/tzQpdlK3XfG5adA1O9RXhgnauZR Wrm2kc5gZ0hqsn08wqwjVMtYCFO1dpjrMFrU4dNXUdE8v5ceHGaRrodh /2+LecZ87Qfi8d85kS2OsKzJtUcK87r/m25OWDR61+r9BA==
I8S3RMKD92U72KEF44JJCK2VVQENUI0L.com. 86400 IN NSEC3 1 1 0 - I8S4GA22FTBGUR9GG6H11P9NRT8507A9 NS DS RRSIG
I8S3RMKD92U72KEF44JJCK2VVQENUI0L.com. 86400 IN RRSIG NSEC3 8 2 86400 20210913051954 20210906040954 39343 com. mpKb1nL99qFIKJO02GUQFR48zMJCFl79uN815tBLf516AdGMA/0hWi/3 PX5CxgjkDJ15cBdlXZL1t4X522Bx+gN9BDtZZgHfAQcQFW7U+duTxZdw 3grqZjODheBvznCQfDbflUZEb4NqFI355Em3hJc5pFzaD5t/p4JUtuap g2vblnmwRfuqqXE49C83wcJklhOV30FvgfmlmZ/0Y5ASYA==
;; Received 676 bytes from 192.33.14.30#53(b.gtld-servers.net) in 29 ms

robrobinette.com.	60	IN	A	5.182.209.58
robrobinette.com.	3600	IN	NS	ns4.afraid.org.
robrobinette.com.	3600	IN	NS	ns1.afraid.org.
robrobinette.com.	3600	IN	NS	ns3.afraid.org.
robrobinette.com.	3600	IN	NS	ns2.afraid.org.
;; Received 319 bytes from 69.65.50.223#53(ns2.afraid.org) in 105 ms

osiris@erazer ~ $

I guess OP has changed it as it also shows the proper Let's Encrypt certificate right now 🙂

The cert and an IP address (see above) in The Netherlands with a VPN provider which has a PoP in The Netherlands (source: their site). Enough proof for me.

2 Likes
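The check the posts above perform by hand, as an added example that is not part of any post in this thread: it reads the final hop of a `dig +trace`, compares the A record with the address the site is expected to have, and tests whether the names on the served certificate cover the hostname. The sample trace is constructed from the values quoted in the thread; the function names and the list of served certificate names passed in are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample: last two hops of a `dig +trace`, values as quoted in the thread.
SAMPLE_TRACE = """\
robrobinette.com.\t172800\tIN\tNS\tns1.afraid.org.
;; Received 676 bytes from 192.33.14.30#53(b.gtld-servers.net) in 29 ms

robrobinette.com.\t60\tIN\tA\t5.182.209.58
robrobinette.com.\t3600\tIN\tNS\tns2.afraid.org.
;; Received 319 bytes from 69.65.50.223#53(ns2.afraid.org) in 105 ms
"""

A_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")
HOP = re.compile(r"^;; Received \d+ bytes from \S+\((\S+)\)")

def final_a_records(trace, name):
    """Return (answering_server, [(ttl, ip), ...]) for the last hop that gave A records."""
    pending, result = [], (None, [])
    for line in trace.splitlines():
        rr = A_RR.match(line.strip())
        if rr and rr.group(1).rstrip(".").lower() == name.lower():
            pending.append((int(rr.group(2)), rr.group(3)))
            continue
        hop = HOP.match(line)
        if hop:  # a ";; Received" line closes the hop whose records precede it
            if pending:
                result = (hop.group(1), pending)
            pending = []
    return result

def cert_covers(hostname, cert_names):
    """Name check: exact match, or a wildcard covering exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for cn in (n.lower() for n in cert_names):
        if cn == host:
            return True
        if cn.startswith("*.") and "." in host and host.split(".", 1)[1] == cn[2:]:
            return True
    return False

def diagnose(trace, name, expected_ip, served_names):
    """List mismatches between what DNS and TLS show and what the owner expects."""
    server, records = final_a_records(trace, name)
    want = ipaddress.ip_address(expected_ip)
    findings = [f"A {ip} (TTL {ttl}s, from {server}) is not {expected_ip}"
                for ttl, ip in records if ipaddress.ip_address(ip) != want]
    if not cert_covers(name, served_names):
        findings.append(f"certificate names {served_names} do not cover {name}")
    return findings
```

Run against the sample with the Comcast address and the wildcard name from the thread, `diagnose` reports both the A record mismatch and the certificate name mismatch, which together say the hostname is resolving to someone else's server.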

Can you check the SOA record seen there, please and thank you.

I see:
serial = 2109080008

1 Like

I've got that too now, but I also have the correct IP now 😉 I suspect OP has changed the DNS record.

2 Likes

Which correct IP?

1 Like

The one you also posted and the one with a Let's Encrypt certificate for OP's hostname? THAT correct IP address?

2 Likes

Then they might have shut down the VPN ? ? ?

1 Like

I believe OP has at least changed the IP address of the A RR of the domain name. With or without disabling the VPN, that should have done the trick.

I'm not familiar with VPN software which will change DNS records when it is enabled or disabled.......

2 Likes

Then the SOA record should have also changed.

I don't see a change.

1 Like

From what to what? I don't have any record of the SOA RR from when the domain name still showed the CactusVPN IP address.

2 Likes

From:
serial = 2109080008
To:
[a bigger number]

OR

Maybe their global DNS was outdated?
And that is the latest number.

1 Like

Why should it increase to a bigger number? The SOA RR 2109080008 was present at the same time you found the A RR 68.57.90.214, right? So it can perfectly be the most recent SOA RR.

I don't have any record of the SOA RR when I found the CactusVPN IP address unfortunately. And I haven't seen that SOA RR in this thread by anyone else either.

2 Likes