I am using Comcast internet service and I have a home based website, robrobinette.com, which uses a Let's Encrypt issued SSL certificate. The webserver is a Raspberry Pi on my home network and my Comcast router forwards :80 and :443 to the webserver. When I use my Windows 10 computer from my home network and connect to CactusVPN it works, but my website begins serving the CactusVPN certificate so I get a "cert common name invalid" error and traffic drops off the website. When I close CactusVPN the website error goes away after a couple of minutes. I have tried the OpenVPN and SSTP protocols and both cause the error.
Anyone know how to solve this problem? I can't use my VPN service without killing my website traffic.
@orangepizza Just connect to the site, you'll see a Sectigo certificate issued to *.cactussstp.com. I'm guessing that's the same Cactus cert OP is seeing.
@RobRobinette You say you have a Comcast router. Is your ISP also Comcast? Because if I resolve your hostname, I'm getting the IP address 5.182.209.58 which is an IP address of "SpectraIP B.V.", a Dutch company as it seems. And that IP may very well be used by CactusVPN as one of their endpoints? Or is your site actually hosted at SpectraIP? Which conflicts with the fact that your webserver is a RPi in your home network.
Not really: your webserver on the Raspberry Pi might be configured with a Let's Encrypt certificate and your local webserver might even be configured for the domain name robrobinette.com, but the ACTUAL hostname robrobinette.com does NOT point to your home network, but to an IP address of CactusVPN. And THAT website (i.e.: "YOUR" website as far as the world wide web is concerned) does NOT use a Let's Encrypt certificate.
Do you have some kind of configuration at CactusVPN so that incoming connections for robrobinette.com are somehow routed to your RPi?
On their website I don't see any feature that enables your website to work through their VPN?
That's not the IP address I had just a few minutes ago:
```
osiris@erazer ~ $ dig +trace robrobinette.com
; <<>> DiG 9.16.12 <<>> +trace robrobinette.com
;; global options: +cmd
. 80407 IN NS i.root-servers.net.
. 80407 IN NS k.root-servers.net.
. 80407 IN NS f.root-servers.net.
. 80407 IN NS j.root-servers.net.
. 80407 IN NS m.root-servers.net.
. 80407 IN NS c.root-servers.net.
. 80407 IN NS h.root-servers.net.
. 80407 IN NS g.root-servers.net.
. 80407 IN NS d.root-servers.net.
. 80407 IN NS a.root-servers.net.
. 80407 IN NS b.root-servers.net.
. 80407 IN NS l.root-servers.net.
. 80407 IN NS e.root-servers.net.
. 80407 IN RRSIG NS 8 0 518400 20210921050000 20210908040000 26838 . CYg7iiwpycwQSWH5qlDiXYVwRN4XFQMSjk52Dth7qvpFcMN/87tJ+iR+ 3KXGLpZs+brsSLLLmr1nHRMGbiY/QqbZpkedCjb4+SGtvCqtG4458YSk UOhYOiJ8zoAosltp09fz59doUrGgEiNUAxgU8HfZHrzpMvPgaHQBktUt UFS76gFRqfXrH2rGbDiicMmFQoqOU4lOksSLQYbfHMHqo1YE7/GLbTqP Ly65xtXKjzkVWubXJT2DWfynLqBykUBglE3Rc0HJ0ksV15D9NfOGGNNr 1v71H+Hn/NMtf5g7l8U3uxkrjm/B3rDufDa+ZlGJUzmHAZVyY4cIU6xn tcEX+Q==
;; Received 525 bytes from 194.109.6.66#53(194.109.6.66) in 14 ms
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20210921050000 20210908040000 26838 . pRWybrp+EUSGasRO5mJMmFThAoHn40FApeb2+efgyHLrGzXnpx3iiVAG r4jUwvaoThrAepUrL8G6Tefqb0gRPw2Xp1xWXY6QVGyKHvU37yKLrb/V U+ZCJn4qSMQEOVCh8yXUodCdmz1puVaj2GfTGHJz2WnAehzTeaSV9d/3 x7lXhzL9atwgqmqZT+pgki3bnV8eGOEHXohdE6NO/fmg2DLDeaR3lpVb TEaU3Nf/3nkXmgepX0GoZxSVMp/NYb4zXgU7spbMuNaqbY7hNKT5QI+w etGbVatqKZrmAdWIv7IZr/HuKpa/YbmUra+OyO1RsCfUUclSl9Ef7BON 43/MAA==
;; Received 1204 bytes from 2001:500:2::c#53(c.root-servers.net) in 25 ms
robrobinette.com. 172800 IN NS ns1.afraid.org.
robrobinette.com. 172800 IN NS ns2.afraid.org.
robrobinette.com. 172800 IN NS ns3.afraid.org.
robrobinette.com. 172800 IN NS ns4.afraid.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210912085720 20210905074720 39343 com. BlKfU1A//lMaXugaMSwYQrxujtHXsw/B60ymafbe3CnH4wmt4WYVoah9 amnuxi8yH/KXlb5mnpK0eCh98RGt/tzQpdlK3XfG5adA1O9RXhgnauZR Wrm2kc5gZ0hqsn08wqwjVMtYCFO1dpjrMFrU4dNXUdE8v5ceHGaRrodh /2+LecZ87Qfi8d85kS2OsKzJtUcK87r/m25OWDR61+r9BA==
I8S3RMKD92U72KEF44JJCK2VVQENUI0L.com. 86400 IN NSEC3 1 1 0 - I8S4GA22FTBGUR9GG6H11P9NRT8507A9 NS DS RRSIG
I8S3RMKD92U72KEF44JJCK2VVQENUI0L.com. 86400 IN RRSIG NSEC3 8 2 86400 20210913051954 20210906040954 39343 com. mpKb1nL99qFIKJO02GUQFR48zMJCFl79uN815tBLf516AdGMA/0hWi/3 PX5CxgjkDJ15cBdlXZL1t4X522Bx+gN9BDtZZgHfAQcQFW7U+duTxZdw 3grqZjODheBvznCQfDbflUZEb4NqFI355Em3hJc5pFzaD5t/p4JUtuap g2vblnmwRfuqqXE49C83wcJklhOV30FvgfmlmZ/0Y5ASYA==
;; Received 676 bytes from 192.33.14.30#53(b.gtld-servers.net) in 29 ms
robrobinette.com. 60 IN A 5.182.209.58
robrobinette.com. 3600 IN NS ns4.afraid.org.
robrobinette.com. 3600 IN NS ns1.afraid.org.
robrobinette.com. 3600 IN NS ns3.afraid.org.
robrobinette.com. 3600 IN NS ns2.afraid.org.
;; Received 319 bytes from 69.65.50.223#53(ns2.afraid.org) in 105 ms
osiris@erazer ~ $
```
I guess OP has changed it, as it also shows the proper Let's Encrypt certificate right now.
The cert and an IP address (see above) in The Netherlands with a VPN provider which has a PoP in The Netherlands (source: their site). Enough proof for me.
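The check the replies above perform by hand (does the name still resolve to the home IP, and do the presented certificate's names cover the hostname?) as a small added script; this is not code from the thread. It parses the `dig +trace` answer section quoted above (abbreviated inline) and uses the earlier home address 68.57.90.214 and the wildcard name *.cactussstp.com mentioned in the thread as its inputs; in practice you would feed it live `dig +trace` output and the SAN list read from the served certificate.

```python
import re

# Constructed, abbreviated copy of the dig +trace output quoted in this thread.
DIG_TRACE = """\
;; global options: +cmd
robrobinette.com. 172800 IN NS ns1.afraid.org.
;; Received 676 bytes from 192.33.14.30#53(b.gtld-servers.net) in 29 ms
robrobinette.com. 60 IN A 5.182.209.58
robrobinette.com. 3600 IN NS ns4.afraid.org.
;; Received 319 bytes from 69.65.50.223#53(ns2.afraid.org) in 105 ms
"""

# owner  ttl  IN  type  rdata   (dig prints one RR per line in the answer section)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_rrs(trace):
    """Return (owner, ttl, rtype, rdata) tuples, skipping dig's ';' comment lines."""
    rrs = []
    for line in trace.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rrs.append((m.group(1).rstrip("."), int(m.group(2)), m.group(3), m.group(4)))
    return rrs

def a_records(trace, name):
    """All A rdata for `name` found in the trace (TTL 60 here explains the minutes-long lag)."""
    want = name.lower().rstrip(".")
    return [rd for owner, _, rtype, rd in parse_rrs(trace)
            if owner.lower() == want and rtype == "A"]

def san_matches(hostname, san):
    """RFC 6125 style name match: exact, or a single-label wildcard in the leftmost label."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def diagnose(hostname, expected_ip, trace, cert_names):
    """Explain a 'common name invalid' error: wrong A record, wrong cert, or both."""
    findings = []
    ips = a_records(trace, hostname)
    if expected_ip not in ips:
        findings.append(f"A record {ips} does not point at the expected home IP {expected_ip}")
    if not any(san_matches(hostname, n) for n in cert_names):
        findings.append(f"certificate names {cert_names} do not cover {hostname}")
    return findings

if __name__ == "__main__":
    for f in diagnose("robrobinette.com", "68.57.90.214", DIG_TRACE, ["*.cactussstp.com"]):
        print("FINDING:", f)
```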
Why should it increase to a bigger number? The SOA RR 2109080008 was present at the same time you found the A RR 68.57.90.214, right? So it can perfectly well be the most recent SOA RR.
I don't have any record of the SOA RR when I found the CactusVPN IP address unfortunately. And I haven't seen that SOA RR in this thread by anyone else either.