Valid Cert replaced by Bad "SafeLinks" Cert?

New or used/refurbished?


The Router was new, open box. I did reset it. I just added a rule to allow the houseofprayer.org url. I no longer have any issues accessing the website from this LAN with the Meraki Firewall and Charter Spectrum ISP.

My work location is another story. When I try to access houseofprayer.org from multiple machines on this LAN I get the same security error. This site does use Comcast for ISP and I also VPN to this site from my home on a daily basis. I added a rule to allow the website url on both Comcast Security Edge and the Cisco ASA firewall. This did not correct the issue. Any more ideas?

That the problems occur only from one location indicates a common problem there. You may need to contact Comcast.

You should check the DNS is resolving the right IP when that happens. If I recall, that was what others with a similar problem saw happening. Google has many hits for questions about the domain name in the "faulty" cert.

This doesn't look like anything related to your Let's Encrypt cert or even your server config. Too many other clients connect without trouble.

It is odd that a couple of your locations suffered the same problem. You might want to think about what else might be similar between your Charter location and the Comcast one, as they both were failing but now only one does, if I understand correctly.

And, 3rd party testing sites always were okay. I even tried some others and all look good. My own test server has always worked fine to that domain. In fact, I cannot reproduce the problem you describe with any tool.


Your issue is unrelated to Let's Encrypt or even TLS certificates. You need to find yourself qualified on-site network support. If you do not already have a preferred IT service provider, it's past the time to seek one out. The assistance you need exceeds that which is available here in the Let's Encrypt Community.


I strongly agree that whatever your problem is, it has nothing at all to do with Let's Encrypt or TLS in general. But it's more than a little strange that when I browse to that address using Firefox, I get the same warning--but when I use Chrome, a normal-looking website comes up.


That is very interesting. From the same device? (both same IPv4 or v6 and such?)

Firefox on Ubuntu works fine for me. No warning at all. Using a VPN.


Same device, on the same network, within a minute or so.


Since I had only tested in Chrome, I went ahead and tried from some other browsers and then moved on to other machines and even sites. Only when I tested Firefox on a Windows 10 lab machine did I eventually see a malware warning instead of the site.

That is where things got interesting. The blocking page had my company site icon on it and stated that it had been blocked by my organization. Since that host uses DNS Filter security with my default blocking configuration, I checked all other browsers on that host and they went to the same blocking page.

If the block page is served by DNS Filter, you should see the domain name string netalerts.io in the source code. It is equally plausible that another DNS-based security service, such as those forced on Comcast subscribers, may use the same data source as DNS Filter.

I have no explanation for what @danb35 observed, but I know how to consistently reproduce the issue in my environment.

If the site did have a malware distribution incident that has since been resolved, you, @SilverCloud, or your IT service provider will need to identify what security lists contain your domain and follow their delisting request policy.

You may want to see if the source code of the block page gives you any clues as to where it is coming from.

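The two checks suggested in this thread (does the local resolver return the site's real address, and does the certificate actually served name the site) plus the netalerts.io block-page marker, as an added Python diagnostic that is not part of the thread. The expected addresses, certificate dicts and block-page HTML used for testing are constructed samples; `probe()` is the only function that touches the network, and `BLOCK_PAGE_MARKERS` beyond netalerts.io is an assumption you would extend for your own filtering product.

```python
import socket
import ssl

# Strings that identify a DNS-filter block page; "netalerts.io" is the DNS Filter
# marker named in the thread. Extend the tuple for other filtering products.
BLOCK_PAGE_MARKERS = ("netalerts.io",)

def san_names(cert):
    """DNS names from a cert dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def cert_covers_host(cert, hostname):
    """True if a SAN matches hostname exactly or via a single-label wildcard."""
    host = hostname.lower()
    for name in san_names(cert):
        name = name.lower()
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False

def block_page_markers(html):
    """Filter-service markers found in a served page (case-insensitive)."""
    return [m for m in BLOCK_PAGE_MARKERS if m in html.lower()]

def classify(hostname, cert, resolved_ips, expected_ips, html=""):
    """Decide whether the symptom points at the site or at the local resolver."""
    markers = block_page_markers(html)
    if cert_covers_host(cert, hostname) and not markers:
        return "ok"
    if markers:
        return "filtered: block page served by a DNS filtering service"
    if resolved_ips and expected_ips and not set(resolved_ips) & set(expected_ips):
        return "dns-redirect: resolver returned an address that is not the site's"
    return "cert-mismatch: served certificate does not name the site"

def probe(hostname, port=443, timeout=5):
    """Live check: addresses the local resolver returns and the cert served."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, port)})
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # keep chain validation, but accept a wrong name
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return ips, tls.getpeercert()
```

Run `probe()` once from the affected LAN and once from a network that works, then pass the clean network's addresses as `expected_ips` to `classify()`; a "dns-redirect" or "filtered" verdict points at the resolver or filtering service rather than at the site's certificate.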

This is what I'm seeing in Firefox:

Same in a private window. Same in Safari. And now same in Chrome if I explicitly browse to http://houseofprayer.org/.

HTTPS requests in Firefox come up with a cert error, and present a cert for pxy.prd.live.c2szps.spscld.net, as reported in OP. If I try to bypass it, I get a blank page. HTTPS requests in Safari do the same. But HTTPS requests in Chrome pull up the web site as expected. All of this is under macOS Sonoma.

Edit: Firefox 123 under Windows 10 (different device, but still on the same LAN, with the same public IP address) behaves the same as Firefox on my Mac. Edge on that system redirects to HTTPS and loads the page as expected.


Interesting... When this thread first opened, I browsed to the website with no problem ... This is what I get today, 20:30 Pacific time.


No errors at all.
EDIT: and the site redirects from http to https for me at least.


Good News! The issue was Comcast Security Edge. Even though I had added our website url as allowed, it was still being blocked. I contacted Comcast and had them disable Security Edge completely. Access to the website was immediately restored. Sadly, if those Block/Security Pages had just indicated that it was Comcast Security Edge that had blocked the page, it would have saved many hours of troubleshooting. Below is the Security Edge report showing the url being blocked. Thank you everyone for all of your help. stewe was right.


Be sure to write this up in your internal documentation. While you may be more fortunate than some Comcast users, and not encounter a repeat incident, I have seen far too many reports from colleagues with clients on Comcast where they have found connectivity issues introduced by Comcast silently reinstating their unrequested and unwanted Security Edge product.


This is a domain controlled by Barracuda SafeLinks. Try disabling it temporarily.

