WINDTRE with security service: net::ERR_CERT_AUTHORITY_INVALID

hi everyone,

We have a big problem with our domain:

App.edilab.it

We noticed that some users who have a WINDTRE mobile connection cannot access services hosted on app.edilab.it.

The certificate comes up as invalid: net::ERR_CERT_AUTHORITY_INVALID

If they use Wi-Fi data, everything goes OK.

I am sure the problem is with WINDTRE and their “più sicuri” service; they decided to enable it randomly on some users. Disabling it actually makes the website work, but it is obviously not a viable solution.

How can we make this work? It looks like the Let's Encrypt certificate is not good for them. How can we solve this? Users are constantly reporting this and we don't know what to do.

I hope I can get some help here.
Thanks,
Luca.

1 Like

Your site looks perfectly fine with regard to the certificate and chain.

It sounds like that “più sicuri” service you're mentioning might be some kind of Machine in the Middle (MitM) device which doesn't like your site, possibly the Let's Encrypt cert, possibly the change in intermediate certificates recently. Note that this change should not have mattered at all.

If the issue is indeed with the “più sicuri” service, I'm afraid there's not much you can do, beyond changing to a different (free ACME) CA. (See e.g. ACME CA Comparison - Posh-ACME)

Users should file complaints at WINDTRE with regard to their “più sicuri”.

2 Likes

Thanks for the super fast response.

I have some screenshots of the certificate on a device that has the problem (so WINDTRE + più sicuri).

The certificate looks... weird. Maybe you can figure out something.
I can try changing the CA as you suggested.

I will try contacting WINDTRE but their customer service is not so good and not easy to reach (even if so used in Italy)

2 Likes

2 Likes

So that's a cert from WINDTRE, which of course is not a publicly trusted certificate. (It's not the Let's Encrypt certificate from your website!) They're just doing a MitM as suspected earlier, creating certificates for websites on the fly as they're being accessed by their users.

This is commonly done by local virus scanner software on the user's computer, which I could live with. But personally I would not want my ISP snooping around and reading and possibly storing all the data contained in my not-secure-at-all-any-longer HTTPS connections.

All users having this issue should either complain at WINDTRE or simply disable this “più sicuri” service, if possible. They should also know that WINDTRE can read all their data with this “più sicuri” service.

Changing ISP probably doesn't really help with this. Users not trusting this WINDTRE (root) certificate would get a certificate error for any site they're visiting if it goes through this “più sicuri” service.

4 Likes
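As an added example (not code from the thread or from any of the participants), here is a small client-side probe a site operator can hand to affected users to confirm the diagnosis above: it checks whether the certificate actually served on the current network path is the site's own leaf or a re-signed one, and whether the client's trust store accepts it. The host name and the expected fingerprint are assumptions; the fingerprint in the usage note is a constructed placeholder, not app.edilab.it's real one.

```python
"""Detect TLS interception (e.g. an ISP "security" proxy re-signing certs)
from the client side, using only the Python standard library."""
import hashlib
import socket
import ssl


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint of a DER certificate, as browsers show it."""
    hexdigest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def classify(verified, served_fingerprint, expected_fingerprint):
    """Combine the two observations into a verdict.

    verified             -- did the system trust store accept the served chain?
    served_fingerprint   -- fingerprint of the leaf the client actually received
    expected_fingerprint -- fingerprint of the leaf the site really deploys
    """
    if served_fingerprint.upper() == expected_fingerprint.upper():
        return "genuine"                 # the site's own leaf arrived unmodified
    if not verified:
        return "intercepted-untrusted"   # re-signed by a CA the client does not trust
    return "intercepted-trusted"         # re-signed by a CA the client trusts (e.g. local AV root)


def probe(host, port=443, timeout=5.0):
    """Return (verified, leaf_fingerprint) for the certificate served on this path.

    Pass 1 verifies against the system trust store; an ISP-injected cert chaining
    to a private root fails here exactly as it does in the user's browser
    (ERR_CERT_AUTHORITY_INVALID). Pass 2 deliberately disables verification so
    the interceptor's leaf can still be retrieved and fingerprinted.
    """
    verified = True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError:
        verified = False
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE  # only for fingerprinting, never for real traffic
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return verified, sha256_fingerprint(der)
```

Usage: `verified, fp = probe("app.edilab.it")` on the affected connection, then `classify(verified, fp, EXPECTED_FP)` where EXPECTED_FP is the fingerprint the operator reads from the real deployed certificate; "intercepted-untrusted" is the situation described in this thread.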

Thank you so much for all the information.
We are trying to contact WINDTRE.
So there’s nothing we can actually do..

1 Like

Looks like the error and the MitM certificate all come from WINDTRE.

The error we seem to be seeing in your screenshot might not be shown to your users by changing to a different CA, such as Buypass, but most likely that wouldn't fix the "insecure" logo you're also seeing in the screenshot due to the user not trusting the not-publicly-trusted WINDTRE certificate (chain).

Can't WINDTRE users disable this “più sicuri” service?

3 Likes
