Err_cert_authority_invalid (only with vodafone)


#1

Hi guys, I'm having problems with my website. I always use Cloudflare SSL and never had problems.

Now users can't access my website. The problem is that this is only happening with users with Vodafone. Other users have other companies and they can access without problems, me as well.

I have read in the forums of Vodafone this answer: We have verified that after the managements carried out on your line, the cause of which you could not accede to the page http://spaindmcs.com/ is in the own web, since like others that we have already detected, do not have the source IP correctly geolocated.

website is: https://fiuxy.biz


#2

If it’s just Vodafone, it sounds like their DNS doesn’t have your correct information.

How long has your domain been on Cloudflare?


#3

Since I registered it. And this problem appeared today, yesterday Vodafone users could enter without problems.


#4

I have read in the forums of Vodafone this answer: We have verified that after the managements carried out on your line, the cause of which you could not accede to the page is in the own web, since like others that we have already detected, do not have the source IP correctly geolocated.


#5

If you inspect the certificate on https://fiuxy.biz when you see this error who does it say the issuer is/ what are the details?


#6

This is so strange. In certificate details it says: Issued for: fiuxy.biz. Issued by: allot.com/[email protected]. Valid 07/03/2018 - 06/03/2020.


#7

And this transmitter is valid since today, it's generated since today - 06 March 2020.


#8

allot.com lists Vodafone as a customer https://www.allot.com/ so it looks like a problem/issue with how they are implemented rather than your website. If they think there is an issue with your IP address, ask them to provide a log output demonstrating the issue.

e.g.

    dig fiuxy.biz @1.1.1.1 +short
    104.27.142.172
    104.27.143.172

#10

Would it be possible to change CloudFlare IP to solve this problem? As I'm not a Vodafone customer I can't contact them in forums or by phone call as I'm not a customer.


#11

Hi, I just contacted Vodafone and they just said that this problem has nothing to do with them.


#12

They usually do and typically it still turns out to be them.

Where does your domain resolve to on Vodafone?


#14

Hi Sandro, when someone with Vodafone IP is accessing my website, a typical message like “Your connection is not private” appears. Also it says the “err_cert_authority_invalid”. When someone with this Vodafone IP looks at the website certificate, Vodafone just changed certificate transmitter for my website to: allot.com/[email protected]. I always use paid dedicated CloudFlare SSL for my websites so this is false, Vodafone is changing it.

Certificate window and Chrome error when trying to access. (Sorry, I have it in Spanish).

Also my CloudFlare SSL for this domain:


#15

Can you have a Vodafone user try this and let us know what response they get:
https://whatdnsamiusing.com/

I’d like to figure out which DNS they’re using and what IP addresses they return for your domain.


#16


#17

That DNS Server isn’t letting me query it for IP addresses.

I’m hoping that some Vodafone customer can make them fix this. It clearly works for everyone else.


#18

I hope so. I'll insist on talking to technical support, although I think they will always give me the answer that it doesn't have anything to do with them.

Thanks for the help sdayman!


#19

Thanks for the screenshots, but I do understand what the issue is. The question really was to which IP address it resolves. Can you run on that Vodafone connection these commands and post the output here?

ping fiuxy.biz
nslookup fiuxy.biz
ping www.fiuxy.biz
nslookup www.fiuxy.biz

Either requests for your website are directed to a completely different server than Cloudflare or someone (presumably Vodafone) is tampering with the HTTPS connection. Allot is an Israeli company which provides software solutions for such purposes to its customers.

Allot Ltd. is a multinational with offices and subsidiaries in many countries across the world. Allot is a provider of security and monetization products. Allot solutions include Deep Packet Inspection (DPI) technology to change broadband pipes into smart networks offering complete network visibility, application control and subscriber management.

Just to clarify, all your users who complain are on Vodafone but they do not share the same connection or are part of the same organisation?!


#20

Hi Sandro, these are two users that usually visit my forum, with same internet company (Vodafone)


Here the screenshots:


#21

Same ISP but different people on different connections, right? They are not part of the same organisation, correct?

It would appear the resolved address is the right one. That would suggest Vodafone actually intercepts the SSL connection and breaks the encryption. I would find this difficult to believe but that seems to be the most likely scenario given the data we currently have available.

Are these people on vanilla Windows setups? No special virus scanners or similar?
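
The two-way check worked through in #19 and #21 (wrong server address versus right address with a substituted certificate), as an added example that is not part of any post in this thread. The nslookup text is a constructed sample, the Cloudflare ranges are a partial list, and `EXPECTED_ISSUER` is a placeholder for the issuer seen from an unaffected network.

```python
import ipaddress
import re

# Partial list of Cloudflare's published IPv4 ranges (assumption: the site is
# proxied through Cloudflare, as the thread states; full list: cloudflare.com/ips).
CLOUDFLARE_NETS = [ipaddress.ip_network(n)
                   for n in ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13")]

# Constructed sample in the shape of Windows nslookup output.
SAMPLE_NSLOOKUP = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    fiuxy.biz
Addresses:  104.27.142.172
          104.27.143.172
"""

def answer_ips(nslookup_text):
    """Return the A records from the answer section, skipping the resolver's own address."""
    _, found, answer = nslookup_text.partition("Name:")
    if not found:
        return []
    return [ipaddress.ip_address(ip)
            for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", answer)]

def diagnose(nslookup_text, observed_issuer, expected_issuer):
    """Classify the failure: DNS redirect, in-path TLS interception, or nothing wrong."""
    ips = answer_ips(nslookup_text)
    if not ips:
        return "no-dns-answer"
    if any(not any(ip in net for net in CLOUDFLARE_NETS) for ip in ips):
        return "dns-redirect"       # client is being sent to a non-Cloudflare server
    if expected_issuer.lower() not in observed_issuer.lower():
        return "tls-interception"   # right server address, wrong certificate issuer
    return "ok"

if __name__ == "__main__":
    # EXPECTED_ISSUER is a placeholder: read the real value from an unaffected network.
    print(diagnose(SAMPLE_NSLOOKUP, "allot.com", "EXPECTED_ISSUER"))
```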


#22

Hang on, these screenshots are from your users, right?