Regional SSL Certificate Issues (ISP Blocking?)

Hi Cloudflare community,

I have users reporting SSL certificate errors for my domain that I am having difficulty understanding. The domain loads fine for me and 99% of other users. However, a small subset is having issues.

The issue seems to be ISP related, I think. The problem is solved by using a VPN, or by switching from cell to WiFi, or WiFi to cell.

The issue is happening for users more often in Europe (UK, Spain, Netherlands). However, there have been reports in the US and Brazil as well.

I first thought it was a problem with their device or their local WiFi has some sort of MITM, but other sites load fine and the users claim to not have that. Also, sometimes it’s just a connection block error.

A common use case has appeared. The users begin accessing the site in one country (Brazil). They then move to another country (somewhere in Europe). The site now stops working due to SSL certificate issues.

My question is: Is there some sort of regional caching going on? Do ISPs do any sort of domain blocking? Is this practice more common in Europe? If my domain is blocked, what could be the cause? It is a .app domain which is non-standard. Most importantly, how would you debug this issue that you can’t yourself reproduce?

Thank you.

Answer these questions to help the Community help you with Security questions.

What is the domain name?

https://www.gymrats.app

Have you searched for an answer?

Yes

Please share your search results url:

https://community.cloudflare.com/search?q=ssl%20invalid%20certificate%20isp

When you tested your domain, what were the results?

The site loaded successfully.

Describe the issue you are having:

For the past two years a small percentage of my users report connection errors related to a SSL certificate issue. They are becoming increasingly more common.

They are most common for users in Europe. I recently have had three users who were in Brazil and moved to Europe. Two to the UK and the other to Spain. All have had SSL issues appear after moving.

The users only report GymRats not working, other sites load fine.

What error message or number are you receiving?

General SSL certificate invalid errors.

What steps have you taken to resolve the issue?

I’ve tried working with my users to gain more information about the certificate they’re seeing, but they are not technical and I don’t always get a response. Sometimes there is no information to be had.

This website serves as an API for a mobile application and I’ve deployed logging to inspect the errors myself.

Some issues are reported as MITM of various sorts and I can see the certificates are bad. For example, I see a certificate served by “allot.com” and I don’t know anything about that, but it looks like some sort of network security tool. Makes sense to me that would fail. Other certs from “https://www.arubanetworks.com/” and “RuckusPKI-DeviceSubCA”.

However, I see the issue appear for what looks like a correct certificate chain.

Was the site working with SSL prior to adding it to Cloudflare?

No, the same issue occurred before Cloudflare as well. I actually started using Cloudflare to see if it would solve the issue, but it didn’t. I thought it had to do with a universal certificate and the common name (gymrats.app) on the certificate not matching the url being requested (www.gymrats.app). It loaded fine because of the SAN being *.gymrats.app, but thought maybe some clients somewhere would block a domain and common name mismatch anyways.

So I recently deployed an advanced certificate using Cloudflare with the common name matching exactly, but that did not fix the issue.

What are the steps to reproduce the error:

I personally cannot reproduce the issue. My users reproduce the issue by loading the website in a browser.

Have you tried from another browser and/or incognito mode?

Yes

Please attach a screenshot of the error:

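The thread’s closing question is how to debug a failure the site owner cannot reproduce. As an added example (not code from the thread, from Cloudflare or from GymRats), the script below is something an affected user could run once on each network they try; it is standard-library Python 3, uses www.gymrats.app from the thread, and every other value in it is constructed.

```python
import hashlib
import socket
import ssl

HOST = "www.gymrats.app"  # domain from the thread; every other value below is constructed


def leaf_fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, colon-separated the way browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def issuer_org(cert):
    """Issuer organizationName from a getpeercert()-style dict (where 'allot.com' showed up in the thread)."""
    orgs = [v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "organizationName"]
    return orgs[0] if orgs else None


def name_match(cert, host):
    """Report whether host is covered by a DNS SAN, only by the CN (modern clients reject that), or not at all."""
    labels = host.lower().split(".")

    def covers(name):  # exact match, or a one-label wildcard such as *.gymrats.app
        parts = name.lower().split(".")
        return parts == labels or (parts[0] == "*" and len(parts) == len(labels) and parts[1:] == labels[1:])

    if any(covers(v) for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"):
        return "SAN"
    if any(covers(v) for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"):
        return "CN"
    return None


def _tls_socket(ctx, host, port):
    return ctx.wrap_socket(socket.create_connection((host, port), timeout=10), server_hostname=host)


def probe(host=HOST, port=443, expected_fp=None):
    """Handshake with full verification; if that fails, reconnect unverified purely to capture the cert."""
    result = {"host": host, "verified": False, "error": None, "fingerprint": None, "issuer": None}
    ctx = ssl.create_default_context()
    try:
        with _tls_socket(ctx, host, port) as tls:
            cert = tls.getpeercert()
            result.update(verified=True, issuer=issuer_org(cert), name_match=name_match(cert, host),
                          fingerprint=leaf_fingerprint(tls.getpeercert(binary_form=True)))
    except ssl.SSLError as exc:  # verification failed: keep the reason, then grab whatever was presented
        result["error"] = str(exc)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with _tls_socket(ctx, host, port) as tls:
            result["fingerprint"] = leaf_fingerprint(tls.getpeercert(binary_form=True))
    except OSError as exc:  # TCP-level failure, the "connection block" case mentioned in the thread
        result["error"] = str(exc)
    if expected_fp:  # fingerprint recorded on a known-good network; a mismatch means TLS ended somewhere en route
        result["matches_expected"] = result["fingerprint"] == expected_fp.upper()
    return result
```

Running probe() on a known-good network gives the fingerprint to pass as expected_fp on the suspect one; a verified=False result with a different fingerprint is the signature of the in-path certificate substitution the thread describes.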
I’ve been able to get a certificate from a user and I am experiencing the issue being described in this thread on Vodafone. Unblock company website - Community home

Cloudflare is mentioned, but I’m not sure if relevant or not.


The Vodafone forum signup form is broken for me :melting_face:, but more information from my user is confirming the issue. I believe Lebara uses the Vodafone network.

Yes, my home Wi-Fi is Vodafone but my Mobile data is Lebara (maybe they are also blocking because I have tested using only my Mobile data and the same certificate issue appeared with this allot.com). With neither of them does the app work, same error message.

I’ve just done a test using my Work phone mobile data from O2 (UK) and it works! Indeed it seems to be a problem with Lebara and Vodafone.

Please see attached screen video while I’m using O2 data from my work phone and all certificates are good and I can access the app normally.

