Broken SSL cert caused by router?

Eygene Ryabinkin rea+nanog at
Fri Mar 27 00:46:20 UTC 2015

Thu, Mar 26, 2015 at 03:38:55PM -0700, Mike wrote:
> I have a customer however that uses our web mail system now secured 
> with ssl. I myself and many others use it and get the green lock. But, 
> whenever any station at the customer tries using it, they get a broken 
> lock and 'your connection is not private'. The actual error displayed 
> below is 'cert_authority_invalid' and it's "Go Daddy Secure Certificate 
> Authority - G2". And it gets worse - whenever I go to the location and 
> use my own laptop, the very one that 'works' when at my office, I ALSO 
> get the error. AND EVEN WORSE - when I connect to my cell phone provided 
> hotspot, the error goes away!
> As weird as this all sounds, I got it nailed down to one device - 
> they have a Cisco/Meraki MX64W as their internet gateway - and when I 
> remove that device from the chain and go 'straight' out to the internet, 
> suddenly, the certificate problem goes away entirely.
> How is this possible? Can anyone comment on these devices and tell 
> me what might be going on here?

Sounds like deep packet inspection (DPI) with SSL MITM.  Reading
makes me believe that this device can do that.  Look for its
configuration, DPI for HTTPS must be active.
Eygene Ryabinkin, National Research Centre "Kurchatov Institute"

Always code as if the guy who ends up maintaining your code will be
a violent psychopath who knows where you live.
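The diagnosis above (a gateway doing DPI with SSL MITM re-signs the site's certificate with its own CA, so the browser sees an issuer it does not trust) can be confirmed without guessing. The script below is an added example written for this thread, not code from either poster: it fetches the leaf certificate a server actually presents on the current network, hashes its DER encoding, and compares that SHA-256 fingerprint with one recorded earlier from a trusted vantage point (the cell-phone hotspot in Mike's case). The host name, port and pinned value are placeholders; `PINNED_SHA256` here is a constructed value and `CONSTRUCTED_PEM` is a constructed stand-in for a real certificate so the helpers can be exercised offline.

```python
"""Check whether a TLS server's certificate is being replaced in transit
(DPI / SSL MITM).  Added example for this thread; hostnames and pinned
fingerprint are placeholders, not values from the original posts."""
import argparse
import hashlib
import socket
import ssl

# Constructed placeholder: SHA-256 fingerprint of the web-mail server's leaf
# certificate as recorded from a known-good path.  Obtain the real value by
# running this script with --record on a network that shows the green lock.
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Constructed stand-in for a PEM certificate (base64 of the bytes "abc"); it
# lets fingerprint_pem() and classify() run offline.  Not a real certificate.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


def fingerprint_pem(pem_cert: str) -> str:
    """Lowercase hex SHA-256 over the DER encoding of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_pem(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the leaf certificate the network hands us, in PEM form.

    Verification is disabled on purpose: we want to see exactly what an
    intercepting proxy presents, not fail before we can inspect it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def verification_error(host: str, port: int = 443, timeout: float = 5.0):
    """Attempt a normally verified handshake with the system trust store.

    Returns None if the chain verifies, otherwise OpenSSL's verify message
    (the text behind the browser's cert_authority_invalid)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message


def classify(observed_pem: str, pinned_sha256: str = PINNED_SHA256) -> str:
    """'ok' when the observed leaf matches the pin, 'mismatch' otherwise.

    A mismatch together with a verification error is the signature of a
    middlebox re-signing the site's certificate with its own CA."""
    observed = fingerprint_pem(observed_pem)
    return "ok" if observed == pinned_sha256.lower() else "mismatch"


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="TLS interception check")
    ap.add_argument("host", help="web-mail host name (placeholder)")
    ap.add_argument("--port", type=int, default=443)
    ap.add_argument("--record", action="store_true",
                    help="print the fingerprint seen now instead of comparing")
    args = ap.parse_args()

    pem = fetch_leaf_pem(args.host, args.port)
    seen = fingerprint_pem(pem)
    if args.record:
        print(f"observed leaf SHA-256: {seen}")
    else:
        print(f"pin check: {classify(pem)} (observed {seen})")
        err = verification_error(args.host, args.port)
        print("system trust verification:", "ok" if err is None else err)
```

Run it once with `--record` from the hotspot to capture the genuine fingerprint, paste that into `PINNED_SHA256`, then run it again from behind the MX64W: a `mismatch` alongside a verify message such as "unable to get local issuer certificate" shows the gateway is presenting its own certificate rather than the GoDaddy-issued one. Since pinning is done on the leaf, expect to re-record after the site's certificate is renewed.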
