Broken SSL cert caused by router?
rps at maine.edu
Fri Mar 27 19:36:12 UTC 2015
It might be filtering the CRL or OCSP verification for the SSL
certificate. For GoDaddy I think this would be:
We ran into this when OS X changed how it handles SSL a few years
back, our captive portal was presenting a splash page in place of
Thawte OCSP and crashing the SSL keychain process. The work-around
was either to respond with a TCP RST for these requests or to allow
On Thu, Mar 26, 2015 at 11:57 PM, Lewis,Mitchell T.
<ml-nanog at techcompute.net> wrote:
> Meraki Access Points are interesting devices.
> I have found they cause issues with Linux firewalls if the merakis are not configured "correctly".
> Meraki Access Points do content inspections which I have found can produce symptoms similar to yours, although I have not experienced what you are describing. Since the MX64W is both an Access Point & security gateway, it has some additional content inspection/intelligence for its security appliance role on top of the functions it performs as an access point, the same functions which are found in Meraki standalone access points as well.
> I am not sure what the specifics are as I do not use Meraki security appliances but it is worth checking. I have found with Meraki that items in the control panel/dashboard are not always labeled the best so I have found it is usually worth putting in a ticket with them and/or a call to them to see what they think (1-888-490-0918).
> Mitchell T. Lewis
> Mlewis at Techcompute.Net
> : www.linkedin.com/in/mlewiscc
> Mobile: (203)816-0371
> PGP Fingerprint: 79F2A12BAC77827581C734212AFA805732A1394E Public PGP Key
> A computer will do what you tell it to do, but that may be much different from what you had in mind. ~Joseph Weizenbaum
> ----- Original Message -----
> From: "Mike" <mike-nanog at tiedyenetworks.com>
> To: nanog at nanog.org
> Sent: Thursday, March 26, 2015 6:38:55 PM
> Subject: Broken SSL cert caused by router?
> I have a very odd problem.
> We've recently gotten a 'real' ssl certificate from godaddy to
> cover our domain (*.domain.com) and have installed it in several places
> where needed for email (imap/starttls and etc) and web. This works
> great, seems ok according to various online TLS certificate checkers,
> and I get the green lock when testing using my own browsers and such.
> I have a customer however that uses our web mail system now secured
> with ssl. I myself and many others use it and get the green lock. But,
> whenever any station at the customer tries using it, they get a broken
> lock and 'your connection is not private'. The actual error displayed
> below is 'cert_authority_invalid' and it's "Go Daddy Secure Certificate
> Authority - G2". And it gets worse - whenever I go to the location and
> use my own laptop, the very one that 'works' when at my office, I ALSO
> get the error. AND EVEN WORSE - when I connect to my cell phone provided
> hotspot, the error goes away!
> As weird as this all sounds, I got it nailed down to one device -
> they have a Cisco/Meraki MX64W as their internet gateway - and when I
> remove that device from the chain and go 'straight' out to the internet,
> suddenly, the certificate problem goes away entirely.
> How is this possible? Can anyone comment on these devices and tell
> me what might be going on here?
Ray Patrick Soucy
University of Maine System
MaineREN, Maine's Research and Education Network
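A diagnostic for the failure mode Ray describes (a gateway answering OCSP or CRL requests with a splash page), written as an added example that is not part of this thread: it fetches the revocation URL from the suspect network and reports whether the reply is a real DER-encoded OCSP/CRL response or an HTML page substituted by the gateway. The helper names, probe() and the constructed sample bytes in the comments are assumptions, not tools or data from either poster.

```python
"""Classify what a client got back from an OCSP responder / CRL URL: a real
responder answers with DER (even with an error status); an intercepting gateway
answers with an HTML page. Stdlib only; helper names are hypothetical."""
import urllib.error
import urllib.request

OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",   # RFC 6960
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def _der_length(buf, i):
    """Decode the DER length field at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:                        # short form: one byte
        return first, i + 1
    n = first & 0x7F                        # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def ocsp_response_status(body):
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] OPTIONAL }"""
    if body[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    _, i = _der_length(body, 1)
    if body[i:i + 2] != b"\x0a\x01":        # ENUMERATED, length 1
        raise ValueError("responseStatus missing")
    return body[i + 2]

def classify(content_type, body):
    """Label a fetched revocation response as genuine, intercepted or unexpected."""
    ct = content_type.split(";")[0].strip().lower()
    head = body.lstrip()[:64].lower()
    if head.startswith(b"<!doctype") or b"<html" in head:
        return "intercepted:html"           # splash/block page, whatever the Content-Type says
    if ct == "application/ocsp-response" and body[:1] == b"\x30":
        status = ocsp_response_status(body)  # e.g. b"\x30\x03\x0a\x01\x03" (constructed) -> tryLater
        return "ocsp:" + OCSP_STATUS.get(status, str(status))
    if ct in ("application/pkix-crl", "application/x-pkcs7-crl") and body[:1] == b"\x30":
        return "crl"
    return "unexpected:" + (ct or "no-content-type")

def probe(url, timeout=10.0):
    """GET the OCSP/CRL URL from the suspect network and classify the reply."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as e:     # an HTTP error body is still informative
        return "http-%d/%s" % (e.code, classify(e.headers.get("Content-Type", ""), e.read()))
    except OSError as e:                    # TCP RST, timeout, DNS failure
        return "unreachable:" + str(e)
```

Run probe() with the OCSP responder or CRL URL from the certificate's Authority Information Access or CRL Distribution Points extension, once behind the MX64W and once on the hotspot; an "intercepted" or "unreachable" result only behind the gateway points at filtered revocation checks.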