Getting 502 Bad Gateway for vodafone.com

Hi,
I am using proxy plugin and vodafone.com is giving 502 Bad Gateway error. If I run the following command from my Caddy proxy machine:

 curl -ILX GET https://www.vodafone.com

as suggested in this post, I got the following response:
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none More details here: http://curl.haxx.se/docs/sslcerts.html ...

If I add insecure_skip_verify to the proxy, it can serve vodafone.com. Will this approach sacrifice security for other HTTPS sites that will be served by my proxy? Is there any other way to fix the issue?

Thanks!

You can use insecure_skip_verify, and it won’t affect other proxies than the one you specify it on… But checking that site myself allows me to connect over HTTPS as they’re presenting a valid certificate.

Are you being MITM’d? Or maybe your CA certs aren’t in order?

What do you mean by, maybe your CA certs aren’t in order? How can I verify that?

Try curl -ILX GET https://www.vodafone.com from a different, known good computer?

Maybe reinstall the ca-certificates package?

Ahh, looking further at it… my Debian server with curl 7.52.1 (x86_64-pc-linux-gnu) doesn’t like it (curl: (60) SSL certificate problem: unable to get local issuer certificate) but my Macbook with curl 7.54.0 (x86_64-apple-darwin18.0) doesn’t mind the error.

It appears to be a certificate chain problem. Their server isn’t sending the intermediate DigiCert SHA2 Secure Server CA cert. It’s a misconfiguration on their end (along with a whole host of other serious issues :grimacing: https://www.ssllabs.com/ssltest/analyze.html?d=www.vodafone.com)

Previous advice stands; you can use insecure_skip_verify - it’ll naturally reduce security, but it won’t compromise other proxies.

2 Likes