HTTPS certificates invalid and issued by untrusted ACME

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

a. System environment:

Ubuntu 20.04, apt installed

Trying to reach from Brave Browser, mobile Chrome and mobile DuckDuckGo.

b. Command:

running caddy using systemd

d. My complete Caddy config:

(error404) {
        handle_errors {
                root * /var/www/drankganzenbord.nl/html
                @404 {
                        expression {http.error.status_code} == 404
                }
                rewrite @404 /404.html
                file_server
        }
}

www.drankganzenbord.nl, drankganzenbord.nl {
        root * /var/www/drankganzenbord.nl
        file_server

        handle / {
                root * /var/www/drankganzenbord.nl/html
                php_fastcgi / unix//var/run/php/php7.3-fpm.sock
        }
        import error404
}

3. The problem I’m having:

The site is missing a valid, trusted certificate. Checking the chain shows that the Fireware HTTPS Proxy certificate isn’t valid.

What even is WatchGuard and Fireware?

4. Error messages and/or full log output:

user@morvigor:~$ curl -v https://drankganzenbord.nl
*   Trying 185.95.13.16:443...
* TCP_NODELAY set
* Connected to drankganzenbord.nl (185.95.13.16) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=drankganzenbord.nl
*  start date: Aug 16 14:03:39 2022 GMT
*  expire date: Nov 14 14:03:38 2022 GMT
*  subjectAltName: host "drankganzenbord.nl" matched cert's "drankganzenbord.nl"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55a55efe48c0)
> GET / HTTP/2
> Host: drankganzenbord.nl
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< content-type: text/html; charset=UTF-8
< server: Caddy
< date: Tue, 16 Aug 2022 15:29:20 GMT
<

5. What I already tried:

Deleted all the certificates in /var/lib/caddy/.local/ and rebooted the system.
Used an online TLS checker to validate that it’s not just my browser.

6. Links to relevant resources:

Ah, your connections are being intercepted by a proxy. TLS is doing its job and protecting you from interception/attacks. Looks like your browser is affected but not curl.

I recommend you check with your system or network administrator. If you are that person, then you likely have malware.

2 Likes

I suspect corporate Wifi is to blame for this. Thanks for the quick respons of my (user)-error. At home everything works like a charm.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.