[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Broken SSL cert caused by router?

Meraki Access Points are interesting devices. 

I have found they cause issues with Linux firewalls if the merakis are not configured "correctly". 

Meraki Access Points do content inspections which I have found can cause produce symptoms similar to yours, although I have not experienced what you are describing. Since the MX64W is both an Access Point & security gateway, it has some additional content inspection/intelligence for it's security appliance role on top of the functions it performs as an access point, the same functions which are found in Meraki standalone access points as well. 

I am not sure what the specifics are as I do not use Meraki security appliances but it is worth checking. I have found with Meraki that items in the control panel/dashboard are not always labeled the best so I have found it is usually worth putting in a ticket with them and/or a call to them to see what they think (1-888-490-0918). 

Mitchell T. Lewis 
Mlewis at Techcompute.Net 
: www.linkedin.com/in/mlewiscc 
Mobile: (203)816-0371 
PGP Fingerprint: 79F2A12BAC77827581C734212AFA805732A1394E Public PGP Key 


A computer will do what you tell it to do, but that may be much different from what you had in mind. ~Joseph Weizenbaum 	

----- Original Message -----

From: "Mike" <mike-nanog at tiedyenetworks.com> 
To: nanog at nanog.org 
Sent: Thursday, March 26, 2015 6:38:55 PM 
Subject: Broken SSL cert caused by router? 


I have a very odd problem. 

We've recently gotten a 'real' ssl certificate from godaddy to 
cover our domain (*.domain.com) and have installed it in several places 
where needed for email (imap/starttls and etc) and web. This works 
great, seems ok according to various online TLS certificate checkers, 
and I get the green lock when testing using my own browsers and such. 

I have a customer however that uses our web mail system now secured 
with ssl. I myself and many others use it and get the green lock. But, 
whenever any station at the customer tries using it, they get a broken 
lock and 'your connection is not private'. The actual error displayed 
below is 'cert_authority_invalid' and it's "Go Daddy Secure Certificate 
Authority - G2". And it gets worse - whenever I go to the location and 
use my own laptop, the very one that 'works' when at my office, I ALSO 
get the error. AND EVEN WORSE - when I connect to my cell phone provided 
hotspot, the error goes away! 

As weird as this all sounds, I got it nailed down to one device - 
they have a Cisco/Meraki MX64W as their internet gateway - and when I 
remove that device from the chain and go 'straight' out to the internet, 
suddenly, the certificate problem goes away entirely. 

How is this possible? Can anyone comment on these devices and tell 
me what might be going on here?