Security certificate error

When I try to connect to my weather station, I get a security error related to a problem with the security certificate. I’ve attached a screenshot. Is anyone else experiencing this?


I’m running a Chrome browser on a Chromebook. Chrome OS Version 71.0.3578.127 (Official Build) (64-bit).

I just tested and I am not getting that error.

@dsj - Why is the Let’s Encrypt certificate on that server issued to host www.santhoshramaiah.com and not smartweather.weatherflow.com???

1 Like

I tested using an Edge browser on a Win10 machine and got the security error there as well. I also tried connecting from a different WiFi network, but that made no difference. I’m in the Boston area, so perhaps other regional servers are okay. Otherwise I’d expect widespread reports of issues.

Indeed there is some mix-up; maybe a shared hosting setup that linked the wrong certs to the wrong account???

2 Likes

I am being left out of the fun.

Do other SSL web sites work? I remember seeing a report at work from someone who was receiving this type of error, and it was caused by their ISP trying to hijack HTTP/HTTPS requests to display a web page saying that they had exceeded their monthly bandwidth allocation. SSL has taken much of the fun out of captive portals these days. :(

Do you have a network firewall or malware scanner that’s trying to do man-in-the-middle malware checks on SSL traffic? That would be another explanation for why it is happening on multiple machines…

2 Likes

I just looked deeper at the Let’s Encrypt certificate. It contains a long list of SAN hosts (subject alternate names) for all kinds of curious domains around the world. Last time that I checked, Let’s Encrypt did not issue SAN or wildcard certificates. Their web site says that they do now, since last spring. This is actually good news for another project I’m working on that needs a wildcard certificate!


My guess is that WF and the above are all using some sort of load balancer or shared host, and this is not the issue…

2 Likes

I’m able to get to other SSL sites just fine. I don’t have a network firewall or malware scanner (that I know of). Xfinity provides my internet, and I’ve got a Google WiFi network. I tried connecting through both the Google WiFi and the WiFi built into the Xfinity router…both gave me the error. Next chance I get, I’ll connect through another network (local library, for example) and see if it’s my home connection that’s the problem.

2 Likes

And of course, this just began happening today. I’ve had no trouble connecting previously. Something’s changed.

Another screenshot, with some details. I know enough to get to this data, but not enough to be able to interpret it. It says the security certificate is missing. I’m not clear on the (expired) xfinity certificate info.


There’s a thing going on to replace the type of cert/renewal mechanism as of about 2 weeks from now, I know I’ve gotten a couple notifications from them about my internet-facing website along those lines.

I’m wondering if WF might think about renewing their cert manually with Let’s Encrypt, just in case. That list looks really really wrong to me if that cert indeed handles all those sites.

How did you ‘look deeper’? I’d like to check my site the same way, just in case…

Here’s the mail I got twice from them, although my site ‘is’ on the new way, so I haven’t deciphered why they’re emailing me that there’s an issue. Posting here just in case there’s a connection to what you’re seeing with WF cert…

Hello,

Action may be required to prevent your Let's Encrypt certificate renewals
from breaking.

If you already received a similar e-mail, this one contains updated
information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):

 my.fqdn.omitted (my.public.ipaddr.omitted) on 2018-12-16

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.

You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like
to test whether your system will work after February 13, you can run
against staging: https://letsencrypt.org/docs/staging-environment/

If you're a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API
announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let's Encrypt Staff

1 Like

My station URL, in case it’s useful: https://smartweather.weatherflow.com/share/1661/grid

As I thought, somebody (xfinity) is doing a MitM hijack of your SSL connection:

http://low-xdns.xfinity.com/


The certificate seems to be valid, at least from my non-xfinity ISP connection. Did you check the date/year on your computer(s)???

2 Likes

Most browsers will give you certificate details if you click/double-click on the lock icon or https:// text on the left of the address bar.

smartweather.weatherflow.com is being hosted on a shared server or load balancer with all of those other hostnames, so it may not be possible for WF to replace that certificate…

1 Like
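An added example (not from this thread or any of its posters): a Python script that pulls the served certificate the same way the browser's lock icon does and reports the three things discussed above, whether the hostname is in the SAN list, whether the issuer is the CA you expect (an interception proxy shows up as an unexpected issuer), and whether the certificate has expired. The two certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns; the proxy's issuer name and the `example.net` / `isp.example` hostnames are placeholders.

```python
import socket
import ssl
import time

def fetch_peer_cert(host, port=443):
    """Live check (not used by the samples below): verified TLS connect,
    return the peer cert in the dict shape getpeercert() produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def hostname_matches(pattern, hostname):
    """Exact match, or a wildcard that covers the leftmost label only."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def _name_attr(name_seq, key):
    # getpeercert() encodes a Name as a tuple of RDNs, each a tuple of (k, v)
    return next((v for rdn in name_seq for k, v in rdn if k == key), None)

def inspect_cert(cert, hostname, expected_issuer_org, now_epoch=None):
    """Report the three things a browser checks: name, issuer, validity."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer_org = _name_attr(cert["issuer"], "organizationName")
    return {
        "issuer_org": issuer_org,
        "issuer_ok": issuer_org == expected_issuer_org,
        "hostname_ok": any(hostname_matches(s, hostname) for s in sans),
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now_epoch,
        "san_count": len(sans),
    }

# Constructed sample: multi-SAN Let's Encrypt cert on a shared host; the
# station's name is only in the SAN list, the CN belongs to another tenant.
SHARED_HOST_CERT = {
    "subject": ((("commonName", "www.santhoshramaiah.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "www.santhoshramaiah.com"),
                       ("DNS", "smartweather.weatherflow.com"),
                       ("DNS", "shop.example.net")),
    "notAfter": "Apr 10 12:00:00 2019 GMT",
}
# Constructed sample: an ISP filtering proxy serving its own expired cert
PROXY_CERT = {
    "issuer": ((("organizationName", "Example ISP Filtering CA"),),),  # placeholder
    "subjectAltName": (("DNS", "filter-proxy.isp.example"),),
    "notAfter": "Jan 05 00:00:00 2019 GMT",
}
```

Run `inspect_cert(fetch_peer_cert("smartweather.weatherflow.com"), "smartweather.weatherflow.com", "Let's Encrypt")` from the affected network and from a clean one; a differing `issuer_org` between the two is the signature of an interception proxy rather than a server-side misconfiguration.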

You guys (and this forum in general) ROCK! I turned Xfinity’s Protected Browsing off and all’s well. I’m curious about why it just started happening…I checked the dates/times on my computers, and everything’s in sync. And if it was a timestamp issue, I’d think other SSL sites would be affected.

In any case, my issue’s been resolved. Many thanks to all for the assistance.

2 Likes

Please mark post 15 as the solution.

1 Like

Done. Thank you again for the assistance.

A quick follow-up… I checked my XFi app, hoping I could whitelist Smartweather. Nope, not possible (at this time). However, I learned that they are using Zvelo to check security. So I went to Zvelo’s site and used their URL checker (https://tools.zvelo.com/) on the Smartweather URL. It came back clean. Guess it’ll remain a mystery.

1 Like