Since about last Thursday, I have been experiencing the following when accessing the www.ukclimbing.com site on an Android phone via Chrome:
1. No problem correctly accessing the site via home wifi.
2. Attempts to access the site over my phone's data network result in the following error:
"Your connection is not private ... [snip] ...
NET:ERR_CERT_COMMON_NAME_INVALID"
3. By contrast, I can access www.ukhillwalking.com correctly by both wifi and the data network
Is anybody else seeing anything similar? The certificates look okay to me (or at least, I can't spot any problem with them) so I'm confused by what's going on.
This could just be a 'me' problem of course. I confirm that I have completely flushed my browser cache.
Yes, been getting the same occasionally (on Android / Chrome).
Bizarrely, got same message(ish) when accessing 'the other channel' today on computer (Windows / Chrome) - working ok now.
Are you with O2? Or one of the virtual networks that uses them?
We have had reports of O2 users experiencing this, but unfortunately don’t have a fix as it’s O2's issue.
Using a VPN (or similar, such as iCloud private relay on iOS) should fix the issue.
It should pass, but frustrating while it lasts
> Are you with O2? Or one of the virtual networks that uses them?
Indeed. I use giffgaff.
> We have had reports of O2 users experiencing this, but unfortunately don’t have a fix as it’s O2's issue.
Okay, thanks. I'll just wait for it to sort itself out then.
I've been seeing this fairly regularly on O2/iPhone for the last month or so. Refuses to connect to the site for a few hours, then whatever it is resolves itself. It's weird if this is somehow the carrier's fault (and I haven't seen it happen for any other sites)...
I'm with Tesco Mobile, which uses O2. Sounds like that's the problem for me - no big deal. Thanks for the info.
> I've been seeing this fairly regularly on O2/iPhone for the last month or so. Refuses to connect to the site for a few hours, then whatever it is resolves itself. It's weird if this is somehow the carrier's fault (and I haven't seen it happen for any other sites)...
Ok, thanks. A month - wow! I hope this is getting reported to O2 - I'll do my best to log a fault report.
I've seen a similar problem in a commercial network, and the root cause turned out to be a buggy firewall which was mangling certificates. No idea what's going on in the current case - but I hope O2 get it sorted out. Detailed problem reports submitted to them should help.
> Since about last Thursday, I have been experiencing the following when accessing the www.ukclimbing.com site on an Android phone via Chrome:
> 1. No problem correctly accessing the site via home wifi.
> 2. Attempts to access the site over my phone's data network result in the following error:
> "Your connection is not private ... [snip] ...
> NET:ERR_CERT_COMMON_NAME_INVALID"
> 3. By contrast, I can access www.ukhillwalking.com correctly by both wifi and the data network
1, 2 & 3 exactly the same for me, also Android phone via Chrome and my mobile data is O2
Why would the certificate be showing as invalid via O2 but valid by other routes on the same device (like a mobile device on mobile data versus home WiFi)?
Is O2 "breaking" (TLS intercepting) the SSL/TLS traffic and doing a bad job? I'm used to seeing this done within big corporates, but I wouldn't want an ISP doing that!
> Is O2 "breaking" (TLS intercepting) the SSL/TLS traffic and doing a bad job? I'm used to seeing this done within big corporates, but I wouldn't want an ISP doing that!
Yeah, it's very weird. The only time I've seen this error is when I was using my PC as an internet proxy and spying on web traffic that apps on my phone were making.
Basically doing a man-in-the-middle attack, but not very well.
Phones that report the issue have no problem connecting via wi-fi or a VPN. It's only on their 4/5G network.
You were using Fiddler proxy? (It's very good, Burp Suite also). It has to be poorly implemented TLS interception. Without seeing the full details of the error causing cert it's hard to know for sure. The issue of wholesale TLS interception at ISP was being pushed (allowing that by the "DTI") roughly 10 years ago, but it got pushed back at the time.
When I've seen TLS interception (private sector) done various places, it was done well and users were kept unaware. But O2 must be clowns.
Better get a second layer of tin foil on my hat
Yeah, it was Fiddler proxy.
It could be a poor implementation of web page caching by O2 (or more accurately the supplier of the service they use to implement caching). An ISP wants to cache frequently used pages (e.g. UKC forum threads) as "close" to the page user as possible for latency & user experience benefits. Caching an encrypted page breaks the SSL/TLS certificate chain so users get the "Your connection is not private" message.
> It could be a poor implementation of web page caching by O2 ...
If that were the case, why would www.ukhillwalking.com/forums continue to work, while www.ukclimbing.com/forums is broken?
> If that were the case, why would www.ukhillwalking.com/forums continue to work, while www.ukclimbing.com/forums is broken?
Different cert chains for the two domains?
https://venafi.com/blog/how-do-certificate-chains-work/
Different caching logic triggered by the two domains?
Have you tried browser Incognito/Private mode to access UKC?
If that works - clear browser cache and retry.
> Different cert chains for the two domains?
Both just use Let's Encrypt.
> Different caching logic triggered by the two domains?
> Have you tried browser Incognito/Private mode to access UKC?
I'll try that and report back.
> I'll try that and report back.
Just to confirm: Using 'Incognito' mode doesn't affect the result. That is, I get exactly the same results as in the OP.
FROM LAPTOP AND HOME (BT) BROADBAND
Thought I requested http2 but http1 returned, possibly an error of mine.
>curl -v --http2 https://www.ukhillwalking.com/forums/
SAME REQUEST FROM LAPTOP BUT USING MY PHONE (O2) AS MOBILE HOTSPOT
curl -v --http2 https://www.ukhillwalking.com/forums/
* Trying 13.107.21.200:443...
* Connected to www.ukclimbing.com (13.107.21.200) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with www.ukclimbing.com port 443
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
CHECKING REQUEST FROM LAPTOP TO GOOGLE WORKS WHEN USING MY PHONE (O2) AS MOBILE HOTSPOT
curl -v --http2 https://www.google.com/
* Trying 216.239.38.120:443...
* Connected to www.google.com (216.239.38.120) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
What if you change the DNS server to not be o2's?
Not quite sure where you're going with the verbose curl other than showing detail of the TLS negotiation, personally due to the cert warning (and having seen TLS interception) I'd be interested in the full details of the cert received which may or may not have been sent by UKClimbing.com's webserver
> curl -v --http2 https://www.ukhillwalking.com/forums/
> * Trying 13.107.21.200:443...
> * Connected to www.ukclimbing.com (13.107.21.200) port 443 (#0)
That is consistent with the other fault reports. They were getting a bing.com SSL cert sent.
That IP is Microsoft - https://whois.domaintools.com/13.107.21.200
The correct IP for ukclimbing.com is 109.108.136.253
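The name check that curl (SEC_E_WRONG_PRINCIPAL) and Chrome (ERR_CERT_COMMON_NAME_INVALID) are failing on, as an added example written for this thread rather than code from UKC or from any poster: it retrieves the leaf certificate a server actually presents while still validating the chain, lists the DNS names on it, and applies the subjectAltName/wildcard comparison, so a certificate for the wrong domain (the bing.com one reported above) is identified rather than just rejected. The two sample certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the `*.bing.com` wildcard entry is an assumption used only to exercise the wildcard rule, not a claim about the real certificate.

```python
import socket
import ssl

def fetch_presented_cert(hostname, port=443, timeout=5.0):
    """Return the leaf certificate a server presents for `hostname`, as the
    dict produced by SSLSocket.getpeercert(). The chain is still validated
    against the system CA store, but the name check is disabled so that a
    certificate issued for some other domain is returned for inspection
    instead of being rejected before we can see it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # inspect the names ourselves below
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must still verify
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, with
    the subject commonName only as a fallback (browsers ignore the CN when a
    SAN extension is present)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for attr, value in rdn if attr == "commonName")
    return names

def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and
    a wildcard only as the whole left-most label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(hostname, cert):
    """True if any name on the certificate covers `hostname`."""
    return any(_name_matches(name, hostname) for name in san_dns_names(cert))

def explain(hostname, cert):
    """One-line verdict in the spirit of Chrome's error page."""
    names = ", ".join(san_dns_names(cert)) or "<no DNS names>"
    if hostname_matches(hostname, cert):
        return f"OK: certificate ({names}) covers {hostname}"
    return (f"NAME MISMATCH (NET::ERR_CERT_COMMON_NAME_INVALID): asked for {hostname}, "
            f"server presented a certificate for {names}")

# Constructed samples in getpeercert() shape. WRONG_CERT stands in for the
# bing.com certificate O2 users reported receiving; the "*.bing.com" entry is
# an assumption added to exercise the wildcard rule, not a claim about the real cert.
WRONG_CERT = {
    "subject": ((("commonName", "www.bing.com"),),),
    "subjectAltName": (("DNS", "www.bing.com"), ("DNS", "*.bing.com")),
}
RIGHT_CERT = {
    "subject": ((("commonName", "ukclimbing.com"),),),
    "subjectAltName": (("DNS", "ukclimbing.com"), ("DNS", "www.ukclimbing.com")),
}

if __name__ == "__main__":
    for cert in (RIGHT_CERT, WRONG_CERT):
        print(explain("www.ukclimbing.com", cert))
    try:   # live check; needs network access
        print(explain("www.ukclimbing.com", fetch_presented_cert("www.ukclimbing.com")))
    except OSError as exc:
        print("live check skipped:", exc)
```

Run it from a device on the affected network and the live line shows whose certificate is being served on the connection; if the chain fails to validate at all (an interception proxy with a private CA), `fetch_presented_cert` raises `ssl.SSLCertVerificationError` instead, which is itself a different and more telling symptom than the name mismatch seen here.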
> What if you change the DNS server to not be o2's?
I think that should fix it, 1.1.1.1 is a good DNS server.
This is a good solution for
Yes same problem using O2 and Chrome.
OK....
Phone Wifi off, O2 mobile data on, can't set dns to an IP address, however this works for surfing UKC on phone...
https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_...
Android 9 supports "Private DNS" which uses DNS-over-TLS to provide security and privacy for your DNS queries. You can configure it with the following steps.
Go to Settings ... Network & Internet ... Advanced ... Private DNS.
Select Private DNS provider hostname.
Enter dns.google as the hostname of the DNS provider.
Click Save.
Doesn't work for laptop when using phone as a mobile hotspot (still getting DNS from O2?) but that's not something I need as I just used phone as hotspot so I could do curl on laptop to test O2 mobile data.
> ...I'd be interested in the full details of the cert received which may or may not have been sent by UKClimbing.com's webserver
Not quite full details, but this is the cert a friend of mine received when seeing this same error. Obviously it's for completely the wrong domain, thus Chrome throwing the error.
> Not quite full details, but this is the cert a friend of mine received when seeing this same error. Obviously it's for completely the wrong domain, thus Chrome throwing the error.
Yes. As established above, it's a DNS error with O2. Very strange - and taking a long time to clear.
> Yes. As established above, it's a DNS error with O2. Very strange - and taking a long time to clear.
Months? I recall UKC not working on my phone previously, possibly before O2 took over the Virgin contracts. I wonder if it's only broken for former Virgin customers?
Laptop on BT Home Broadband, surfing UKC works
>nslookup ukclimbing.com
Non-authoritative answer:
Name: ukclimbing.com
Address: 109.108.136.253
Laptop on phone as wifi hotspot for O2 mobile data, surfing UKC doesn't work
>nslookup ukclimbing.com
Name: ukclimbing.com
Addresses: 2620:1ec:c11::200
204.79.197.200
13.107.21.200
Is there a way of tracing which DNS is in use beyond 192.168.1.254 or 192.168.43.6 local network?
Curiously, when I try to force use of 1.1.1.1 or 8.8.8.8, I still get the O2 DNS when I'm using mobile hotspot.
Laptop on BT Home Broadband
>nslookup ukclimbing.com 1.1.1.1
Non-authoritative answer:
Name: ukclimbing.com
Address: 109.108.136.253
>nslookup ukclimbing.com 8.8.8.8
Non-authoritative answer:
Name: ukclimbing.com
Address: 109.108.136.253
Laptop on phone as wifi hotspot for O2 mobile data
>nslookup ukclimbing.com 1.1.1.1
Name: ukclimbing.com
Addresses: 2620:1ec:c11::200
204.79.197.200
13.107.21.200
>nslookup ukclimbing.com 8.8.8.8
Name: ukclimbing.com
Addresses: 2620:1ec:c11::200
204.79.197.200
13.107.21.200
>ipconfig /flushdns - makes no difference to O2 DNS results
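One way to answer the question above about which resolver is really answering, added here as an example and not code from any poster: it sends a DNS query in wire format straight to a chosen resolver over UDP/53 (bypassing the OS stub resolver, as `nslookup name 1.1.1.1` does) and the same question over DNS-over-HTTPS (RFC 8484), which a transparent port-53 interceptor cannot rewrite, then compares the address sets. The two canned responses are constructed from the nslookup output in this thread (the expected 109.108.136.253 answer versus the 2620:1ec:c11::200 / 204.79.197.200 / 13.107.21.200 set) so the comparison can be exercised offline; the Cloudflare DoH endpoint URL is an assumption about where to send the live query.

```python
import base64
import random
import socket
import struct
import urllib.request

def build_query(name, qtype=1, txid=None):
    """Wire-format DNS query (RFC 1035): header with RD set, one question."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN

def _read_name(msg, off):
    """Read a possibly-compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_answers(msg):
    """Return (rcode, sorted list of A/AAAA addresses) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return flags & 0xF, sorted(addrs)

def query_udp(resolver, name, qtype=1, timeout=3.0):
    """Ask `resolver` directly over UDP/53, bypassing the OS stub resolver."""
    txid = random.randrange(65536)
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        response, _ = sock.recvfrom(4096)
    if response[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_answers(response)[1]

DOH_URL = "https://cloudflare-dns.com/dns-query"   # assumption: 1.1.1.1's RFC 8484 endpoint

def query_doh(name, qtype=1, url=DOH_URL, timeout=5.0):
    """Same question over DNS-over-HTTPS (RFC 8484 GET); a port-53
    interceptor cannot rewrite this answer."""
    query = build_query(name, qtype, txid=0)           # id 0 per RFC 8484 section 4.1
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    req = urllib.request.Request(f"{url}?dns={encoded}",
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_answers(resp.read())[1]

def resolvers_agree(answers_a, answers_b):
    """True when two resolvers returned the same address set."""
    return set(answers_a) == set(answers_b)

def _canned_response(name, records):
    """Constructed response for offline use: question, then answers whose
    owner name is a compression pointer back to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = build_query(name, 1, txid=0x1234)[12:]
    body = b""
    for rtype, addr in records:
        raw = socket.inet_pton(socket.AF_INET6 if rtype == 28 else socket.AF_INET, addr)
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(raw)) + raw
    return header + question + body

# Constructed from the nslookup output in this thread.
EXPECTED = _canned_response("ukclimbing.com", [(1, "109.108.136.253")])
VIA_O2 = _canned_response("ukclimbing.com", [(28, "2620:1ec:c11::200"),
                                             (1, "204.79.197.200"),
                                             (1, "13.107.21.200")])

if __name__ == "__main__":
    ok = parse_answers(EXPECTED)[1]
    o2 = parse_answers(VIA_O2)[1]
    print("expected:", ok, "| via O2:", o2, "| agree:", resolvers_agree(ok, o2))
    try:   # live comparison; needs network access
        udp, doh = query_udp("1.1.1.1", "ukclimbing.com"), query_doh("ukclimbing.com")
        print("UDP/53 to 1.1.1.1:", udp, "| DoH:", doh, "| agree:", resolvers_agree(udp, doh))
    except OSError as exc:
        print("live check skipped:", exc)
```

For a single-origin host like ukclimbing.com, UDP answers from 1.1.1.1 and 8.8.8.8 that are identical to each other and to the carrier's answer (exactly what the nslookup runs above show) while the DoH answer differs is the signature of port-53 queries being answered by something other than the resolver they were addressed to; a matching DoH answer would instead point at the resolver itself. For CDN-hosted names the address sets can legitimately differ per resolver, so there the useful comparison is who owns the returned addresses rather than exact equality.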