It might be filtering the CRL or OCSP verification for the SSL certificate. For GoDaddy I think this would be:

http://crl.godaddy.com/
http://ocsp.godaddy.com/
http://certificates.godaddy.com/

We ran into this when OS X changed how it handles SSL a few years back; our captive portal was presenting a splash page in place of Thawte OCSP and crashing the SSL keychain process. The work-around was either to respond with a TCP RST for these requests or to allow them through.

On Thu, Mar 26, 2015 at 11:57 PM, Lewis,Mitchell T. <ml-na...@techcompute.net> wrote:
> Meraki Access Points are interesting devices.
>
> I have found they cause issues with Linux firewalls if the Merakis are not
> configured "correctly".
>
> Meraki Access Points do content inspection, which I have found can
> produce symptoms similar to yours, although I have not experienced what you
> are describing. Since the MX64W is both an Access Point & security gateway,
> it has some additional content inspection/intelligence for its security
> appliance role on top of the functions it performs as an access point, the
> same functions which are found in Meraki standalone access points as well.
>
> I am not sure what the specifics are as I do not use Meraki security
> appliances but it is worth checking. I have found with Meraki that items in
> the control panel/dashboard are not always labeled the best so I have found
> it is usually worth putting in a ticket with them and/or a call to them to
> see what they think (1-888-490-0918).
>
> Mitchell T. Lewis
> mle...@techcompute.net
> www.linkedin.com/in/mlewiscc
> Mobile: (203)816-0371
> PGP Fingerprint: 79F2A12BAC77827581C734212AFA805732A1394E
> Public PGP Key
>
> A computer will do what you tell it to do, but that may be much different
> from what you had in mind. ~Joseph Weizenbaum
>
> ----- Original Message -----
>
> From: "Mike" <mike-na...@tiedyenetworks.com>
> To: nanog@nanog.org
> Sent: Thursday, March 26, 2015 6:38:55 PM
> Subject: Broken SSL cert caused by router?
>
> Hi,
>
> I have a very odd problem.
>
> We've recently gotten a 'real' SSL certificate from GoDaddy to
> cover our domain (*.domain.com) and have installed it in several places
> where needed for email (IMAP/STARTTLS etc.) and web. This works
> great, seems OK according to various online TLS certificate checkers,
> and I get the green lock when testing using my own browsers and such.
>
> I have a customer however that uses our web mail system now secured
> with SSL. I myself and many others use it and get the green lock. But,
> whenever any station at the customer tries using it, they get a broken
> lock and 'your connection is not private'. The actual error displayed
> below is 'cert_authority_invalid' and it's "Go Daddy Secure Certificate
> Authority - G2". And it gets worse - whenever I go to the location and
> use my own laptop, the very one that 'works' when at my office, I ALSO
> get the error. AND EVEN WORSE - when I connect to my cell phone provided
> hotspot, the error goes away!
>
> As weird as this all sounds, I got it nailed down to one device -
> they have a Cisco/Meraki MX64W as their internet gateway - and when I
> remove that device from the chain and go 'straight' out to the internet,
> suddenly, the certificate problem goes away entirely.
>
> How is this possible? Can anyone comment on these devices and tell
> me what might be going on here?
>
> Mike-

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
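A small probe for the failure mode Ray describes (a gateway or captive portal answering a CRL/OCSP fetch with its own HTML page, versus cleanly resetting it, versus letting it through), added here as an example; it is not code from the thread, from Meraki or from GoDaddy. The three URLs are the ones Ray lists for GoDaddy; the Content-Type rules and the interpretation table are this example's own assumptions. A bare GET to a responder's root may legitimately return something other than PKI data, so for a real check feed it the exact OCSP and CRL URLs taken from the certificate (`openssl x509 -in cert.pem -noout -ocsp_uri`, and the CRL Distribution Points from `openssl x509 -in cert.pem -noout -text`) and compare the result from inside the suspect network with the same run from an unfiltered one, such as the phone hotspot in Mike's report.

```python
"""Probe the path to a CA's CRL/OCSP endpoints and say how it fails.

Added example for the NANOG thread above; not code from the thread, Meraki
or GoDaddy. URL list is from Ray's post; classification rules are assumptions.
"""
import socket
import sys
import urllib.error
import urllib.request
from typing import Optional

# From the post: GoDaddy's CRL / OCSP / AIA hosts. Assumption: a GET to the
# root is enough to see whether something in the path interposes itself.
REVOCATION_URLS = [
    "http://crl.godaddy.com/",
    "http://ocsp.godaddy.com/",
    "http://certificates.godaddy.com/",
]

# Media types real revocation/AIA endpoints serve (CRL, OCSP, CA certs).
PKI_CONTENT_TYPES = {
    "application/pkix-crl", "application/x-pkcs7-crl",
    "application/ocsp-response", "application/pkix-cert",
    "application/x-x509-ca-cert", "application/pkcs7-mime",
}

INTERPRETATION = {
    "pki-response": "revocation data passed through",
    "html-page": ("HTML where PKI data was expected: likely a splash/block page "
                  "in the path (the failure in the thread); confirm from an "
                  "unfiltered network"),
    "reset": ("connection reset/refused: blocked, but cleanly (the RST "
              "work-around); soft-fail clients treat it as 'no revocation info'"),
    "timeout": "silently dropped: clients stall until their revocation timeout",
    "other-http": "reachable, non-PKI non-HTML answer (a root GET may do this)",
    "unknown": "could not classify",
}


def classify(status: Optional[int], content_type: Optional[str], body: bytes,
             error: Optional[str] = None) -> str:
    """Map one probe result to a category key of INTERPRETATION."""
    if error in ("reset", "timeout"):
        return error
    if status is None:
        return "unknown"
    ct = (content_type or "").split(";")[0].strip().lower()
    if ct in PKI_CONTENT_TYPES:
        return "pki-response"
    head = body.lstrip()[:15].lower()
    # Interposed pages often lie about Content-Type, so sniff the body too.
    if ct == "text/html" or head.startswith((b"<!doctype html", b"<html")):
        return "html-page"
    return "other-http"


def probe(url: str, timeout: float = 5.0) -> str:
    """GET url and classify what came back (network access required)."""
    req = urllib.request.Request(url, headers={"User-Agent": "revocation-path-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Type"), resp.read(512))
    except urllib.error.HTTPError as e:          # 4xx/5xx still carry a body
        return classify(e.code, e.headers.get("Content-Type"), e.read(512))
    except urllib.error.URLError as e:           # connect-phase failures
        reason = e.reason
        if isinstance(reason, socket.timeout):
            return classify(None, None, b"", error="timeout")
        if isinstance(reason, (ConnectionResetError, ConnectionRefusedError)):
            return classify(None, None, b"", error="reset")
        return classify(None, None, b"", error=str(reason))
    except socket.timeout:                       # read-phase timeout
        return classify(None, None, b"", error="timeout")
    except (ConnectionResetError, ConnectionRefusedError):
        return classify(None, None, b"", error="reset")


if __name__ == "__main__":
    # Usage: python revocation_path_check.py [url ...]; defaults to the post's list.
    for target in (sys.argv[1:] or REVOCATION_URLS):
        verdict = probe(target)
        print(f"{target:40s} {verdict:13s} {INTERPRETATION[verdict]}")
```

Run it twice, once behind the MX64W and once on the hotspot, and diff the verdict column: a URL that is `pki-response` or `other-http` outside but `html-page` or `timeout` inside is the one the gateway is interposing on.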