
Letsencrypt/certbot confusion



Posted

I switched my nginx version to mainline and forgot to install the certbot plugin, so of course the certbot update failed.
I fixed the problem but what I now see is strange...
this:

root@Inet~/bin certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: <redacted>.com
    Serial Number: <redacted>
    Key Type: RSA
    Domains: <redacted>.com
    Expiry Date: 2024-09-06 22:56:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/<redacted>.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/<redacted>.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

and this:

[Attached image: image.png]

So why do the browsers say the cert is good for 1 year and certbot says 3 months?
Also why is NordVPN the issuer? NordVPN is not and has not ever been installed on my internet ('Inet') server...
Although when I renewed this manually I was ssh'ing from a Win 11 VM (with NordVPN enabled) on Proxmox to my Debian internet ('Inet') server...
...Internet searches gave me no clarity so I thought I'd ask here...😁

Q-Droid
Posted

That looks like the image captured was going through an outbound security proxy inspecting traffic, basically MITM.

 

  • Like 1
Posted
10 hours ago, Q-Droid said:

That looks like the image captured was going through an outbound security proxy inspecting traffic, basically MITM.

I guess that's possible but this only happens on the Win 11 VM; every other VM or computer/device gets the proper date and says it's Let's Encrypt (all are hardwired, except for my phone and tablet). Also this happens regardless of NordVPN installed/on/off.

  • Solution
Q-Droid
Posted

Right. Because it's not your Emby server but your Windows VM (client) doing this. If you are using NordVPN you probably have some other Nord security product enabled in that VM functioning as a forward proxy traffic inspector.

Maybe you still don't understand so I'll explain but you might not like it. The Nord Threat Protection that is doing this (or some other component. I don't know - don't use it) intercepts the outbound connections you initiate, does TLS termination and establishes a TLS connection with your original destination. So your HTTPS/TLS traffic is in clear text and visible to this component. Now this might not work with all sites and some well known ones could be considered secure and excluded. This is the man-in-the-middle (MITM), machine-in-the-middle or the current sensitive, inclusive and politically correct iteration - On-Path. Very common in the enterprise where you can see that sites are not presenting their own certs but ones issued by a security appliance and/or internal corporate CA. I wouldn't ever use something like this on my private network unless I had one that was home grown, fully managed and trusted by me. In the corporate world that's different because it's their network. I guess NordVPN could pinky-promise that they would never ever do something shady with your data.

 

 

  • Thanks 1
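A way to confirm the diagnosis above from both ends, as an added example that is not part of the original thread: fingerprint the leaf in certbot's fullchain.pem on the server and compare it with the certificate the client is actually served. The function names and the sample values (placeholder certificate bytes, inspection CA name, dates) are constructed for illustration.

```python
import hashlib
import socket
import ssl

END = "-----END CERTIFICATE-----"

def leaf_fingerprint(fullchain_pem):
    """SHA-256 of the first (leaf) certificate in certbot's fullchain.pem text."""
    leaf = fullchain_pem.strip()
    leaf = leaf[: leaf.index(END) + len(END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def fetch_observed(host, port=443):
    """Run on the client: fingerprint and parsed fields of the certificate it is served.
    A verification error here means the chain is not trusted by Python's trust
    store, which is itself worth investigating."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest(), tls.getpeercert()

def diagnose(expected_fp, observed_fp, observed_cert):
    """Compare what the server holds with what the client was handed.
    A mismatch with an unexpected issuer points at re-signing on the path;
    a mismatch with the same issuer may just be a server that was not reloaded."""
    issuer = dict(pair for rdn in observed_cert.get("issuer", ()) for pair in rdn)
    lifetime = (ssl.cert_time_to_seconds(observed_cert["notAfter"])
                - ssl.cert_time_to_seconds(observed_cert["notBefore"])) // 86400
    return {
        "matches_server": observed_fp == expected_fp,
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "lifetime_days": lifetime,
    }

# Constructed sample: placeholder bytes stand in for real DER certificates.
SERVER_PEM = (ssl.DER_cert_to_PEM_cert(b"constructed-server-leaf")
              + ssl.DER_cert_to_PEM_cert(b"constructed-intermediate"))
SEEN_ON_CLIENT = {  # shape of SSLSocket.getpeercert(); values are constructed
    "issuer": ((("organizationName", "NordVPN"),),
               (("commonName", "Constructed Inspection CA"),)),
    "notBefore": "Jun  9 00:00:00 2024 GMT",
    "notAfter": "Jun  9 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    expected = leaf_fingerprint(SERVER_PEM)
    resigned = hashlib.sha256(b"constructed-proxy-leaf").hexdigest()
    print(diagnose(expected, resigned, SEEN_ON_CLIENT))
```

On a real setup, feed `leaf_fingerprint` the contents of the fullchain.pem path that `certbot certificates` prints, and call `fetch_observed` from the machine whose browser shows the odd issuer.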
Posted (edited)
2 hours ago, Q-Droid said:

The Nord Threat Protection that is doing this (or some other component.

Thanks, now I see that Nord on Windows leaves the 'Threat protection/Web Protection' on even if you disconnect the VPN.

I should know better than to use Windows...😉

Edited by TMCsw
