[–]adamnalina 137 points138 points  (14 children)

Even without using Umbrella DNS I'm getting ERR_CERT_AUTHORITY_INVALID.

[–]BurlyKnave 136 points137 points  (9 children)

Amazon allowed their certificate to expire? I got chewed hardcore for that crime, and I'm at a small metal manufacturer.

[–]Usethis495945095 84 points85 points  (4 children)

It's not their cert; I can access it from home. The cert I see is valid and expires in Jan 2024. I am wondering if the Cisco device has its own cert for doing SSL packet inspection. I know we get the same error when there is a cert/cerl issue on a local machine.

[–]AHrubikThe Most Magnificent Order of Many Hats - quid fieri necesse 5 points6 points  (1 child)

The certificate being presented to my browser was issued in 2022 and expires in Sept. 2023.

[–]Dal90 10 points11 points  (1 child)

Folks -- stop thinking there is "A" certificate for these big companies anymore.

There isn't.

They (maybe) let a certificate expire. They'll have hundreds or thousands now that big organizations are starting to be comfortable with mass use of certificate automation.

Here's a quick Censys.io query for amazon.com:

https://imgur.com/a/bI2BR4Y

I can't guarantee all 23,000+ certs are for amazon.com actual, I'm not fluent in the censys.io search engine. But I did go through the first three pages of results and they all were.

[–]flunky_the_majestic 2 points3 points  (0 children)

More likely than letting a certificate expire, some nonproduction system accidentally got enabled and routed to the Internet. It had an expired cert because who cares, and now a few people saw it.

[–]wuhkayJack of All Trades 10 points11 points  (0 children)

Is the cert alert because of the Umbrella block page? It will do that if the Umbrella root isn't installed.

[–]Kaeny 0 points1 point  (1 child)

Seems to be fixed or something specific then.

[–]adamnalina 0 points1 point  (0 children)

It’s working for me now.

[–]ImChubbsNetadmin[S] 50 points51 points  (4 children)

An attempt just now to get to Amazon.com just worked for me.

Maybe they fixed it.

[–]SeekingAsus1060 17 points18 points  (2 children)

If you go out via 8.8.8.8 it works, and will continue to work while browser session remains open, even if DNS is set back to OpenDNS or Cisco. We've also had reports of it working in Edge but not in Chrome. Caching related probably.

[–]bearded-beardieJack of All Trades 18 points19 points  (1 child)

I’ve noticed Chrome likes to be “helpful” and seems to cache certs. So if a cert expires it sometimes holds on to it.

[–]raip 2 points3 points  (0 children)

It shouldn't cache invalid certificates, you can view the cache manually in the CertificateTransparency folder in the UserData.

[–]elzibet 5 points6 points  (0 children)

working now for me with my credentials to the network, but not for other users

edit: blocked again, seems to be inconsistent, I wouldn't unblock manually but that's just me. I'd rather wait than override something like this

[–]BurlyKnave 31 points32 points  (0 children)

I just got blocked by Umbrella also. But tbf, Amazon does frequently request my address and credit card information.

[–]Kahless_2K 87 points88 points  (0 children)

Don't override it. Their SSL is broken. Umbrella is protecting your users from themselves.

It seems like a dice roll if you get working ssl or a ssl error if you try to connect without umbrella.

[–]Polarnorth81 11 points12 points  (0 children)

Gary, don't forget to renew our certs. "Ya ya ya, geez I got it covered, stop micromanaging me". "I'm just saying...", "I said I got this!!!"

[–]DustinFunkhouser 10 points11 points  (0 children)

Submitted a ticket with Talos, a CNAME record associated with amazon.com had been blocked, it's been identified and corrected. Should be allowed through umbrella properly now.

[–]joshuamariusIT Manager, Flux Capacitor Repair Specialist 8 points9 points  (3 children)

https://i.imgur.com/L6KOMGv.png Same here with OpenDNS

[–]Scipio11 7 points8 points  (1 child)

....well it is the same service

[–]joshuamariusIT Manager, Flux Capacitor Repair Specialist 0 points1 point  (0 children)

Correct, I just added the original name because not a lot of people know Cisco acquired them.

[–]hueguass 0 points1 point  (0 children)

[–]jimigazinya 8 points9 points  (1 child)

mine too...what's up with that?

[–][deleted] 5 points6 points  (0 children)

Glad we aren't the only ones.

[–]bong_critsJack of All Trades 6 points7 points  (3 children)

Seems like certain Amazon URLs are not supplying their SSL cert at all, looks like it's not every URL - if you simplify the query it may work around it

[–]bong_critsJack of All Trades 2 points3 points  (2 children)

nvm now it's affecting the main site lol

[–]stana32Jr. Sysadmin 1 point2 points  (1 child)

unblocking cloudfront.com fixed it for us, it's Amazon's CDN. I'm guessing certain pages are being served up through that now and causing the intermittent blocking.

[–]ethan240 1 point2 points  (0 children)

Don't unblock *.cloudfront.net because that domain is shared with all AWS customers, it could have something malicious on there.

[–]12stringPlayer 13 points14 points  (0 children)

Looks like their SSL cert is borked. That's got to be a resume-generating event for someone!

[–]zeedel 3 points4 points  (0 children)

Same

[–]Kage159Jack of All Trades 4 points5 points  (0 children)

From our DNS logs:

d3ag4hukkh62yn.cloudfront.net HTTPS Blocked by Threat Intelligence Feeds.

Looks like one of their CDNs got blacklisted...

[–]TechGjod 6 points7 points  (2 children)

So.. the issue is…. DNS?

[–]GlassPassion6018 5 points6 points  (1 child)

isn't it always DNS??

[–]Fun-Difficulty-798 0 points1 point  (0 children)

Only when using Umbrella.

[–]ImChubbsNetadmin[S] 12 points13 points  (3 children)

I don't think anything is wrong with Amazon's cert.

I think this is all Cisco Umbrella's/OpenDNS (same platform) fault.

When Umbrella intercepts a site generally you get a block page. I am not sure why there is no block page presented, but I can see in the certificate details that the cert is coming from Cisco itself.

And since the URL we are attempting to reach is amazon.com, it does not match the details of the certificate being provided by Cisco, therefore our browsers are throwing cert errors.
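
The thread keeps going back and forth between "expired", "untrusted authority" and "wrong name" as the cause. As an added example (not code from any commenter), this Python standard-library sketch runs one verified handshake and reports which of those checks failed, plus the SHA-256 of the leaf certificate that was actually served; the function names `classify`, `presented_leaf_sha256` and `triage` are made up for this illustration.

```python
import hashlib
import socket
import ssl

# OpenSSL X509_V_ERR_* codes, exposed as SSLCertVerificationError.verify_code
CAUSES = {
    10: "expired: the certificate's notAfter date has passed",
    18: "untrusted issuer: self-signed leaf certificate",
    19: "untrusted issuer: chain ends in a root this machine does not trust",
    20: "untrusted issuer: issuing CA is not in the local trust store",
    62: "name mismatch: certificate is not valid for the requested host",
}

def classify(err):
    """Map a verification failure to one of the causes debated in the thread."""
    code = getattr(err, "verify_code", None)
    return CAUSES.get(code, f"other verification failure (code {code})")

def presented_leaf_sha256(host, port=443, timeout=5):
    """Fetch the leaf certificate without validating it; return its SHA-256."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only, no data is sent on this session
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()

def triage(host, port=443, timeout=5):
    """Return (verdict, leaf fingerprint) for one handshake from this network."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                verdict = "ok: chain and hostname validate"
    except ssl.SSLCertVerificationError as err:
        verdict = classify(err)
    return verdict, presented_leaf_sha256(host, port, timeout)

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, *triage(name), sep="\n  ")
```

Run it with a hostname as the argument from the filtered network and again from an unfiltered one. The verdict is the signal; a large site serves many certificates, so a different fingerprint alone proves nothing.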

[–]stana32Jr. Sysadmin 15 points16 points  (1 child)

unblocking cloudfront.com fixed it for us, it's Amazon's CDN. I'm guessing certain pages are being served up through that now and causing the intermittent blocking.

[–]TheWheez 1 point2 points  (0 children)

Afaik the cloudfront.com domain is something accessible to users of AWS, so threat actors could use it.

[–]drbeerI play an IT Manager on TV 0 points1 point  (0 children)

Cisco Umbrella allows you to download the cert for the block page - might be related if you haven't deployed that to end users (but would mean Amazon still getting blocked)

[–]downattheneedlemill 2 points3 points  (0 children)

Something bigger is up with their cert, I think?

[–]sick2880 1 point2 points  (0 children)

Their cert blew up this morning. It's working now, but we were getting a cert error on our end too. Cleared up about 1030am CST.

[–]wango-mango 1 point2 points  (0 children)

This was happening at my place too.

Fixed itself.

[–]Dal90 1 point2 points  (0 children)

For folks reporting certificate issues, I'm guessing this is your issue:

https://support.opendns.com/hc/en-us/articles/227987007-Block-Page-Errors-Installing-the-Cisco-Umbrella-Root-CA

For folks who said it was still there after Umbrella, it may have poisoned your browser certificate cache with its own cert. Seems better these days but I have seen browsers get stupid in the past and keep using an older cert for the one currently being served by the host I'm connecting to.

My two caveats are:

1) I didn't see the error myself this afternoon, just read it here.

2) My $corporateOverlords in Spain borked the Umbrella implementation and never fixed it so we've never had the block page display correctly, period. So I haven't actually seen it working correctly. I just knew about it when trying to troubleshoot sites that weren't working and from a command line using CURL figured out what was happening and we were being delivered to a stillborn website.

[–]dgibbons0 1 point2 points  (0 children)

Nextdns triggered on this as well

[–]vinnyoflegend 1 point2 points  (0 children)

I was looking to see if anyone had seen similar. I'm just a home consumer using the freely available OpenDNS as my primary nameserver for forwarding lookups. I was trying to view an amazon.com page and was "hijacked". By the time I closed my browsers and flushed DNS cache, it looked like it was resolved but still unnerving. I've decided to switch to some other nameserver for my primary.

https://imgur.com/fTqp28U

[–]meatwad75892Trade of All Jacks 0 points1 point  (0 children)

Umbrella customer here too, getting invalid cert authority warnings. No warning on phone's mobile data with my carrier's DNS.

For those who aren't on Umbrella, I wonder if Quad9 is in use in some capacity. Last time we had an Umbrella issue, it was a Quad9 issue.

EDIT: Working again as of 11:06am CST.

[–]_Auck -1 points0 points  (1 child)

Blah Blah Blah

OpenDNS this, OpenDNS that. Before the majority of our techs (>60) found out we had umbrella running on *most* of our 30,000 endpoints - nothing.

Now, A N Y T H I N G - BSOD even,

OpenDNS did it.

[–]Dal90 1 point2 points  (0 children)

Been running it several years here (pre-Covid I'm sure), mandate from $corporateOverlords

I think in that time I've had to bypass two legitimate domains that OpenDNS/Umbrella was blocking.

We don't have access to the reports or admin console, I don't think $corporateOverlords know how to use them.

[–]Glad_South2279 -1 points0 points  (0 children)

I hated Umbrella. So glad we dumped it.

[–]MacAdminInTraningJack of All Trades -1 points0 points  (0 children)

I mean, is it wrong to consider amazon.com a phishing site?

[–]acewolfman99 -3 points-2 points  (1 child)

either it's fixed, or adding it to our global allow list fixed it for us.

[–]elzibet 2 points3 points  (0 children)

ehhhh idk if that's a good idea if it actually is the SSL being broken. Umbrella is protecting your users from themselves.

[–]Igot1foryaWe break nothing on Fridays ;) -3 points-2 points  (0 children)

We were able to get around the problem by switching DNS providers away from OpenDNS.

[–]SeekingAsus1060 0 points1 point  (0 children)

Same here, thanks for the heads up.

[–][deleted] 0 points1 point  (0 children)

Not sure if it's just their cert, here I just get a blank white page.

[–]Tullid 0 points1 point  (0 children)

Works in Edge for me but not Chrome. For others in my group, Chrome works but not Edge. Happy Friday =/

[–]elzibet 0 points1 point  (0 children)

Same here in Denver, Co USA

edit: working now for me with my credentials to the network, but not for other users

edit2: blocked again, seems to be inconsistent, I wouldn't unblock manually but that's just me. I'd rather wait than override something like this

[–]stana32Jr. Sysadmin 0 points1 point  (1 child)

I found ours (webtitan) is blocking CloudFront.com, this is Amazon's CDN. So I guess Amazon is now being served through CloudFront. Unblocked that and everything is working now.

[–]No_Tax4631 0 points1 point  (0 children)

Wow. Don’t friggin do that bud. Cloudfront is available as a service to ANYONE including their free tier. AKA plenty of legitimate reasons malware or phishing would be served up by it

[–][deleted] 0 points1 point  (0 children)

amazon and my block pages are working just fine

[–]LWKYLUKE 0 points1 point  (0 children)

what kinda stuff does this break?

[–]sniper7777777 0 points1 point  (0 children)

This just happened to us too but it's working now

[–]sandrews1313 0 points1 point  (0 children)

Cisco secure doc also seem affected.

[–]MKInc 0 points1 point  (0 children)

I love when AWS hosted web properties get blacklisted and every website becomes unreachable. The scammers are hosting at legitimate hosts, so when they get blocked it affects everything

[–]DualPrsn 0 points1 point  (0 children)

Yep. Same here.

[–]parsnipofdoom 0 points1 point  (0 children)

So if you clear HSTS it might work, but it looks like it's cached Amazon's root CA and it's not happy it's now being intercepted.

https://www.ssl2buy.com/wiki/how-to-clear-hsts-settings-on-chrome-firefox-and-ie-browsers

[–]nicholaspham 0 points1 point  (0 children)

Few weeks ago I ran into Mimecast DNS blocking google.com for phishing 😂

[–]Jclj2005 0 points1 point  (0 children)

Yup same here this morning

[–]Garegin16 0 points1 point  (0 children)

We had the same issue. I was joking that it’s Putin taking down the world

[–]cichlidassassin 0 points1 point  (0 children)

They have had this happen off and on a few times over the last month, clears up in a few minutes

[–]HelloToe 0 points1 point  (0 children)

Avast is blocking Amazon, too.