I have a bizarre situation accessing a site, that uses desec DNS …
Everything works perfectly, until I connect to Eduroam on any internal Faculty network. When I do, I get a certificate error that safe connection to the server is not possible and a question, if I want to allow different certificate.
That does not happen with any other site.
The issuer certificate of a locally looked up certificate could not be verified.
Issuer: FG200FT …
Unit: Certificate Authority
This is of course not desec.io.
Should I accept this Fortinet certificate?
That sounds like the network you are on is using a proxy server which decrypts and then reencrypts HTTPS traffic. Since it does not have the private key for the original certificate it uses its own certificate.
NOTE: Traffic on this network is no longer secure. There is a man-in-the-middle which can read all of the traffic that is supposed to be encrypted! This might be intentional to facilitate malware or other content scans, or it might not.
Personally I’m not a fan of systems like that, but if it is intentional then I’m sure the administrators of the network have their reasons. You should contact their IT support to verify that the fake certificate your client sees is in fact trustworthy.
I do not see any relation to DNS (deSEC or DNSSEC) here though. When a client accesses a web server, it first uses DNS to resolve the hostname to an IP address. This may involve deSEC name servers and DNSSEC, depending on the hostname. Once the client has the resolved IP it then makes a TLS connection (for HTTPS) to the web server, which is where the proxy comes into play.
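A client-side check that tells the two situations apart, added here as an example and not code from either poster: it fetches the certificate the network actually presents for a hostname (when online) and compares its issuer with the CA the site is known to use. The expected issuer organization, the hostname and both sample certificate dicts are assumptions constructed for the demonstration; they are shaped like what Python's `ssl.getpeercert()` returns, and the issuer values in the "intercepted" sample are the ones quoted in the question.

```python
import socket
import ssl

# Assumption: the site is issued by Let's Encrypt, as the poster states.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl.getpeercert() dict into a plain dict."""
    return {k: v for rdn in cert.get("issuer", ()) for (k, v) in rdn}


def classify_issuer(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """'expected' if the issuer is the site's known CA, otherwise 'unexpected'.

    An unexpected issuer on a site that normally uses Let's Encrypt means the
    certificate the client sees was minted by something between client and
    server (an inspecting proxy), so the connection is not end-to-end.
    """
    org = issuer_fields(cert).get("organizationName")
    return "expected" if org in expected_orgs else "unexpected"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the certificate presented for hostname using the system trust store.

    Returns (cert_dict, None) on success or (None, reason) on failure. A
    verification failure is itself a signal: the chain is not one this
    client trusts, which is exactly what an intercepting proxy produces.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:  # subclass of OSError, check first
        return None, f"verification failed: {exc.verify_message}"
    except OSError as exc:
        return None, f"connection failed: {exc}"


# Constructed samples in ssl.getpeercert() shape (hostnames are placeholders).
GENUINE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
}
INTERCEPTED_CERT = {  # issuer values as quoted in the question above
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": ((("organizationalUnitName", "Certificate Authority"),),
               (("commonName", "FG200FT"),)),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(f"{label}: issuer={issuer_fields(cert)} -> {classify_issuer(cert)}")
```

Running `fetch_peer_cert("the-site-in-question.example")` once on a normal network and once on the Eduroam network, then passing any returned dict to `classify_issuer`, shows directly whether the issuer changes with the network, which is the proxy's fingerprint.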
thank you very much! Ok, then I need to bug admins.
Since I do not know anything about it …
So, until I accept, the traffic is still encrypted?
The site is secured by Let’s Encrypt and I get a green light everywhere, except here.
The traffic will probably be encrypted between the source and the proxy, as well between the proxy and your client. But the proxy will have full access. If the proxy is malicious or buggy then you have a problem. Privacy and censorship may also need to be taken into account as the proxy will also see login credentials that would normally be encrypted.
This is not E2EE (End to End Encryption)!
I will try to get more answers.