• caglararli@hotmail.com
  • 05386281520

SSL certificates and firewall blacklists

Çağlar Arlı      -    17 Views

SSL certificates and firewall blacklists

We have a domain, erbaharlab.com, which we have bought for our research group.

www.erbaharlab.com contains our research group website, nanospacejm2.erbaharlab.com contains a conference website and there might be other conference subdomains in the future, cdn.erbaharlab.com contains assets and uploads which we have created after Cloudflare migration with Cloudflare Pages. erbaharlab.com redirects to www.erbaharlab.com.

We have been dealing with firewall blacklists recently. We have moved our domain's NS records to Cloudflare's free plan and are making the necessary implementations.

Our current SSL certificates can be viewed from crt.sh https://crt.sh/?q=erbaharlab.com&dir=^&sort=1&group=none. In the implementation, the certificate with the common name erbaharlab.com which ends on 2024-05-09 is active for www.erbaharlab.com and nanospacejm2.erbaharlab.com. The certificate with the common name cdn.erbaharlab.com is active on cdn.erbaharlab.com.

The CAA records for the domain are automatically created by Cloudflare and cover all registered SSL certificates.

nanospacejm2.erbaharlab.com is much more important for us right now since we have to receive registration for the conference. People with some firewalls have trouble accessing the website.

Today, we were trying to reach nanospacejm2.erbaharlab.com in an institution which uses Sophos as a firewall but it was blacklisted. And we realised that when one tries to reach nanospacejm2.erbaharlab.com it is blocked. But, if one tries to reach www.erbaharlab.com first and then tries to reach nanospacejm2.erbaharlab.com there is no problem with reaching the website. The expected behaviour is being unable to reach the blacklisted subdomain.

Is there any wrong configuration with the SSL certificates, which might cause the firewall blacklisting? If there is nothing wrong with the SSL certificates, how to understand there is nothing wrong?