mvexel closed this issue 1 year ago
Hi @mvexel, first let me say my English writing is not good, so please forgive me...
> Is there anything we can do to mitigate this? Is this related?
- no. if you not government or related, there any problem.
In this case, Iranian users used "Let's Encrypt Certificate" in websites or anti-filter tools (OpenConnect, Shadowsocks, Streisand script, etc.). Therefore, the Iranian government has imposed restrictions on "Let's Encrypt Certificate"; this action will make users unable to bypass censorship. So the only solution is to use a filter breaker (Tor, etc.).
I used this script and checked the maproulette website; this is the result: we have to load http://maproulette.org, but "http" redirects to "https" and our problems begin...
Please try the "Comodo" certificate from the "Cloudflare free plan".
Hi @mvexel, I'm the one who sent an email to you. The details of why this problem occurs are rather hard and complex. To put it simply, just like my friend @Sosha1996 said, because LetsEncrypt is a free service, some Iranian users use it for their proxy websites, so the government put some restrictions on it.
Not all of the websites using LetsEncrypt are restricted here; for example, openstreetmap.org is using LetsEncrypt too and we don't have any problem with it.
We hope you could change the cert or enable http (which is not a good idea...).
Also, I can send Wireshark packet captures if you want to investigate the problem yourself.
Thanks
Short of switching certificate providers, another thing we could consider (as @TahmasbiOSM suggested as not a good idea :) is creating a subdomain like insecure.maproulette.org that serves the application over non-SSL http, for those who can't work with the letsencrypt certificates?
Today my attention was drawn to the MapRoulette IP address. Your server is on Digital Ocean.
A few months ago, Digital Ocean restricted IP addresses of Iran (banned 5 countries).
A few minutes ago, I spoke to my friends, and they confirmed the Iranian government has imposed restrictions on Digital Ocean.
So, as I said before, Cloudflare is the solution to this problem.
Please use Cloudflare.
Dear @Sosha1996, DigitalOcean didn't restrict Iranian users, just the ones that want to buy a service from them. It means you can't buy anything from them. Also, we don't have any problem communicating with maproulette's server IP address (198.199.72.41); you can ping it or even access it with your browser.
@mvexel I think it's better to use that insecure subdomain you suggested, just to be sure whether it's a cert problem or a server restriction.
Yesterday I scanned the IP range of maproulette.org (198.199.72.1-198.199.72.255) to find other websites hosted by Digital Ocean, to see if we have a problem accessing them or not.

- https://www.topoptin.com uses a Sectigo cert
- https://rbisportsinc.com uses LetsEncrypt
- https://cdtdevserver.net uses LetsEncrypt

We have the same problem with these websites, just like maproulette.org.
And I found two websites that use https and that we have access to, and one of them uses LetsEncrypt :|

- https://ons.prometdev.com comodo
- https://www.hi-tech.com.eg letsencrypt

Well, I'm confused af.
@mvexel there is a possibility that Digital Ocean is behind this; please open a support ticket and ask them if they restrict Iranian users.
I repeat again, Cloudflare is the solution to this problem..
Good luck.
Someone in the community who wants to help with this?
All you have to do is register with Cloudflare. Use the free plan.
But I am adding maproulette to Cloudflare. First, please remove these nameservers from the maproulette domain:

- ns-74-a.gandi.net
- ns-77-b.gandi.net
- ns-149-c.gandi.net

Second, add brenda.ns.cloudflare.com in nameserver1 and add glen.ns.cloudflare.com in nameserver2.
Please see this image:
ping @mvexel
Hi @mvexel, we still have a problem in Iran. Do you think you can use Cloudflare CDN?
We would love to participate in the Maproulette site...
Hi, I would be happy to help if I can, sorry it took me forever to respond to this.
I just registered the maproulette.org domain with Cloudflare and changed the DNS entries on the registrar site. Could you re-check please?
I think we fixed this, please re-open if that's not correct.
Folks from Iran are telling me that they cannot access MapRoulette.org due to restrictions on internet access.
They suggest that the site itself is not censored but the Letsencrypt SSL certificate causes the problem.
Is there anything we can do to mitigate this? Is this related?