04-25-2019 12:20 AM
Other commenters saying that logging in on MacOS worked made me think to try using Safari on Windows, and that finally did it.
Chrome, Firefox, and Edge all had the looping problem of returning to the warning page after allowing the risky certificate, but Safari took it like a champ and sent me right on down to the login page, finally, after weeks of trying over and over to no avail.
Download Safari 5.1.7 for Windows (google it) and try it for yourselves, and maybe one day soon this workaround won't be necessary.
04-27-2019 12:49 PM
Yeah, there's nothing inherently wrong with what Verizon tried to do here, let's get that right. Forcing users through a secure link is nothing but a good thing, at least as far as intentions go - implementation and proper testing is another issue though.
All that said, I echo what others are seeing: trying to advance past the invalid cert page just loops back to it. That happens in the latest version of Chrome, Firefox, Edge, and Opera on Windows 10. Even if I explicitly export and then import the cert to trust it, even if I trust the intermediate authority, none of it matters. Clearing cookies and cache and all that makes no difference, as I would expect (but I gave it a shot anyway). It DOES work from my iPad or my Android phone or my Mac, but apparently no browser on Windows (I didn't try Safari).
However, in my case, I finally did find the issue, and I wouldn't be surprised if this is the root cause for a lot of people and would also explain maybe why Verizon's test team couldn't replicate it, so Verizon support folks, you'll want to add this to your support scripts...
For me, the problem was my system protection suite. More specifically, the SSL/TLS scanning option that was turned on in ESET Internet Security.
The way I discovered this is that when I viewed the invalid cert on the error page in Chrome by clicking the error it displays (NET::ERR_CERT_COMMON_NAME_INVALID most likely), which there is no indication you can do, but you can, and then noticing that the Subject is GreenWave Systems as you'd expect, but for me the Issuer said ESET SSL Filter CA.
Woah, what?! This is a self-signed cert, so the CA should be GreenWave too!
Did Verizon screw up generating the cert? That's what I thought at first, but a second or two later I realized "wait, if they did, why the hell would they sign if with an ESET issuer?"
Doh! -I- run ESET Internet Security on my machine! So, it instantly occurred to me that no, they didn't screw up, my protection did!
The way ESET does SSL/TLS scanning is munging the cert in such a way that it runs afoul of changes to the way browsers handle certs with regard to common names. I suspect ESET maybe be inserting its own cert or something along those lines so that it can intercept that traffic to scan it. I'm not sure of the exact mechanism, but something along those lines makes sense.
So, after turning off each protection option in ESET, I finally got the login page to my router to come up. Eventually, after turning each option back on in turn, I finally arrived at the SSL/TLS Protocol Filtering option under Web and Email in advanced options. Turning it off results in being able to get through the invalid cert page (and, as expected, the Issuer then shows as GreenWave), turning it back on causes the infinite loop to come back.
Now, as for how I fixed it, since keeping that scanning off isn't something I want to do, under the SSL/TLS section in the options for ESET, there's a List of known certificates option with an Edit button. Visit the gateway page first, then click that Edit button. Somewhere in there are TWO GreenWave certs, one with ESET as the issuer and one with GreenWave. For BOTH, I had to Edit them and select Ignore as the Scan action. As soon as I did that, all was right with the world: I can access the gateway with any browser, no problem. I DO still get the invalid cert warning page, but as others have said, that's completely expected and not an issue. Click through that and I'm good to go.
Hopefully, this helps someone... I don't know if ESET is the common theme or if other protection software will have a similar issue (I would guess yes if they do similar protocol scanning and implement it a similar way).
Verizon techs, I would suggest spinning up a VM with ESET Internet Security installed and fully active so you can confirm my findings. I'm not seeing a way you could avoid this problem that doesn't involve customers changing the config in their protection software, but at least if you confirm it you'll have a handle on the issue, at least for some subset of those having this problem (and maybe everyone).
04-27-2019 10:04 PM
04-29-2019 07:05 AM
Hey, everyone -- maybe Verizon's self-signed certificates are causing other problems in Win 10 PCs. If you have a Winn 10 PC, please go to my new thread on this forum
05-18-2019 07:15 PM
I have the same issue- Accept risk get sent back to warning. I already reset browsers, cleard cache, history and cookies.
Here is the info i see-
https://myfiosgateway.com/ The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain: -----BEGIN CERTIFICATE----- MIIDuDCCAqCgAwIBAgIQAQolXD9s0LdF+L8FFHIDJjANBgkqhkiG9w0BAQsFADBI MRswGQYDVQQDExJFU0VUIFNTTCBGaWx0ZXIgQ0ExHDAaBgNVBAoTE0VTRVQsIHNw b2wuIHMgci4gby4xCzAJBgNVBAYTAlNLMB4XDTE1MTAwMjA1NDk1OFoXDTI1MDky OTA1NDk1OFowgaQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQ8w DQYDVQQHDAZJcnZpbmUxGjAYBgNVBAoMEUdyZWVuV2F2ZSBTeXN0ZW1zMQwwCgYD VQQLDANQS0kxGjAYBgNVBAMMEUdyZWVuV2F2ZSBTeXN0ZW1zMSkwJwYJKoZIhvcN AQkBFhphZG1pbkBncmVlbndhdmVzeXN0ZW1zLmNvbTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMk7pR8IO477ypmRKu61Lkcex6IYpzf9d3ADl9IeR+4e Au7Ayj/Bym1X9O2et5NAxXgQhaRj+TZX/7QqZOG0G9HcQsGJAJY3IUUllxH3x1Vn cT2uEXgq5zI/utaotYLFWw4AvsIN+e+Z3K9Lui5n3XyB6cIqE8uYlEGc7bM5w/zr IH1LqZm9w4RUvghkHCdUkVqbmLWerUrmd4jaFpAzDaiBtZ3hOJLh979plNEnySvm lkUrWRz6EceKGwUB2c5QsLovlNZpPhgLoIPukYjzOiKhGN4vovK7noSvUlkX/TMu sTDI5VBgQvleKB26Kvk9jxD/JmYOuiY66yAAZ5S8pJUCAwEAAaNBMD8wDAYDVR0T BAUwAwEB/zAOBgNVHQ8BAf8EBAMCBaAwHwYDVR0jBBgwFoAUzDnZHi+Yj82W8ORl OiyD//d5d/kwDQYJKoZIhvcNAQELBQADggEBAEIkUN+o4yu14iwNX3R86HVrmf6H t9DLki2iUfbhpUIlV5cEctOzJPnjTp14QGjNkvkP8K7XPloHmuVObmKJ0MnxZX+S vZq+I9UbiFjgcN4+R/MrytBQRA/czMhjyvxqA6tPM+Ay+8k6PdqH1t4cuLyw860z WRxBaPIBON5V3efR30HAJxj3AL4hVmbd6D+IZ2dq8SUnRWcqsZkMjfrhJBNtEVbP itV9L4Ng+FAaUQJ8kTv9C/tOFSBfXHIwiIQtjvYFASz1SqW+gVtFDY63NEQKnqip anyEHRhufzxuEGhDOnI8mXI6WQRE+11CIg7AHAvvd0NcGTm+1mp7RZ7zmzQ= -----END CERTIFICATE-----
In my 4th hour today trying to fix this very issue. One terrible on-line tech who said he couldn't replicate the issue even though I watched him replicate it; then he ghosted me. Tech phone said he knew about the problem and was transferring me to someone who knew how to deal with it - yet the poor person was password and log-in reset. Have been on hold for an hour waiting for a tech supervisor. Have no hopes anyone will pick up the line.
Hope this is the way to post.
This is a known issue with Verizon which I did not know until I bought a new FiOS router.
It seems that the certificate on the router is not acting the way it should be. When logging into it from the https://myfiosgateway.com. All of my browsers blocked the page because it was unsafe. So of course, I selected to proceed to the unsafe site being that it was my router. I clicked it and nope still unsafe not allowed. Phone call to support and they take over system and no joy. They never told me to turn off any protection (ESET). They told me that the router was not respounding and that it needed to be replaced. Since I had bought it in 2015 I figured it needed to go.
Got new one and SUPRISE same problem. Back on the phone (this time with a very condescending support person who felt that I was the dumbest human he had ever spoken to.) to inform them that I still had the same problem even with the new router. After 20 mins of listing to support telling me nicely how stupid I was, he explained that it was a known glitch and Verizon was working on it. No offer to take new router back by the way.
With the new router installed, I figured there had to be a work around. Once I turned off the SSL/TSL protection feature in ESET it worked full access to the new router. The problem now I have the SSL turned off “NOT GOOD”! Looking around I found a fix to the glitch. At least with ESET not sure if it will work with other services.
In the advanced setup in ESET under WEB and EMAIL section go into the PROTOCOL FILTERING option and exclude the IP address. and turn on the SSL/TSL protection. This worked. Hopefully Verizon will figure out the certificate glitch. This worked for me and I hope it helps. Let me know if it did. Thanks
07-20-2019 02:15 PM
All good info, however, i'm not a techy, and I use solely MACOS & Safari, and still cant get access. So how do I? Thanks.