Hetzner does run a (MitM) proxy in front of my server!
old.reddit.com
I created a thread about strange server behavior 2 days ago:...
  • fmstratAEnglish
    128 months ago

    Good suggestions at the bottom.

    There are several indications which could be used to discover the attack from day 1:

    All issued SSL/TLS certificates are subject to certificate transparency. It is worth configuring certificate transparency monitoring, such as Cert Spotter (source on github), which will notify you by email of new certificates issued for your domain names

    Limit validation methods and set exact account identifier which could issue new certificates with Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding (RFC 8657) to prevent certificate issue for your domain using other certificate authorities, ACME accounts or validation methods

    • pootriarchEnglish
      18 months ago

      so per wikipedia and confirmed at MDN, firefox is the only major browser line not to consider certificate transparency at all. and yet it’s the only one that has given me occasional maddening SSL errors that have blocked site access (not always little sites, it’s happened with amazon).

      i don’t understand how firefox can be simultaneously the least picky about certificates and the most likely to spuriously decide they’re invalid.