Getting wrong SSL certificate of public website

Started by massa, April 19, 2020, 09:04:29 AM

April 19, 2020, 09:04:29 AM Last Edit: April 19, 2020, 09:06:15 AM by massa
Hi all,

I have an iobroker instance running on a raspberry behind my opnsense. Unfortunately I am not able to update my adapters as I always get the following error:
npm ERR! code ERR_TLS_CERT_ALTNAME_INVALID
npm ERR! errno ERR_TLS_CERT_ALTNAME_INVALID
npm ERR! request to https://registry.npmjs.org/iobroker.hm-rega failed, reason: Hostname/IP does not match certificate's altnames: Host: registry.npmjs.org. is not in the cert's altnames: DNS:a.sni.fastly.net, DNS:a.sni.global-ssl.fastly.net


When I access https://registry.npmjs.org/iobroker.hm-rega from my usual LAN network via my notebook I get an SSL warning as well.
When I switch to my guest WiFi (also running through OPNsense in a dedicated VLAN) I get the correct SSL certificate and no warning when accessing the website.

I use a TP-Link router flashed with openwrt as an access point and LAN Switch!

What could be the issue here? Any ideas?

Your DNS or your proxy is pointing to the wrong IP address. I would check the host with curl -v <url> to see where it is pointing and what the DNS should point to.

April 19, 2020, 09:39:54 AM #2 Last Edit: April 19, 2020, 12:25:46 PM by massa
I use Pi-Hole in my LAN, which is pointing to OPNsense, from where Unbound DNS should forward DNS requests to my ISP's DNS servers. This setup works totally fine without the mentioned website...
I don't really get where the problem could be? Wouldn't I get SSL warnings for all websites then?

But you are right - there is the difference between my LAN and Guest net, as Guest clients just get my ISP's DNS servers via DHCP and not the Pi-Hole.

UPDATE: When I manually set my notebook's DNS to my ISP's servers it works fine, but running through Pi-Hole --> OPNsense --> ISP DNS it returns the wrong certificate. I just don't get why this only happens for this specific site?
I also found out that I only have the issue with the subdomain https://registry.npmjs.org/
https://npmjs.org works fine!
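
The check suggested in the reply above (see which IP each DNS path hands out, then see which certificate that IP presents for the hostname), written as an added example that is not part of the thread. The resolver labels, IP addresses and the `fake_fetch` helper are constructed for illustration; in real use, pass the addresses your resolvers actually returned and leave `fetch` at its default.

```python
import socket
import ssl

def san_matches(host, sans):
    """Exact match, or a wildcard covering exactly the left-most label."""
    host = host.rstrip(".").lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and host.partition(".")[2] == san[2:]:
            return True
    return False

def fetch_sans(ip, host, port=443, timeout=5):
    """Live check: connect to ip, send host as SNI, return the cert's DNS SANs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared below
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def diagnose(host, answers, fetch=fetch_sans):
    """answers maps a resolver label to the IP it returned for host."""
    report = {}
    for label, ip in answers.items():
        sans = fetch(ip, host)
        report[label] = {"ip": ip, "sans": sans, "ok": san_matches(host, sans)}
    return report

# Constructed sample data (documentation IP ranges, not real answers).
SAMPLE_ANSWERS = {"pihole-path": "192.0.2.10", "isp-dns": "198.51.100.20"}
SAMPLE_CERTS = {
    # SANs taken from the npm error message quoted in the thread
    "192.0.2.10": ["a.sni.fastly.net", "a.sni.global-ssl.fastly.net"],
    # constructed SAN list standing in for a matching certificate
    "198.51.100.20": ["registry.npmjs.org"],
}

def fake_fetch(ip, host):
    """Offline stand-in for fetch_sans using the constructed table above."""
    return SAMPLE_CERTS[ip]

if __name__ == "__main__":
    for label, row in diagnose("registry.npmjs.org", SAMPLE_ANSWERS, fake_fetch).items():
        print(f"{label:12} {row['ip']:15} {'OK' if row['ok'] else 'MISMATCH'} {row['sans']}")
```

A resolver path whose row shows MISMATCH is the one handing out an address that does not serve a certificate for the requested name.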