cloudflare have changed the root cert?

cloudflare-dns SSL cert error. Have they changed the root cert?
After many months with no DNS problems, this morning I have a lot of DoH SSL errors; it started at about 02:17 UTC+1.
DoH server connection error SSL: ssl: no trusted CA certificate found (6)
If I check the cert at https://security.cloudflare-dns.com/dns-query, it has changed from DigiCertGlobalRootG2.

After loading the new cert it all runs again.

Why is cloudflare-dns just changing the cert?

Thanks for reporting this.

Have you checked the validity period of the CA cert? Maybe 5 years have passed.
Maybe the CA cert was revoked.
It’s great that you found what the problem was, but maybe you can also ask Cloudflare themselves.

Discussed many times on the forum:
https://community.cloudflare.com/t/upcoming-certificate-renewal-for-1-1-1-1-public-resolver/594379

Yes, they did change it, and they did warn users.

Which cert do we have to use for DoH with Cloudflare (https://security.cloudflare-dns.com/dns-query, 1.1.1.2 and 1.0.0.2), because DigiCert G2 doesn’t work? Could you please put the link here? Do you plan to update the MikroTik docs as well? Thanks.

What I don’t understand is that today the problem is back.
They again changed the root cert, now back to DigiCertGlobalRootG2.
I see they also use the cert ISRG Root X2 from https://letsencrypt.org/certificates/
For now they change between so many certs:
DigiCertGlobalRootCA
DigiCertGlobalRootG2
DigiCertGlobalRootG3
ISRG Root X2 (letsencrypt)

For now I disabled “Verify DoH cert” on the main router. On my CHR I have installed the 4 listed PEM certs and will see in the log what’s going on over the next days.

I’ve tried with DigiCertGlobalRootCA and DigiCertGlobalRootG2 but without success. Could someone please provide the correct certs which have to be installed? Thanks :blush:

If you count a forum posting, sure.

Cloudflare is a $28B company, not MikroTik. So sharing certs in a forum posting without some hash (SHA256/etc.), with the only indication of authority being “Cloudflare Team” next to the user, and going on to recommend not checking certs:

If you are pinning the certificate chain attached to the Resolver, we highly recommend that you remove the certificate pin. This will ensure that there will be no issues or downtime when the certificate renews.

This would not give me a lot of faith in them if my goal in using DoH was privacy/security. I don’t use DoH, but I’d probably trust the Swiss more and use Quad9 after reading that post from Cloudflare.

I’ve tried with DigiCertGlobalRootCA and DigiCertGlobalRootG2 but without success

Then you are doing something wrong. Go to: https://security.cloudflare-dns.com/dns-query
In Firefox press [CTRL]+i → Security → View cert.
All of them can be found here too: https://www.digicert.com/kb/digicert-root-certificates.htm Get the .pem one…

For me everything works OK again with “DigiCert Global Root G2” and the 4 others, just in case they change it again.
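Two points in the thread above are worth seeing end to end: the objection that a cert pasted into a forum post is only trustworthy if it comes with a SHA-256 hash, and the advice to pull the current root from the endpoint and load the right .pem on the router. The script below is an added example (not from this thread, not MikroTik's or Cloudflare's code) that works entirely offline with the openssl CLI: it creates two throwaway roots (RootA, RootB) and a leaf for the constructed name doh.example, prints the fingerprint you would quote when sharing a root, and shows that verification succeeds only against the root that actually issued the chain, which is the same class of failure as the router's "no trusted CA certificate found".

```shell
#!/bin/sh
# Added example, not from the forum thread. All names (RootA, RootB,
# doh.example) are constructed stand-ins; nothing here touches the network.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: self-signed root CA, standing in for a public root such as
# DigiCert Global Root G2 or ISRG Root X2
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf ROOT HOST: server certificate for HOST, signed by ROOT
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -sha256 -out "$WORK/$2.pem" 2>/dev/null
}

# fingerprint PEM: colon-separated SHA-256 fingerprint of the certificate,
# the value a "here is the root cert" post should carry so it can be checked
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# issuer PEM: issuer DN of a certificate, i.e. which CA the router must trust
issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# verify_against ROOTPEM LEAFPEM: exit 0 only if LEAFPEM chains to ROOTPEM
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# matches_pin EXPECTED_FP PEM: exit 0 if PEM has the expected SHA-256 fingerprint
matches_pin() {
    [ "$(fingerprint "$2")" = "$1" ]
}

make_root RootA
make_root RootB
make_leaf RootA doh.example

ROOT_A_FP=$(fingerprint "$WORK/RootA.pem")
echo "RootA SHA-256: $ROOT_A_FP"
echo "doh.example issued by: $(issuer "$WORK/doh.example.pem")"

# Installing the wrong root (RootB) reproduces the chain failure; the
# issuing root (RootA) verifies cleanly.
for root in RootA RootB; do
    if verify_against "$WORK/$root.pem" "$WORK/doh.example.pem"; then
        echo "$root: chain OK"
    else
        echo "$root: verification failed (this root did not issue the chain)"
    fi
done
```

Against the real resolver the same functions apply to the live chain: `openssl s_client -connect security.cloudflare-dns.com:443 -showcerts` prints every certificate the server sends, and `issuer` on the last one tells you which public root the router needs, while `fingerprint` on the root .pem you downloaded from the CA's own site is what to compare against a fingerprint quoted in a post before trusting it.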