After two days of trying to solve the SSL error problem with DoH, it finally works normally again. I use the Quad9 DNS service for this feature. I also tried Cloudflare and NextDNS (free up to 300K queries) just to find out which one is the shortest hop from my place.
But in the last few days the log was suddenly full of “DoH server connection error: SSL” (see image below). I temporarily moved to another service, and today I finally had the chance to look into the problem.
A few months back, Quad9 deployed a new certificate which chains to a new DigiCert root CA (see Quad9’s post on Reddit here: https://www.reddit.com/r/Quad9/comments/1ebzqx0/new_quad9_ssl_certificate_mikrotik_devices_must/). At the beginning of this year Cloudflare and NextDNS also deployed new certificates for their DNS services, and this caused the same issue. Here’s the explanation from the NextDNS forums:
One of our DNS edge servers was silently failing to retrieve its TLS certificate from our control plane, which led to this issue. We have rectified the problem and are now focusing on eliminating this blind spot within our monitoring. We apologize for any inconvenience caused.
So it seems this issue will go away once all (cloud) servers retrieve the proper certificate.
Meanwhile, as suggested in the Reddit thread, I installed a new certificate for Quad9: DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem. The errors decreased but still existed. So I installed another two certificates, DigiCertGlobalRootG2.crt.pem (actually this one is for Cloudflare) and DigiCertGlobalRootG3.crt.pem (the root for Quad9). After adding these two certificates the errors still exist but have dropped drastically. Hope this helps.
CODE:
# Download the intermediate and root CA certificates from DigiCert
# (fetch saves each file under the last path component of the URL)
/tool/fetch mode=https url="https://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem"
/tool/fetch mode=https url="https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem"
/tool/fetch mode=https url="https://cacerts.digicert.com/DigiCertGlobalRootG3.crt.pem"
# Import them into the router's certificate store
# (passphrase="" avoids the interactive prompt so this also works from a script)
/certificate/import file-name=DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem passphrase=""
/certificate/import file-name=DigiCertGlobalRootG2.crt.pem passphrase=""
/certificate/import file-name=DigiCertGlobalRootG3.crt.pem passphrase=""
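The same procedure as a re-runnable RouterOS script. This is an added example, not part of the original post or of Quad9's or MikroTik's documentation: it only downloads and imports a CA certificate when no certificate with that name is already in the store, removes the downloaded file afterwards, and then logs a warning if DoH is not configured or if DoH certificate verification is switched off. It assumes RouterOS v7 command paths (as in the commands above), that imported certificates keep a name beginning with the file name (the import default), and that the `verify-doh-cert` setting under `/ip/dns` is what enables chain verification for DoH.

```routeros
# Added example (not from the original post): idempotent CA import for DoH.
# The certificate names below match the DigiCert file names used above.
:local certs {"DigiCertGlobalG3TLSECCSHA3842020CA1-1";"DigiCertGlobalRootG2";"DigiCertGlobalRootG3"}

:foreach c in=$certs do={
    :local fname ($c . ".crt.pem")
    # Imported certificates are named after their file, so a regex match on the
    # base name tells us whether this CA is already in the store.
    :if ([:len [/certificate/find where name~$c]] = 0) do={
        :log info ("DoH: importing CA " . $c)
        /tool/fetch mode=https url=("https://cacerts.digicert.com/" . $fname) dst-path=$fname
        /certificate/import file-name=$fname passphrase=""
        # The PEM file is no longer needed once it is in the certificate store
        /file/remove $fname
    } else={
        :log info ("DoH: CA " . $c . " already present, skipping")
    }
}

# Sanity checks on the DoH configuration itself
:if ([/ip/dns/get use-doh-server] = "") do={
    :log warning "DoH: no DoH server is configured under /ip/dns"
}
:if (![/ip/dns/get verify-doh-cert]) do={
    :log warning "DoH: verify-doh-cert is disabled, the server certificate is not being checked"
}
```

Run it once from the terminal, or attach it to a scheduler entry so a router that is reset or upgraded picks the CAs up again; because the `find` check comes first, repeated runs do not create duplicate certificate entries.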
SNAPSHOT:
