Feature request: CACerts database

I’ve been using DoH-enabled resolver on my routers with the CloudFlare server. One issue with that is that I have to import the root CA that CloudFlare uses in their HTTPS endpoint.

Well, they switched to another root cert today and my DNS broke down.

It would be great if MikroTik could just package the standard CA Certificates database. Perhaps as an installable package, to make sure it won’t affect people who prefer to not trust any third-party certificates.

same problem here, started after 20pm Riga time… on all sites “DoH server connection error: SSL: ssl: no trusted CA certificate found”

can't find which new certificate to install, tried already 10 different but with no luck…

please share URL

Have you managed to fix this? I originally just had “DigiCert Global Root CA”, but that’s no longer the root CA they’re using. It seems like the new one is “DigiCert Global Root G2”, but importing that hasn’t fixed the issue. The date and time on the router are correct, but I still get “DoH server connection error: SSL: ssl: no trusted CA certificate found”.

Importing the “DigiCert Global Root G2” PEM from https://www.digicert.com/kb/digicert-root-certificates.htm has fixed it for me - I originally imported the whole cacerts.pem from https://curl.se/ca/cacert.pem (which does contain this certificate), but that didn’t work for some reason (it did time out whilst importing but the root certificate was in the list of imported certificates). Removing all of the imported certificates and just importing the new one is what did it for me.

I agree it’d be great if RouterOS was shipped with CA certificates (and a way to update them!), as it would avoid issues like this.

thanks, now it works :)

/tool fetch https://cacerts.digicert.com/DigiCertAssuredIDRootG2.crt.pem
/certificate import file-name=DigiCertAssuredIDRootG2.crt.pem passphrase=""

It’s strange, but for some reason it didn’t work for me. I imported both G2 and G3.
Error - “DoH server connection error: SSL: ssl: no trusted CA certificate found (6)”
The time is correct. Are there any other options?

Never trust any third party with certificates. Always download them from the source.

This one didn’t work:

/tool fetch https://cacerts.digicert.com/DigiCertAssuredIDRootG2.crt.pem
/certificate import file-name=DigiCertAssuredIDRootG2.crt.pem passphrase=""

So, this works:

/tool fetch https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
/certificate import file-name=DigiCertGlobalRootG2.crt.pem passphrase=""

Do you make sure to download all certificates into your browser root CA store?

And honestly, at some point you have to trust somebody. After all, Mikrotik can easily include a deliberate security vulnerability in RouterOS.

I personally would be satisfied if RouterOS had a package that periodically synced root certs with the Debian or Red Hat CA certificates packages.
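A RouterOS script that wraps the working fetch/import commands from this thread into an idempotent check, added here as an example and not posted by anyone in the thread. It assumes RouterOS v7 scripting syntax, the cloudflare-dns.com DoH endpoint, and that you replace the fingerprint placeholder with the SHA-256 fingerprint (lowercase hex, no separators) published on DigiCert's root certificate page.

```routeros
# Added example, not from the thread. Assumes RouterOS v7 scripting syntax.
# Idempotently installs the DigiCert Global Root G2 CA that the Cloudflare
# DoH endpoint currently chains to, pins its fingerprint, then enables
# certificate verification for DoH.
:local rootUrl "https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem"
:local rootFile "DigiCertGlobalRootG2.crt.pem"
:local rootCN "DigiCert Global Root G2"
# Placeholder: copy the SHA-256 fingerprint from DigiCert's root certificate
# page (https://www.digicert.com/kb/digicert-root-certificates.htm).
:local expectedFp "PLACEHOLDER_SHA256_FINGERPRINT_FROM_DIGICERT"

# Only download when the root is not already installed.
:if ([:len [/certificate find where common-name=$rootCN]] = 0) do={
    # /tool fetch does not verify the server certificate by default, which is
    # exactly why the fingerprint is pinned below.
    /tool fetch url=$rootUrl dst-path=$rootFile
    /certificate import file-name=$rootFile passphrase=""
    :log info "Imported root CA: $rootCN"
}

# Verify what landed in the store: the fingerprint must match, and the
# certificate must be marked trusted or DoH still reports
# "no trusted CA certificate found".
:foreach c in=[/certificate find where common-name=$rootCN] do={
    :if ([/certificate get $c fingerprint] != $expectedFp) do={
        :log error "Fingerprint mismatch for $rootCN, removing it"
        /certificate remove $c
        :error "untrusted root certificate"
    }
    :if ([/certificate get $c trusted] != true) do={
        /certificate set $c trusted=yes
    }
}

# Point the resolver at the DoH endpoint and require chain verification.
/ip dns set use-doh-server="https://cloudflare-dns.com/dns-query" verify-doh-cert=yes
/ip dns cache flush
```

Running it from /system scheduler gives the periodic re-check the thread asks for; when Cloudflare moves to another root, the mismatch is logged rather than silently trusted.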