doh server connection error network is unreachable over DNS 1.1.1.1

01K · Tue Jan 09, 2024 10:23 pm

Hello,
Pardon me, I must confess, that I'm a total noob in network configuration.
Today I encountered this error:
"doh server connection error network is unreachable"

A friend of mine has configured the MikroTik for me to use it with the 1.1.1.1 DNS a year ago.

Fortunately, I've two backups: one pre "1.1.1.1" configuration and a second with this config.
So, I was able to restore the first one and make sure that the problem was with DNS connection.

I've tried to google this problem, I saw that there are two main problems:
no system time set and no certificates are acquired.
But my system configuration pulls them both:

sert.jpg

time.jpg

I could post part of my configuration, just tell me what to display.

Thanks!

KotJulian · Tue Jan 09, 2024 11:50 pm

I just experienced a DoH problem as well. The logs were saying "DoH server connection error: SSL: ssl: no trusted CA certificate found (6)"

I had to download a new DigiCert Global Root CA certificate (valid until 2038) and upload it to my Mikrotik to fix it.

Wed Jan 10, 2024 12:35 am

I'm glad to know it's not just me. I ended up temporarily turning off the "Verify DoH certificate" option, which let me connect to https://security.cloudflare-dns.com/dns-query — corresponding to 1.1.1.2, not the unfiltered 1.1.1.1 service — then use my browser's certificate inspection tools to download the full-chain PEM file for that site.

Uploading that to the local DoH caching resolver and installing it fixed the symptom, allowing me to turn DoH cert checking back on.

It may also be relevant that I went in and cleaned out the old CA certs first. I can't go back and re-check it, since I deleted the old PEM files, too.

edyatl · Wed Jan 10, 2024 2:46 am

Recently, I also encountered an issue with the DoH (DNS over HTTPS) server connection error on my hAP AC3, specifically using the Cloudflare DNS service (1.1.1.1). After some investigation, I discovered a temporary fix that involves replacing the deprecated DigiCertGlobalRootCA.crt.pem certificate with the DigiCertGlobalRootG2.crt.pem certificate.

However, I'm concerned that this may only be a short-term solution. Cloudflare has alerted users that DigiCert will soon be removed as a CA from their pipeline.

To address this, I'm reaching out to the community for assistance. Are there alternative and more permanent solutions that you can recommend?

For reference, the temporary fix involves replacing the certificate using the following link: https://cacerts.digicert.com/DigiCertGl ... G2.crt.pem

My settings:

> /ip/dns/print                              
                      servers: 
              dynamic-servers: 
               use-doh-server: https://1.1.1.1/dns-query
              verify-doh-cert: yes
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                   cache-used: 104KiB

Commands:

/certificate/print;
/certificate remove [ find ];
/certificate import file-name=DigiCertGlobalRootG2.crt.pem passphrase="";
/certificate/print;

I appreciate any insights or guidance the community can provide. Let's work together to find a robust and enduring solution.

Thanks in advance.

Wed Jan 10, 2024 9:56 am

Are there alternative and more permanent solutions that you can recommend?

In principle, these root CAs are supposed to have decades-long lifetimes, close enough to "immortal" for devices with a support lifecycle in the 5-10 year range.

Alas, every now and then, someone decides to retire a root CA for some reason, and we all have to cope somehow.

We can talk about ways to automate the replacement of the root CA, but that's not trivial, particularly in a case like this where if you wait until after it happens, you have no DNS, and how do you pull new certs without DNS?

Ideally, there would be warning that we all got, which gave us time to go out and get new certs before the changeover, but nobody told me Cloudflare was changing this. If they did preannounce it, I wasn't watching where they posted it, and I'm certain I wasn't alone.

If instead they had to do it in secret with no warning for some dire security reason, we're all back in the soup.

That's the situation. Which path out of the tarpit do you propose?

Wed Jan 10, 2024 9:58 am

Tangent is right. Unless it is expiry, there is no real protection against this. CF messed up this time.

01K · Wed Jan 10, 2024 12:31 pm

Hi, folks
So does it mean, that this error comes from the Certificate side?
And my attached "sert.jpg" is not accepted as valid anymore? It's written, that it's valid for 9131 days.

Wed Jan 10, 2024 8:39 pm

That certificate has been abandoned (Cessation Of Operation)

That's useful to know, but what would be far more useful is if we all had a channel we could monitor that would warn us of this in advance. Plainly a lot of us missed your November post. I think we want something a bit more in the "whirling lights and sirens" vein for a pending problem like this one.

Wed Jan 10, 2024 9:34 pm

I know, that's why I said, there is nothing automatic you could do to prevent this from happening. Cloudflare changed the certificate, it did not expire.
You as the operator are responsible to keep your certificates in the router valid and up to date. MikroTik did not provide you this certificate, you got it from somewhere.

MTNick · Thu Jan 11, 2024 12:25 am

Hello everyone. Here are the certs for Cloudflare obtained today. Unable to attach them, here's a link to g-drive

Link Removed

If you need help/direction setting it up, follow what wfburton said: Cloudflare DoH working viewtopic.php?t=201784

Thu Jan 11, 2024 8:40 am

NEVER get certificates from 3rd parties, downloading stuff like this from anonymous user google drive is very dangerous.
Do what the DNS documentation tells you to do. Go to the address you configured as your DoH address and download certificate from your browser, by clicking on the padlock icon
https://help.mikrotik.com/docs/display/ ... HTTPS(DoH)

edyatl · Thu Jan 11, 2024 10:50 am

Hi, folks
So does it mean, that this error comes from the Certificate side?
And my attached "sert.jpg" is not accepted as valid anymore? It's written, that it's valid for 9131 days.

Yes, it seems that the error is related to the certificate. Cloudflare has deprecated the DigiCert root certificate, and this might be causing the issue you're experiencing.

As a temporary fix, you can try replacing the deprecated DigiCertGlobalRootCA.crt.pem with the DigiCertGlobalRootG2.crt.pem certificate. This seems to resolve the problem for now.

However, keep in mind that Cloudflare has indicated that DigiCert will soon be removed as a CA from their pipeline. So, while the temporary fix might work, it's advisable to look into more permanent solutions.

01K · Thu Jan 11, 2024 12:34 pm

Pardon me, thisis complicated for me to understand

So, basically the workaround is to run these commands one by-one from this thread:

/ip dns
set allow-remote-requests=yes doh-max-concurrent-queries=100 \
    doh-max-server-connections=20 doh-timeout=6s servers=1.1.1.1,1.0.0.1 \
    use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

axe3 · Thu Jan 11, 2024 1:42 pm

NEVER get certificates from 3rd parties, downloading stuff like this from anonymous user google drive is very dangerous.

I call upon moderation to redact the offending link to avoid any users reaching for the solution in the wrong direction.

rextended · Thu Jan 11, 2024 2:41 pm

The situation is simple:
Cloudflare updates the https certificate every 2 years (last time done on 30 Dec 2023).
This time DigiCert did not sign the certificate with the old key, but with the new one, so the root certificate is no longer valid.

So probably every 2 years or less (it can happen at any time, but in any case within 21 Jan 2025) the root certificate in the device must be updated.

The solution? Browsers update often, and the root keys are also updated with OS update...
So RouterOS should also implement an additional package with the list of trusted root certificates...

I warn you in advance:
Don't base everything on 1.1.1.1 or similar...
Sooner or later you will get fu–d in the a–...

For example:
They break down for some reason (either by sudden failure, unexpected maintenance, choice, or because they want you to pay fees...)
[Or they are simply fed up with all the useless pings they receive, since they give the DNS service, not the ping service...]
and 1.1.1.1 is unreachable everywhere...
Do you know how many "route"s are changed by mistake, devices that restart with the netwatch, DNS and DoH that no longer work... etc. etc. etc.

MTNick · Thu Jan 11, 2024 3:28 pm

NEVER get certificates from 3rd parties, downloading stuff like this from anonymous user google drive is very dangerous.
Do what the DNS documentation tells you to do. Go to the address you configured as your DoH address and download certificate from your browser, by clicking on the padlock icon
https://help.mikrotik.com/docs/display/ ... HTTPS(DoH)

@normis Apologies! I'll never post a link to g-drive or any files going forward. Sincerely apologize for this.

As for the root cert, it did change. It's why I offered them up. The simplest way to get the certs is the way normis outlined. It's how I download them.

MTNick · Thu Jan 11, 2024 3:40 pm

Pardon me, thisis complicated for me to understand
So, basically the workaround is to run these commands one by-one from this thread:
Code: Select all
/ip dns
set allow-remote-requests=yes doh-max-concurrent-queries=100 \
    doh-max-server-connections=20 doh-timeout=6s servers=1.1.1.1,1.0.0.1 \
    use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
    

@01K It's not a work around. It's also one single command. You have to upload the certificates (3 of them) to Mikrotik first. Then import them in Mikrotik certificates. After that's done, run the command. To verify that you are using DoH, go to their website https://1.1.1.1/help. On this page, it'll tell you if you're using DoH, TLS, or just standard Cloudflare.

/ip dns
set allow-remote-requests=yes doh-max-concurrent-queries=100 doh-max-server-connections=20 doh-timeout=6s servers=1.1.1.1,1.0.0.1 use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

MTNick · Thu Jan 11, 2024 3:46 pm

The situation is simple:
Cloudflare updates the https certificate every 2 years (last time done on 30 Dec 2023).
This time DigiCert did not sign the certificate with the old key, but with the new one, so the root certificate is no longer valid.

So probably every 2 years or less (it can happen at any time, but in any case within 21 Jan 2025) the root certificate in the device must be updated.

The solution? Browsers update often, and the root keys are also updated with OS update...
So RouterOS should also implement an additional package with the list of trusted root certificates...

I warn you in advance:
Don't base everything on 1.1.1.1 or similar...
Sooner or later you will get fu–d in the a–...

For example:
They break down for some reason (either by sudden failure, unexpected maintenance, choice, or because they want you to pay fees...)
[Or they are simply fed up with all the useless pings they receive, since they give the DNS service, not the ping service...]
and 1.1.1.1 is unreachable everywhere...
Do you know how many "route"s are changed by mistake, devices that restart with the netwatch, DNS and DoH that no longer work... etc. etc. etc.

Agree 100% with this statement. I use an alt DNS, Cleanbrowsing. They offer malware, virus, etc protection & DoH as well. I see/know a lot of people use OpenDNS, which the response time isn't as good as Cloudflare, Google or Cleanbrowsing

CleanBrowsing:
https://doh.cleanbrowsing.org/doh/security-filter/

DNS Servers:
185.228.168.9
185.228.169.9

edyatl · Thu Jan 11, 2024 11:18 pm

NEVER get certificates from 3rd parties, downloading stuff like this from anonymous user google drive is very dangerous.
Do what the DNS documentation tells you to do. Go to the address you configured as your DoH address and download certificate from your browser, by clicking on the padlock icon
https://help.mikrotik.com/docs/display/ ... HTTPS(DoH)

Dear @normis,

I wanted to bring to your attention that the MikroTik Confluence wiki page about DNS and DoH configuration seems to have outdated information. The page suggests using DigiCertGlobalRootCA.crt.pem for DoH, but this certificate is no longer functional.

In light of recent changes, it would be beneficial for MikroTik support to update the wiki page and provide alternative sources for obtaining root CA certificates that are compatible with RouterOS and services like https://1.1.1.1/dns-query.

I've explored some certificates from Google Trust Services and Cloudflare.com, but they didn't seem to work with my settings. Including verified and up-to-date information on obtaining the correct root CA certificates will greatly assist users in configuring DoH securely.

Thank you for your attention to this matter, and I appreciate your ongoing support.

marsbeetle · Fri Jan 12, 2024 9:46 am

I've explored some certificates from Google Trust Services and Cloudflare.com, but they didn't seem to work with my settings. Including verified and up-to-date information on obtaining the correct root CA certificates will greatly assist users in configuring DoH securely.

See this post from Cloudflare community and prepare for the inevitable CA change to SSL.com - https://community.cloudflare.com/t/cert ... doh/600179

Fri Jan 12, 2024 10:31 am

Dear @normis,

I wanted to bring to your attention that the MikroTik Confluence wiki page about DNS and DoH configuration seems to have outdated information. The page suggests using DigiCertGlobalRootCA.crt.pem

That is not true. Documentation clearly says that you need to go to the address that you will use as DoH address and download the certificate from there. The name of the file that is seen in the example is irrelevant, it is an example only. The described steps are clear.

mbovenka · Fri Jan 12, 2024 10:37 am

I've explored some certificates from Google Trust Services and Cloudflare.com, but they didn't seem to work with my settings. Including verified and up-to-date information on obtaining the correct root CA certificates will greatly assist users in configuring DoH securely.

Installing this Google Trust Services Root CA bundle fixed it for me: https://pki.goog/roots.pem
It is here: https://pki.goog/faq/#faq-27

edyatl · Fri Jan 12, 2024 3:17 pm

Installing this Google Trust Services Root CA bundle fixed it for me: https://pki.goog/roots.pem
It is here: https://pki.goog/faq/#faq-27

Hello @mbovenka,

I wanted to express my gratitude for sharing the information about resolving the DoH certificate issue by using the Google Trust Services Root CA bundle (https://pki.goog/roots.pem). Your suggestion has been helpful.

However, after reviewing the contents of the provided PEM file, which includes 36 certificates and weighs around 68K, I am concerned about its size and the inclusion of DigiCertGlobalRootG2. This might introduce unnecessary overhead, and there's uncertainty about its compatibility with potential future changes from Cloudflare.

Thank you once again for your contribution, and I look forward to any further discussions on optimizing this process.

Fri Jan 12, 2024 3:24 pm

Please read this post here:

https://community.cloudflare.com/t/upco ... ver/594379

rextended · Fri Jan 12, 2024 3:30 pm

So RouterOS should also implement an additional package with the list of trusted root certificates...

mbovenka · Fri Jan 12, 2024 3:33 pm

Please read this post here:

https://community.cloudflare.com/t/upco ... ver/594379

I installed that certificate chain as well. Didn't fix it, which is expected, as they use GTS at the moment, and not SSL.COM. Perhaps they plan on changing again, who knows.

edyatl · Fri Jan 12, 2024 3:44 pm

See this post from Cloudflare community and prepare for the inevitable CA change to SSL.com - https://community.cloudflare.com/t/cert ... doh/600179

Hello @marsbeetle,

I appreciate your alert regarding the upcoming change in the certificate issuer for the 1.1.1.1 Public Resolver, as mentioned by a Cloudflare team member. However, the lack of specific dates, guidelines, or concrete steps for users to prepare for this transition is a bit concerning.

Understanding that Cloudflare is deprecating DigiCert as a certificate authority and will switch to SSL.com, I would appreciate any additional information or guidance on how users can proactively prepare for this change. Knowing the timeline and recommended actions would help in ensuring a smooth transition without service disruptions.

Thank you for your assistance, and I look forward to any clarifications or updates regarding this upcoming certificate renewal.

edyatl · Fri Jan 12, 2024 4:04 pm

Please read this post here:

https://community.cloudflare.com/t/upco ... ver/594379

Dear @normis,

I've gone through the link you shared regarding the upcoming change in the certificate issuer for Cloudflare's 1.1.1.1 Public Resolver. The Cloudflare team mentions a transition from DigiCert to SSL.com, but your post lacks specific guidance for MikroTik users on how to prepare for this change.

As someone relying on MikroTik routers and DNS over HTTPS (DoH) configurations, I am eager to ensure a smooth transition without any service interruptions. Could you please provide more context or guidance on what steps MikroTik users should take to prepare for the upcoming certificate renewal? Any insights or suggested actions would be highly appreciated.

Thank you for your attention to this matter, and I look forward to any assistance you can provide.

Amm0 · Fri Jan 12, 2024 5:29 pm

You can add the SSL.com root/intermediate certs from SSL.com, without removing the old DigiCert ones (e.g. use both). The DoH certificate check only checks the entire chain is trusted, NOT the root used...so as long as the new SSL.com certs were added to /certificates, transition should be seamless.

Amm0 · Fri Jan 12, 2024 5:39 pm

I know, that's why I said, there is nothing automatic you could do to prevent this from happening.

Maybe y'all should make a NPK extra-package with just the common Linux/whatever root/intermediate certs inside (like a branding package, but certs). So it can be installed as trusted package, rather than cut-and-paste certs from somewhere.

Fri Jan 12, 2024 11:06 pm

Maybe y'all should make a NPK extra-package with just the common Linux/whatever root/intermediate certs inside

The top 7 root CAs are responsible for over 99% of issued certificates. (Source.) Oddly, SSL.com isn’t among them.

Niggly details aside, installing the entire Google or Mozilla root stores is far in excess to requirements.

01K · Mon Jan 15, 2024 10:33 am

Hi guys,
thanks to all!
I imported 3 PEM certificates from https://1.1.1.1/help address and everything is working now.
There was no need to run /ip DNS command

1111.jpg

edyatl · Mon Jan 15, 2024 11:46 am

Hi guys,
thanks to all!
I imported 3 PEM certificates from https://1.1.1.1/help address and everything is working now.
There was no need to run /ip DNS command

Hello @01K,

Thank you for updating the community and sharing your solution! It's great to hear that you were able to resolve the issue by importing the PEM certificates from the https://1.1.1.1/help address.

If possible, could you provide the direct links to the PEM certificates you imported? This information can be helpful for users who might be looking for a quick and direct solution. Your assistance is much appreciated!

01K · Mon Jan 15, 2024 11:54 am

Hi guys,
thanks to all!
I imported 3 PEM certificates from https://1.1.1.1/help address and everything is working now.
There was no need to run /ip DNS command
Hello @01K,

Thank you for updating the community and sharing your solution! It's great to hear that you were able to resolve the issue by importing the PEM certificates from the https://1.1.1.1/help address.

If possible, could you provide the direct links to the PEM certificates you imported? This information can be helpful for users who might be looking for a quick and direct solution. Your assistance is much appreciated!

I've imported from browser, accessing the https://1.1.1.1/help URL, click on lock, press View Certificates and download them one be one:

2222.jpg

rextended · Mon Jan 15, 2024 12:02 pm

All you need is the certificate that you already put in the link in your previous post.

Who said you need to install 3 of them to make it work?

I can install up to 40 of them, but as long as there is the right one among them.

rextended · Mon Jan 15, 2024 12:15 pm

the solution is already inside the certificate
(1.3.6.1.5.5.7.48.1) URL=http://ocsp.digicert.com
(1.3.6.1.5.5.7.48.2) URL=http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt

http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt

It could be a security flaw to trust the certificate indicated by the site you are connecting to...
Strange that they allow this in certificates...

Be wary of the solutions proposed by those who obscure 1.1.1.1 and other public available data in images.

Mon Jan 15, 2024 12:20 pm

Don't trust links in forum. Go to 1.1.1.1 yourself and download it yourself.

edyatl · Mon Jan 15, 2024 12:21 pm

I've imported from browser, accessing the https://1.1.1.1/help URL, click on lock, press View Certificates and download them one be one:

I'd like to point out, for the benefit of the community, that the DigiCert Global Root G2 certificate is the root certificate, and both 'DigiCert Global G2 TLS RSA SHA256 2020 CA1' and 'cloudflare-dns.com' are intermediate certificates. While this method is a good temporary solution, it's essential to be aware that Cloudflare has announced an upcoming change to SSL.com as the certificate authority.

This means that in the near future, the current certificates may be replaced, and users will need to update them accordingly. Keeping an eye on official updates from Cloudflare and being prepared for the certificate renewal will ensure the continued smooth operation of DNS services.

01K · Mon Jan 15, 2024 12:22 pm

All you need is the certificate that you already put in the link in your previous post.

Who said you need to install 3 of them to make it work?

I can install up to 40 of them, but as long as there is the right one among them.

Above, a member wrote about three certificates:

@01K It's not a work around. It's also one single command. You have to upload the certificates (3 of them) to Mikrotik first. Then import them in Mikrotik certificates. After that's done, run the command. To verify that you are using DoH, go to their website https://1.1.1.1/help. On this page, it'll tell you if you're using DoH, TLS, or just standard Cloudflare.

rextended · Mon Jan 15, 2024 12:23 pm

Don't trust links in forum. Go to 1.1.1.1 yourself and download it yourself.

Correct, but if someone have problems or doubt finding it,
in the certificate properties displayed in the browser there is the precise link without going crazy looking for it...

rextended · Mon Jan 15, 2024 12:35 pm

Above, a member wrote about three certificates:

Above, one member obscure public availabledata on image, so who trust?
Someone who has posted little on the forum, just registered, or someone who has written more and is member from long time?

Installing the three certificates in the PEM chain that you see in the browser actually installs the correct one, the intermediate one, and the public certificate itself of 1.1.1.1
That's why there are three... But the root certificate is only one...
The middle one might be useful, but the final third, no...

rextended · Mon Jan 15, 2024 12:42 pm

edyatl · Mon Jan 15, 2024 1:00 pm

Above, one member obscure public availabledata on image, so who trust?
Someone who has posted little on the forum, just registered, or someone who has written more and is member from long time?

Installing the three certificates in the PEM chain that you see in the browser actually installs the correct one, the intermediate one, and the public certificate itself of 1.1.1.1
That's why there are three... But the root certificate is only one...
The middle one might be useful, but the final third, no...

Indeed, when importing certificates from the browser, there are three displayed: the root certificate, the intermediate certificate, and the public certificate of 1.1.1.1. The key information here is that, for MikroTik routers, you primarily need the root certificate – 'DigiCert Global Root G2.' This is the top-level certificate in the chain and is sufficient for establishing trust.

While importing all three certificates might work for some setups, it's crucial to recognize that having only the root certificate is often adequate. This can help avoid unnecessary complications and ensure a cleaner setup.

rextended · Mon Jan 15, 2024 1:18 pm

But again... if you open the certificate property, is also present that... (do not trust forum, moderators can modify my post without any notice)

the solution is already inside the certificate
(1.3.6.1.5.5.7.48.1) URL=http://ocsp.digicert.com
(1.3.6.1.5.5.7.48.2) URL=http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt

http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt

It could be a security flaw to trust the certificate indicated by the site you are connecting to...
Strange that they allow this in certificates...

Amm0 · Mon Jan 15, 2024 2:34 pm

Another option: You can also use "openssl" client at Mac/Linux/WSL terminal to both the certificate chain ("openssl s_client -showcerts -connect 1.1.1.1:443").

A .pem file can be made by cut-and-paste the various "BEGIN CERTIFICATE" to "END CERTIFICATE" (include those BEGIN ... END CERTIFICATE markers) to a new file, you can copy the file and import them into RouterOS /certificates. Or, this Bourne shell command should extract just the certificates from the web site in SSLHOST into a file named certificate_chain_1.1.1.1.pem & output the check to Terminal:

SSLHOST=1.1.1.1; echo -n | openssl s_client -showcerts -connect $SSLHOST:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate_chain_$SSLHOST.pem; openssl x509 -in certificate_chain_$SSLHOST.pem -text -noout

While getting certs from a forum isn't a good idea, download them from the website itself is only slightly better. Although your current DNS servers have to be hacked for it to be a problem in the later case.

axe3 · Tue Jan 16, 2024 5:25 pm

Another option: You can also use "openssl" client at Mac/Linux/WSL terminal to both the certificate chain ("openssl s_client -showcerts -connect 1.1.1.1:443").

I previously looked at using openssl like this, but it appears to produce somewhat different results compared to using Chrome or Firefox.

For 1.1.1.1:443 it only gets the public certificate for 1.1.1.1 and the intermediate one, but does not include the root certificate.

For one.one.one.one:443 (which currently uses Google Trust Services instead of DigiCert like 1.1.1.1 does) it gets the public certificate for one.one.one.one and the intermediate one, as well as the root certificate whose value is different from that obtained via browsers, which I found confusing.

Can someone with more understanding on the subject explain the discrepancy of the browsers vs. openssl methods?

edyatl · Wed Jan 17, 2024 12:16 am

Another option: You can also use "openssl" client at Mac/Linux/WSL terminal to both the certificate chain ("openssl s_client -showcerts -connect 1.1.1.1:443").
I previously looked at using openssl like this, but it appears to produce somewhat different results compared to using Chrome or Firefox.

For 1.1.1.1:443 it only gets the public certificate for 1.1.1.1 and the intermediate one, but does not include the root certificate.

I confirm @axe3's info.
While the provided shell command is useful for extracting certificates from the web server, it's important to note that the resulting certificate_chain_1.1.1.1.pem file might lack the root certificate.

The command produces a .pem file containing the public certificate for cloudflare-dns.com and the intermediate certificate DigiCert Global G2 TLS RSA SHA256 2020 CA1. However, it may not include the root certificate, which is crucial for establishing a complete certificate chain.

For a comprehensive solution, it's recommended to obtain the root certificate separately. You can do this by visiting the website directly, as suggested by MikroTik support.

MTNick · Wed Jan 17, 2024 3:07 am

Above, a member wrote about three certificates:
Above, one member obscure public availabledata on image, so who trust?
Someone who has posted little on the forum, just registered, or someone who has written more and is member from long time?

Installing the three certificates in the PEM chain that you see in the browser actually installs the correct one, the intermediate one, and the public certificate itself of 1.1.1.1
That's why there are three... But the root certificate is only one...
The middle one might be useful, but the final third, no...

Greetings rextended & everyone,

I understand the concern over someone new posting & "trying" to help others out. Please don't assume that someone is playing tricks just because they are new to this forum. I'm new to the forum, but not new to Mikrotik products. The company I work for deploys thousands of Mikrotik products per year, mainly the CRS125-24G-1SRM, RB1100AHX4, CCR1009-7G-1C-15+ and some CCR1036-8G-2S+1, CCR1072-1G-8S+ devices. Can't forget about the RB750Gr3 hEX either. I just recently purchased Mikrotik products for my home. It's the reason I joined. I follow you, anav, normis, holvoetn and a few others on here. And yes, I do take the advice of the experienced long time members such as yourself & others. It's the natural thing to do. We are all here to learn & bounce ideas off each other. Not trying to start anything, just introducing myself.

Also, to clear this up, the 1.1.1.1/help (not sure this will post without hyperlink) is Cloudflares DNS checker. It verifies that you are connected to their services & lets you know which services you're connected to.

Amm0 · Wed Jan 17, 2024 3:48 am

The command produces a .pem file containing the public certificate for cloudflare-dns.com and the intermediate certificate DigiCert Global G2 TLS RSA SHA256 2020 CA1. However, it may not include the root certificate, which is crucial for establishing a complete certificate chain.

"openssl s_client ..." worked on an older Arch, but just test on Mac and Ubuntu... y'all correct, it's not including the needed root. It's still not the best plan here, since the purpose to verify DoH DNS server isn't being spoof... but if you were already spoofed, openssl client get you spoofed certs (albiet unlikely). I just had a command from a web server script, didn't cross-check the results for 1.1.1.1. Clearly you shouldn't trust anyone with the Mario Kart profile pic.

For a comprehensive solution, it's recommended to obtain the root certificate separately. You can do this by visiting the website directly, as suggested by MikroTik support.

Yup. And, if you wanted to be extreme through you can diff MT's docs with the copy on the root cert's web site (e.g. DigiCert, SSL.com, etc.).