Community discussions

homerouter
Frequent Visitor
Topic Author
Posts: 64
Joined: Sun Dec 26, 2021 12:52 pm
Location: DK

cloudflare have changed the root cert?

Wed Apr 17, 2024 9:28 am

cloudflare-dns SSL cert error. They have changed the root cert?
After many months with no DNS problems, this morning I have a lot of DoH SSL errors; it started at about 02:17 UTC+1:
DoH server connection error SSL: ssl: no trusted CA certificate found (6)
If I check the cert at https://security.cloudflare-dns.com/dns-query, it has changed from DigiCertGlobalRootG2.

After loading the new cert it all runs again.

Why is cloudflare-dns just changing the cert?
Last edited by homerouter on Wed Apr 17, 2024 6:49 pm, edited 1 time in total.
 
patrikg
Member Candidate
Posts: 263
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: cloudflare have changed the root cert?

Wed Apr 17, 2024 9:36 am

Thanks for reporting this.

Have you checked the validity period of the CA cert? Maybe 5 years have passed.
Maybe the CA cert was revoked.
It's great that you found what the problem was, but perhaps you can also ask Cloudflare themselves.
 
normis
MikroTik Support
Posts: 26394
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: cloudflare have changed the root cert?  [SOLVED]

Wed Apr 17, 2024 9:50 am

Discussed many times on the forum:
https://community.cloudflare.com/t/upco ... ver/594379

Yes, they did change it, and did warn users
 
glazaroff
just joined
Posts: 2
Joined: Wed Apr 17, 2024 10:29 pm

Re: cloudflare have changed the root cert?

Wed Apr 17, 2024 10:32 pm

normis wrote:
Discussed many times on the forum:
https://community.cloudflare.com/t/upco ... ver/594379

Yes, they did change it, and did warn users

Which cert do we have to use for DoH with Cloudflare (https://security.cloudflare-dns.com/dns-query, 1.1.1.2 and 1.0.0.2), because DigiCert G2 doesn't work? Could you please put the link here? Do you plan to update the MikroTik docs as well? Thanks.
 
homerouter
Frequent Visitor
Topic Author
Posts: 64
Joined: Sun Dec 26, 2021 12:52 pm
Location: DK

Re: cloudflare have changed the root cert?

Thu Apr 18, 2024 10:46 am

What I don't understand is that today the problem is back.
They again changed the root cert, now back to DigiCertGlobalRootG2.
I see they also use the cert ISRG Root X2 from https://letsencrypt.org/certificates/
For now they change between so many certs:
DigiCertGlobalRootCA
DigiCertGlobalRootG2
DigiCertGlobalRootG3
ISRG Root X2 (Let's Encrypt)

For now I disabled "Verify DoH cert" on the main router. On my CHR I have installed the 4 listed .pem certs and will see in the log what's going on over the next days.
 
glazaroff
just joined
Posts: 2
Joined: Wed Apr 17, 2024 10:29 pm

Re: cloudflare have changed the root cert?

Sat Apr 20, 2024 6:27 pm

homerouter wrote:
What I don't understand is that today the problem is back.
They again changed the root cert, now back to DigiCertGlobalRootG2.
I see they also use the cert ISRG Root X2 from https://letsencrypt.org/certificates/
For now they change between so many certs:
DigiCertGlobalRootCA
DigiCertGlobalRootG2
DigiCertGlobalRootG3
ISRG Root X2 (Let's Encrypt)

For now I disabled "Verify DoH cert" on the main router. On my CHR I have installed the 4 listed .pem certs and will see in the log what's going on over the next days.

I've tried with DigiCertGlobalRootCA and DigiCertGlobalRootG2 but without success. Could someone please provide the correct certs which have to be installed? Thanks 😊
 
Amm0
Forum Guru
Posts: 3541
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: cloudflare have changed the root cert?

Sat Apr 20, 2024 7:11 pm

normis wrote:
Yes, they did change it, and did warn users

If you count a forum posting, sure.

Cloudflare is a $28B company, not MikroTik. So sharing certs in a forum posting without any hash (SHA256/etc.), with the only indication of authority being "Cloudflare Team" next to the user name, and going on to recommend not checking certs:
Cloudflare wrote:
If you are pinning the certificate chain attached to the Resolver, we highly recommend that you remove the certificate pin. This will ensure that there will be no issues or downtime when the certificate renews.

This would not give me a lot of faith in them if my goal in using DoH was privacy/security. I don't use DoH, but I'd probably trust the Swiss more and use Quad9 after reading that post from Cloudflare.
 
homerouter
Frequent Visitor
Topic Author
Posts: 64
Joined: Sun Dec 26, 2021 12:52 pm
Location: DK

Re: cloudflare have changed the root cert?

Sun Apr 21, 2024 6:57 pm

glazaroff wrote:
I've tried with DigiCertGlobalRootCA and DigiCertGlobalRootG2 but without success

Then you are doing something wrong. Go to: https://security.cloudflare-dns.com/dns-query
In Firefox press [CTRL]+I -> Security -> View Certificate.
All of them can be found here too: https://www.digicert.com/kb/digicert-ro ... icates.htm Get the .pem one...

For me all work ok again with: "DigiCert Global Root G2" and the 4 other just in case they change it again.
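Added example, not code from the thread, from MikroTik or from Cloudflare: a small Go program that reproduces the two practical points of the thread in code. First, homerouter's workaround above (import every root the resolver's chains can end at, because a store holding only one of them fails with "no trusted CA certificate found" as soon as the resolver serves a chain ending at another root). Second, Amm0's point that a root shared in a forum post should be checked against a SHA-256 fingerprint, and the "View Certificate" step in the last post: the function that verifies a chain also reports which root it ended at and that root's fingerprint. The two roots, the leaf certificates and the host name doh.example are constructed inside the program; they are stand-ins for the DigiCert/ISRG roots and for security.cloudflare-dns.com, not the real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a certificate for name. With parent == nil it is a self-signed CA
// (a constructed stand-in for the DigiCert / ISRG roots named in the thread); otherwise
// it is a server certificate for name signed by parent. A real chain would also carry
// an intermediate, which does not change the verification logic shown here.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// fingerprint returns the SHA-256 fingerprint of the DER-encoded certificate: the value
// to compare against the CA's own published fingerprint before importing a root.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// rootOfChain does what the router's "Verify DoH cert" option does: it builds a path from
// the server certificate to one of the imported roots and checks the host name. On success
// it returns the subject and fingerprint of the root the path ends at; on failure Go reports
// "certificate signed by unknown authority", the analogue of RouterOS's
// "no trusted CA certificate found".
func rootOfChain(leaf *x509.Certificate, host string, trusted []*x509.Certificate) (string, string, error) {
	pool := x509.NewCertPool()
	for _, r := range trusted {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	if err != nil {
		return "", "", err
	}
	root := chains[0][len(chains[0])-1]
	return root.Subject.CommonName, fingerprint(root), nil
}

func main() {
	const host = "doh.example" // hypothetical resolver name
	rootG2, keyG2 := makeCert("Example Root G2", nil, nil)
	rootX2, keyX2 := makeCert("Example Root X2", nil, nil)
	// The resolver alternates between certificates chaining to different roots.
	leafG2, _ := makeCert(host, rootG2, keyG2)
	leafX2, _ := makeCert(host, rootX2, keyX2)

	for i, leaf := range []*x509.Certificate{leafG2, leafX2} {
		for _, store := range [][]*x509.Certificate{{rootG2}, {rootG2, rootX2}} {
			subj, fp, err := rootOfChain(leaf, host, store)
			if err != nil {
				fmt.Printf("chain %d, %d root(s) imported: FAIL: %v\n", i+1, len(store), err)
				continue
			}
			fmt.Printf("chain %d, %d root(s) imported: OK via %q (sha256 %s)\n", i+1, len(store), subj, fp)
		}
	}
}
```

Run with `go run .`: the second chain fails while only one root is imported and passes once both are, which is the behaviour seen in the router log across the two days. Against the real resolver you would feed `rootOfChain` the chain the server presents and compare the printed fingerprint with the one on the CA's own download page, not with a value pasted into a forum post.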
