DNS-over-HTTPS request failed to obtain valid SSL certificate from server
The issue started this morning and it seems to be a problem with the SSL certificate in some instances of dns.nextdns.io.
Windows is logging DNS Client Events error 8048:
DNS-over-HTTPS request failed to obtain valid SSL certificate from server 45.90.28.0, with template https://dns.nextdns.io/XXXXX/YYYYYY, due to: unfamiliar Certificate Authority;. WinHTTP flags: 0x8
YogaDNS reports a similar error:
OpenURL error 12045: The certificate authority is invalid or incorrect, URL=https://yoga.dns.nextdns.io/XXXXX/YYYYYY?body_hash=zzzzzzz
As a workaround I changed the fallback DNS in Windows to use plain DNS for 45.90.28.155 so I'm able to work but this is far from ideal.
Please advise.
10 replies
-
Tried making the call from C#:
using var http = new HttpClient();
var resp = await http.GetStringAsync("https://dns.nextdns.io/info");
This produces a HttpRequestException:
The SSL connection could not be established, see inner exception.
AuthenticationException:
The remote certificate is invalid because of errors in the certificate chain: PartialChain

-
Support on vacation? 🤨
-
Problem: Windows was missing the "USERTrust ECC Certification Authority" (Sectigo ECC) root cert.
Solution: Import the cert from another PC.
The Friday-working-to-Monday-not-working thing I'll chalk it up to some update in NextDNS servers that would have been fine if not for the missing cert.
EDIT: No idea why the cert was missing. Will investigate next time I have a free moment.
-
Cause: Windows was set not to update root certificates.
Check if:
Key: HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot
Value: DisableRootAutoUpdate = 1
gpedit:
Computer Configuration/ Administrative Templates/ System/ Internet Communication Management/ Internet Communication settings/ Turn off Automatic Root Certificate Update
That should help but I cannot confirm since I already imported the cert.
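
The checks from the last two replies, combined into one PowerShell diagnostic. This is an added example, not code from the thread or from NextDNS; the function name Test-DohTrust is hypothetical, and it assumes Windows PowerShell 5.1 run on the affected machine.

```powershell
# Added diagnostic sketch; Test-DohTrust is a hypothetical helper name.
function Test-DohTrust {
    param(
        [string]$HostName = 'dns.nextdns.io',
        [string]$RootCN   = 'USERTrust ECC Certification Authority'
    )

    # 1. Policy value from the thread: 1 means Windows will not fetch missing roots.
    $key    = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot'
    $policy = (Get-ItemProperty -Path $key -Name DisableRootAutoUpdate `
                   -ErrorAction SilentlyContinue).DisableRootAutoUpdate

    # 2. Is the root named in the thread present in the machine root stores?
    $roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
        Where-Object { $_.Subject -like "*CN=$RootCN*" } |
        Sort-Object Thumbprint -Unique

    # 3. TLS handshake with normal validation; record what the chain engine reports.
    $seen = @{ Errors = 'NotReached'; Status = @(); Chain = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $policyErrors)
        $seen.Errors = "$policyErrors"
        $seen.Status = @($chain.ChainStatus   | ForEach-Object { "$($_.Status)" })
        $seen.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Never override trust: accept only when Windows itself found no errors.
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try     { $ssl.AuthenticateAsClient($HostName) }
        catch [System.Security.Authentication.AuthenticationException] { }  # details are in $seen
        finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }

    [pscustomobject]@{
        DisableRootAutoUpdate = $policy                 # empty when the policy is not set
        RootPresent           = [bool]$roots
        RootThumbprints       = @($roots.Thumbprint)
        SslPolicyErrors       = $seen.Errors            # 'None' on a healthy machine
        ChainStatus           = $seen.Status            # e.g. PartialChain, as in the C# reply
        ChainSubjects         = $seen.Chain
    }
}
Test-DohTrust | Format-List
```

A machine in the state described in the thread would show DisableRootAutoUpdate = 1, RootPresent = False and a ChainStatus such as PartialChain; after the root is imported or automatic root updates are re-enabled, SslPolicyErrors should read None.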

