Problem with DoH on Mikrotik Router since yesterday ?!?


Since last night my log is full of:
DoH Server connection error: SSL: handshake failed: unable to get local issuer certificate (6).
There is no DNS resolution anymore ... I had to disable "Verify DoH certificate" to get it working again. 

Is any service down?

br, Richard

  • The certificate for dns.nextdns.io switched to a different CA last night. If you installed the full CA chain as described on the setup page for Mikrotik routers, it should not be an issue.

    Please try running this:

    /tool fetch url=https://curl.se/ca/cacert.pem
    /certificate import file-name=cacert.pem

  • OK thx, just updated the CA ... now works again :-)

  • Where is this alleged "setup page for Mikrotik routers" ?! All I can find are posts like this one.

  • Hi, I think I have had the same problem on a pfSense router for 3 days. But the setup page for pfSense routers did not mention any certificate.

    How can I check it?

    Thank you

  • Hi,

    I also experience intermittent outages with my Mikrotik router, configured to use DoH, without "Verify DoH Certificate" checkmark. 

    In logs I get:

    DoH server connection error: Idle timeout - waiting data

    DoH server connection error: remote disconnected while in HTTP exchange

    DoH server connection error: SSL: internal error (6)

    Then it starts working again after 5-10 minutes, or I need to reboot the router. Not reliable, as I don't experience these issues with other providers using DoH.

    Is anyone else experiencing this also?

  • I'm experiencing the problem permanently. My router dns resolver only works by deactivating the "verify doh certificate". I followed the exact instructions from nextdns for mikrotik.

  • The instructions don't make sense. I use Mikrotik, and doing it the way it is taught does not work: static DNS, only manual DNS. I'm from Rio Grande do Sul and I pay for the service, but if I use it as instructed, with the US and SP servers, it does not fall back to pull the Edgeuno SAS DNS in Curitiba and Porto Alegre; that only works when set manually. Also, in Wireshark you can see an error, unknown certificate (48). I don't know if it is blocking by the provider; the disconnection one was, but the one I mentioned, I really don't know. The certificates and the equipment are all up to date. They would have to review the configuration; it doesn't add up at all: either it is static or manual DNS, Master or Slave.

  • Yeah, I also have constant SSL errors on Mikrotik routers and service dropouts. I even sent support emails about it and got zero response on the issue after the initial contact (Business user).
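
An added example, not part of any post in this thread: a small Python triage over the error strings quoted above, separating the trust-chain failure that the CA import addresses from the timeout, disconnect and internal-error messages reported with verification switched off. The sample log, the category names, the matching rules and the advice strings are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log built from the error strings quoted in this thread.
SAMPLE_LOG = """\
DoH Server connection error: SSL: handshake failed: unable to get local issuer certificate (6)
DoH server connection error: Idle timeout - waiting data
DoH server connection error: remote disconnected while in HTTP exchange
DoH server connection error: SSL: internal error (6)
dhcp,info lease renewed (constructed unrelated line)
"""

PREFIX = re.compile(r"DoH server connection error:\s*(.+)", re.IGNORECASE)

# Assumed categories; the first matching rule wins, so the specific
# trust-chain message is checked before the generic "ssl:" catch-all.
RULES = [
    ("trust-chain", "unable to get local issuer certificate"),
    ("transport", "idle timeout"),
    ("transport", "remote disconnected"),
    ("tls-other", "ssl:"),
]

def classify(line):
    """Return a category for a DoH error line, or None for other lines."""
    m = PREFIX.search(line)
    if not m:
        return None
    detail = m.group(1).lower()
    for category, needle in RULES:
        if needle in detail:
            return category
    return "unknown"

def triage(log_text, verify_cert_enabled):
    """Count DoH errors per category and list what to check next."""
    counts = Counter(c for c in map(classify, log_text.splitlines()) if c)
    advice = []
    if counts["trust-chain"]:
        advice.append("issuer missing from router trust store: re-import the CA bundle")
    if not verify_cert_enabled:
        advice.append("DoH certificate verification is off: re-enable it after the import")
    if counts["transport"] or counts["tls-other"]:
        advice.append("non-trust errors present: a CA import alone will not address these")
    return dict(counts), advice

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, verify_cert_enabled=False))
```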
