dns.nextdns.io has an expired SSL cert
Endpoint provider failed: SourceHTTPSSVCProvider (dns.nextdns.io, https://dns.nextdns.io#45.: exchange: roundtrip: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-12-13T01:43:05-05:00 is after 2023-12-12T23:59:59Z
25 replies
-
One of our DNS edge servers was silently failing to retrieve its TLS certificate from our control plane, which led to this issue. We have rectified the problem and are now focusing on eliminating this blind spot within our monitoring. We apologize for any inconvenience caused.
-
That’s indeed not the case. Can you please show the output of curl -v https://dns.nextdns.io
-
I have the same issue.
The cert seems to be valid and up to date when using curl -v https://dns.nextdns.io
But not when NextDNS is set up through Tailscale.
curl would not work on the impacted host as it won't know how to resolve nextdns.io
-
It indeed is the case.
jeffl@Dell7050:bin$ curl -v https://dns.nextdns.io
* Trying 146.112.61.106:443...
* TCP_NODELAY set
* Connected to dns.nextdns.io (146.112.61.106) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
jeffl@Dell7050:bin$
-
I have the same issue simultaneously on my 2 MikroTik routers (RouterOS 7.12.1):
DoH server connection error: SSL: ssl: cert not valid (after: Tue Dec 12 23:59:59 2023 < now: Wed Dec 13 18:00:51 2023) - "CN=dns.nextdns.io" (6)
I refreshed my root certificate, just in case, but no change. I had to move to Cloudflare DoH temporarily.
-
I also rebooted the router, issue is still there.
-
It indeed is the case.
$ curl -v https://dns.nextdns.io
* Trying 146.112.61.106:443...
* TCP_NODELAY set
* Connected to dns.nextdns.io (146.112.61.106) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: <redacted>
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$
-
It is indeed the case.
I am blanking out URLs as that seems to get my message sent to a pending review queue.
$ curl -v <DNS over HTTPS NextDNS URL>
* Trying 146.112.61.106:443...
* TCP_NODELAY set
* Connected to dns.nextdns.io (146.112.61.106) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: <redacted>
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
-
Hi,
I use DoH with MikroTik, with static entries (not using any other DNS).
It seems only one IP behind dns.nextdns.io has an expired certificate: 45.90.28.0
cfssl certinfo -domain 45.90.28.0:443
{
  "subject": { "common_name": "dns.nextdns.io", "names": [ "dns.nextdns.io" ] },
  "issuer": { "common_name": "ZeroSSL ECC Domain Secure Site CA", "country": "AT", "organization": "ZeroSSL", "names": [ "AT", "ZeroSSL", "ZeroSSL ECC Domain Secure Site CA" ] },
  "serial_number": "120965480991335780270940007412645456290",
  "sans": [ "dns.nextdns.io", "*.dns.nextdns.io" ],
  "not_before": "2023-09-13T00:00:00Z",
  "not_after": "2023-12-12T23:59:59Z",
  "sigalg": "ECDSAWithSHA384",
  "authority_key_id": "0F:6B:E6:4B:CE:39:47:AE:F6:7E:90:1E:79:F0:30:91:92:C8:5F:A3",
  "subject_key_id": "A3:2C:C3:8E:EF:12:3D:FE:B9:0F:10:07:8F:1E:CB:86:AE:37:EC:9E",
  "pem": "<certificate PEM omitted>"
}
45.90.30.0 is fine:
cfssl certinfo -domain 45.90.30.0:443
{
  "subject": { "common_name": "dns.nextdns.io", "names": [ "dns.nextdns.io" ] },
  "issuer": { "common_name": "ZeroSSL ECC Domain Secure Site CA", "country": "AT", "organization": "ZeroSSL", "names": [ "AT", "ZeroSSL", "ZeroSSL ECC Domain Secure Site CA" ] },
  "serial_number": "104429572728810159461796863158411042299",
  "sans": [ "dns.nextdns.io", "*.dns.nextdns.io" ],
  "not_before": "2023-10-18T00:00:00Z",
  "not_after": "2024-01-16T23:59:59Z",
  "sigalg": "ECDSAWithSHA384",
  "authority_key_id": "0F:6B:E6:4B:CE:39:47:AE:F6:7E:90:1E:79:F0:30:91:92:C8:5F:A3",
  "subject_key_id": "90:A2:4E:45:9F:BC:63:82:3D:26:89:09:2C:36:91:B1:CB:84:D6:E1",
  "pem": "<certificate PEM omitted>"
}
I had to disable the static DNS entry in RouterOS for 45.90.28.0 and everything went back to normal.
Waiting for you guys to update the expired certificate on 45.90.28.0 to enable it again as a failover ;-)
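The per-IP check that the reply above did by hand with cfssl, written up as an added example (not NextDNS's code or monitoring): it grades cfssl-style validity fields against a given instant, normalising the "Z" and "-05:00" offsets seen in the thread, and probes every address behind a hostname with SNI set so that one edge serving a stale certificate is caught. It assumes Python 3.9+, a 14-day warning threshold, and constructed records copying the not_before/not_after values from the two cfssl outputs above.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_BEFORE = timedelta(days=14)  # assumed alerting threshold, not a NextDNS value

def parse_time(value: str) -> datetime:
    """RFC 3339 stamps as printed by cfssl ("...Z") or by the Go client ("...-05:00"),
    normalised to aware UTC so the two offsets compare correctly."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def classify(certinfo: dict, now: datetime) -> dict:
    """Grade one cfssl certinfo record (only the validity fields are needed)."""
    not_before, not_after = parse_time(certinfo["not_before"]), parse_time(certinfo["not_after"])
    if now < not_before:
        status = "not-yet-valid"
    elif now > not_after:
        status = "expired"
    elif not_after - now < WARN_BEFORE:
        status = "expiring-soon"
    else:
        status = "ok"
    return {"status": status, "days_left": (not_after - now).days}

def resolve_all(host: str, port: int = 443) -> list:
    # Every address behind the name; each edge must be probed on its own.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})

def verify_endpoint(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Handshake with one IP, sending SNI for `host`, against the system trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message  # e.g. "certificate has expired", as in the client log
    except OSError as e:
        return False, f"connect: {e}"

# Constructed records copying the validity fields of the two cfssl outputs in the thread.
SAMPLE = {
    "45.90.28.0": {"not_before": "2023-09-13T00:00:00Z", "not_after": "2023-12-12T23:59:59Z"},
    "45.90.30.0": {"not_before": "2023-10-18T00:00:00Z", "not_after": "2024-01-16T23:59:59Z"},
}

def report(records: dict, now_str: str) -> dict:
    # Status per IP at instant `now_str`, e.g. the time quoted in the Go error.
    now = parse_time(now_str)
    return {ip: classify(info, now)["status"] for ip, info in records.items()}
```

Run `report(SAMPLE, "2023-12-13T01:43:05-05:00")` to reproduce the split seen in the thread offline, and loop `verify_endpoint("dns.nextdns.io", addr)` over `resolve_all("dns.nextdns.io")` for a live per-edge probe.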