
dns.nextdns.io has an expired SSL cert

Endpoint provider failed: SourceHTTPSSVCProvider (dns.nextdns.io, https://dns.nextdns.io#45.: exchange: roundtrip: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-12-13T01:43:05-05:00 is after 2023-12-12T23:59:59Z

25 replies

    • NextDNs
    • 4 mths ago

    One of our DNS edge servers was silently failing to retrieve its TLS certificate from our control plane, which led to this issue. We have rectified the problem and are now focusing on eliminating this blind spot within our monitoring. We apologize for any inconvenience caused.

    • NextDNs
    • 4 mths ago

    That’s indeed not the case. Can you please show the output of `curl -v https://dns.nextdns.io`?

      • Tom.14
      • 4 mths ago

      @NextDNS

      root@t0mt0m:~# openssl s_client -connect dns.nextdns.io:443 2>/dev/null | openssl x509 -noout -dates
      notBefore=Sep 13 00:00:00 2023 GMT
      notAfter=Dec 12 23:59:59 2023 GMT

      It is expired -- `notAfter=Dec 12 23:59:59 2023 GMT`

      • Tom.14
      • 4 mths ago

      @NextDNS -- for the CNAME record associated with `dns.nextdns.io`

      root@t0mt0m:~# curl https://steering.nextdns.io -vI
      *   Trying 2a0b:4342:1a32:f:5054:ff:fe48:d17f:443...
      * TCP_NODELAY set
      * Connected to steering.nextdns.io (2a0b:4342:1a32:f:5054:ff:fe48:d17f) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *   CAfile: /etc/ssl/certs/ca-certificates.crt
        CApath: /etc/ssl/certs
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.3 (OUT), TLS alert, unknown CA (560):
      * SSL certificate problem: unable to get local issuer certificate
      * Closing connection 0
      curl: (60) SSL certificate problem: unable to get local issuer certificate
      More details here: https://curl.haxx.se/docs/sslcerts.html
      
      curl failed to verify the legitimacy of the server and therefore could not
      establish a secure connection to it. To learn more about this situation and
      how to fix it, please visit the web page mentioned above.

      Seems like it is using an unknown CA.

      • NextDNs
      • 4 mths ago

      Please check the full certificate, you should see that it is not issued by us. As said in another reply on this issue, since this morning, OpenDNS decided that dns.nextdns.io was an adult website (go figure…), so solutions based on their list will start blocking this hostname. If your system/network is using such a system, that would explain this situation. We contacted them to get unlisted, but there is nothing more we could do on our side.

      • Tom.14
      • 4 mths ago

      @NextDNS I do not use OpenDNS as a resolver anywhere at any point in my network infra. I do have an MITM solution that is performing certificate checks, but that alone should not be an issue. It too is reflecting a bad/expired SSL certificate. I set my DoH resolver for all my Chrome browsers with the NextDNS resolver URL at port 443 via the Google Workspace Admin console. The network appliances themselves leverage NextDNS resolvers and contain no other entries in the resolv.conf file. The gateway/edge itself is leveraging a DNS proxy installed onto itself, and the queries it produces are looped back to the listeners on it, which that proxy is configured to only use NextDNS. The DHCP and DHCPv6 assign DNS resolvers to all of my clients/workstations, and that is also configured to only use NextDNS via the proxy hosted at the edge.

      I block all other commonly known public resolvers via ACL on my firewall, at the edge.

      I still feel there is a certificate issue.

      • NextDNs
      • 4 mths ago

      Please check the pinned answer in this post. Let us know if you are still experiencing an issue.

      • Tom.14
      • 4 mths ago

      Yup -- seems to be good now. Thank you.

    • DeeEnEs
    • 4 mths ago

    I have the same issue.
    The cert seems to be valid and up to date when using `curl -v https://dns.nextdns.io`,
    but not when NextDNS is set up through Tailscale.
    curl would not work on the impacted host, as it won't know how to resolve nextdns.io.

      • NextDNs
      • 4 mths ago

      Is your network using OpenDNS?

    • Jeff_Loughridge
    • 4 mths ago

    It indeed is the case.

    jeffl@Dell7050:bin$ curl -v https://dns.nextdns.io
    *   Trying 146.112.61.106:443...
    * TCP_NODELAY set
    * Connected to dns.nextdns.io (146.112.61.106) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
    jeffl@Dell7050:bin$

      • NextDNs
      • 4 mths ago

      dns.nextdns.io is blocked by OpenDNS on your network and redirected to their block page server, hence the certificate issue.

      • Jeff_Loughridge
      • 4 mths ago

      You are correct. I didn't realize the system I was on had an OpenDNS server in its /etc/resolv.conf. Something happened late on 12/12/23 such that I had to deactivate the NextDNS client on every handset in my house or the devices would see kind of cert-related errors. My router is only handing out NextDNS servers via DHCP and DHCPv6. I am not sure how Cisco/OpenDNS blacklisting of nextdns.io as adult would cause this behavior. I will continue to investigate.

    • Atmis
    • 4 mths ago

    I have the same issue simultaneously on my 2 MikroTik routers (RouterOS 7.12.1).

    DoH server connection error: SSL: ssl: cert not valid (after: Tue Dec 12 23:59:59 2023 < now: Wed Dec 13 18:00:51 2023) - "CN=dns.nextdns.io" (6)

    I refreshed my root certificate, just in case, but no change. I had to move to Cloudflare DoH temporarily.

      • NextDNs
      • 4 mths ago

      Please check the pinned answer.

      • Atmis
      • 4 mths ago

      Well, I don't really understand what OpenDNS is doing here, I don't use their services at all. I have set up my MikroTik router the way you recommend it.

      /tool fetch url=https://curl.se/ca/cacert.pem
      /certificate import file-name=cacert.pem
      /ip dns set servers=""
      /ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
      /ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
      /ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
      /ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
      /ip dns set use-doh-server="https://dns.nextdns.io/xxxxxx" verify-doh-cert=yes

      But the issue is still here tonight.

    • Atmis
    • 4 mths ago

    I also rebooted the router; the issue is still there.

    • Jeff_Loughridge
    • 4 mths ago

    It indeed is the case.

    $ curl -v https://dns.nextdns.io
    *   Trying 146.112.61.106:443...
    * TCP_NODELAY set
    * Connected to dns.nextdns.io (146.112.61.106) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: <redacted>

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

    $

      • NextDNs
      • 4 mths ago

      Please check the IP you are connecting to:

      106.61.112.146.in-addr.arpa domain name pointer hit-adult.opendns.com.

      Your system resolver (OpenDNS) is redirecting you to their block page because they decided since this morning that dns.nextdns.io was an adult site… We contacted them; in the meantime you will have to disable OpenDNS or use a different system resolver (you could use ours) before you can connect to our DoH server.

    • Jeff_Loughridge
    • 4 mths ago

    It is indeed the case.

    I am blanking out URLs as that seems to get my message sent to a pending review queue.

    $ curl -v <DNS over HTTPS NextDNS URL>
    *   Trying 146.112.61.106:443...
    * TCP_NODELAY set
    * Connected to dns.nextdns.io (146.112.61.106) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: <redacted>

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

    • Captnbp
    • 4 mths ago

    Hi,

    I use DoH with MikroTik, with static entries (not using any other DNS).

    It seems only one IP behind dns.nextdns.io has an expired certificate: 45.90.28.0

    cfssl certinfo -domain 45.90.28.0:443
    {
      "subject": {
        "common_name": "dns.nextdns.io",
        "names": [
          "dns.nextdns.io"
        ]
      },
      "issuer": {
        "common_name": "ZeroSSL ECC Domain Secure Site CA",
        "country": "AT",
        "organization": "ZeroSSL",
        "names": [
          "AT",
          "ZeroSSL",
          "ZeroSSL ECC Domain Secure Site CA"
        ]
      },
      "serial_number": "120965480991335780270940007412645456290",
      "sans": [
        "dns.nextdns.io",
        "*.dns.nextdns.io"
      ],
      "not_before": "2023-09-13T00:00:00Z",
      "not_after": "2023-12-12T23:59:59Z",
      "sigalg": "ECDSAWithSHA384",
      "authority_key_id": "0F:6B:E6:4B:CE:39:47:AE:F6:7E:90:1E:79:F0:30:91:92:C8:5F:A3",
      "subject_key_id": "A3:2C:C3:8E:EF:12:3D:FE:B9:0F:10:07:8F:1E:CB:86:AE:37:EC:9E",
      "pem": "-----BEGIN CERTIFICATE-----\nMIIEIDCCA6egAwIBAgIQWwEarV14wZC11SZFju9pojAKBggqhkjOPQQDAzBLMQsw\nCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBF\nQ0MgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIzMDkxMzAwMDAwMFoXDTIzMTIx\nMjIzNTk1OVowGTEXMBUGA1UEAxMOZG5zLm5leHRkbnMuaW8wWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAARjwE3Yo9xjPp1g5agcgsZJ4Q68Y6qlsHEyVkU28Cq/173m\nkg3UyyAko318UJsX8a6IcZSIrU6YjEuZoHE/idbjo4ICnTCCApkwHwYDVR0jBBgw\nFoAUD2vmS845R672fpAeefAwkZLIX6MwHQYDVR0OBBYEFKMsw47vEj3+uQ8QB48e\ny4auN+yeMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG\nCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgJOMCUw\nIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCB\niAYIKwYBBQUHAQEEfDB6MEsGCCsGAQUFBzAChj9odHRwOi8vemVyb3NzbC5jcnQu\nc2VjdGlnby5jb20vWmVyb1NTTEVDQ0RvbWFpblNlY3VyZVNpdGVDQS5jcnQwKwYI\nKwYBBQUHMAGGH2h0dHA6Ly96ZXJvc3NsLm9jc3Auc2VjdGlnby5jb20wEQYIKwYB\nBQUHARgEBTADAgEFMIIBAgYKKwYBBAHWeQIEAgSB8wSB8ADuAHUArfe++nz/EMiL\nnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGKjLO5jwAABAMARjBEAiBahk+OPhxU\nLlE2ceEeKIYTkQhw2Y0Hxh6Wf7SPr9opdAIgKZtqSCepbzKXy50QMJKvo8buXJyv\no9cUenskHwzZ0pAAdQB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAA\nAYqMs7n+AAAEAwBGMEQCIGorRuD4OZiEarU5N5jev9pJTdfUsgHubgx3mwn2nYl9\nAiBKg4M85Cm2ZZzzUwxvR3P2NEfeLrlrTL93yGcJzyxtqzArBgNVHREEJDAigg5k\nbnMubmV4dGRucy5pb4IQKi5kbnMubmV4dGRucy5pbzAKBggqhkjOPQQDAwNnADBk\nAjAc949DXRnvUsvHq4i28rA08IjubvvY67/HqSxkWCMNrvd9zwaD7Fb0bwaVdpF3\nP2kCMD50i2ZURsQhtetosy5kMKXi/99JfRnlG6OuijUWm03d0Doi7PspoBgiZTGv\nvLdPFg==\n-----END CERTIFICATE-----\n"
    }

    45.90.30.0 is fine:

    cfssl certinfo -domain 45.90.30.0:443
    {
      "subject": {
        "common_name": "dns.nextdns.io",
        "names": [
          "dns.nextdns.io"
        ]
      },
      "issuer": {
        "common_name": "ZeroSSL ECC Domain Secure Site CA",
        "country": "AT",
        "organization": "ZeroSSL",
        "names": [
          "AT",
          "ZeroSSL",
          "ZeroSSL ECC Domain Secure Site CA"
        ]
      },
      "serial_number": "104429572728810159461796863158411042299",
      "sans": [
        "dns.nextdns.io",
        "*.dns.nextdns.io"
      ],
      "not_before": "2023-10-18T00:00:00Z",
      "not_after": "2024-01-16T23:59:59Z",
      "sigalg": "ECDSAWithSHA384",
      "authority_key_id": "0F:6B:E6:4B:CE:39:47:AE:F6:7E:90:1E:79:F0:30:91:92:C8:5F:A3",
      "subject_key_id": "90:A2:4E:45:9F:BC:63:82:3D:26:89:09:2C:36:91:B1:CB:84:D6:E1",
      "pem": "-----BEGIN CERTIFICATE-----\nMIIEITCCA6igAwIBAgIQTpBndGUkJDtGPdD38iOd+zAKBggqhkjOPQQDAzBLMQsw\nCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBF\nQ0MgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIzMTAxODAwMDAwMFoXDTI0MDEx\nNjIzNTk1OVowGTEXMBUGA1UEAxMOZG5zLm5leHRkbnMuaW8wWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAATHvYVtSBLlq4RcC+ZAbGsE+22Ni6k/JQ4O0SV0O97L/K+5\nXfm+mQhvt+zxIx+C8swVN39dhz5MvHMdbvI+rYhyo4ICnjCCApowHwYDVR0jBBgw\nFoAUD2vmS845R672fpAeefAwkZLIX6MwHQYDVR0OBBYEFJCiTkWfvGOCPSaJCSw2\nkbHLhNbhMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG\nCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgJOMCUw\nIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCB\niAYIKwYBBQUHAQEEfDB6MEsGCCsGAQUFBzAChj9odHRwOi8vemVyb3NzbC5jcnQu\nc2VjdGlnby5jb20vWmVyb1NTTEVDQ0RvbWFpblNlY3VyZVNpdGVDQS5jcnQwKwYI\nKwYBBQUHMAGGH2h0dHA6Ly96ZXJvc3NsLm9jc3Auc2VjdGlnby5jb20wEQYIKwYB\nBQUHARgEBTADAgEFMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYAdv+IPwq2+5VR\nwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQAAAGLQPJPgwAABAMARzBFAiEAjWM/hg0a\n1TFot4EhHAlB8DyMfBvhU6blNp3bFrSCQ0oCIHwHQFVQu07G6O128dr4DP1ERBG0\nY+VjzZSFJqgLx18KAHUA2ra/az+1tiKfm8K7XGvocJFxbLtRhIU0vaQ9MEjX+6sA\nAAGLQPJP1QAABAMARjBEAiA4DiCvvyl5qmpTfbqQsrqKEFdudsvVObjon+sDOMGW\n9AIgARtnXTFVme8+eO6DpglujE0raJ22lGx2jC2Alcjs4fEwKwYDVR0RBCQwIoIO\nZG5zLm5leHRkbnMuaW+CECouZG5zLm5leHRkbnMuaW8wCgYIKoZIzj0EAwMDZwAw\nZAIwL3irp8KvjtZ6X/R32zguXl/+1fpmVofZ9+FDfszyCXJJKrKK8V5wcCVEDeBB\nGkmbAjBo6HVV7mbLo5CpX0h0OGaCxAGiQFguGfBbjuvtsok/PWA49G0IUjz9Ohqh\nVBjIv0g=\n-----END CERTIFICATE-----\n"
    }

    I had to disable the static DNS entry in RouterOS for 45.90.28.0 and everything went back to normal.

    Waiting for you guys to update the expired certificate on 45.90.28.0 to enable it again as a failover ;-)
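The per-IP check Captnbp did by hand above, as an added Python script that is not part of this thread or of NextDNS's tooling: it resolves every A/AAAA record behind a hostname, handshakes with each edge under the hostname's SNI, reports how long the presented certificate has left, and otherwise classifies the verify failure the way this thread had to (an expired certificate on one edge versus "unknown CA" from a filtering resolver's block page, with the peer IP's PTR name for the latter). The function names are my own; the sample validity dates and the 45.90.28.0 / hit-adult.opendns.com values come from the thread, and the check is assumed to run from a host whose resolver returns the real edge IPs.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL X509_V_ERR_* codes exposed as SSLCertVerificationError.verify_code
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20

# Constructed sample in SSLSocket.getpeercert() shape, using the validity
# dates the thread reports for the stale edge 45.90.28.0.
STALE_EDGE_CERT = {
    "notBefore": "Sep 13 00:00:00 2023 GMT",
    "notAfter": "Dec 12 23:59:59 2023 GMT",
}

def seconds_left(cert, now_ts=None):
    """Seconds until `cert` (a getpeercert() dict) expires; negative if expired."""
    if now_ts is None:
        now_ts = datetime.now(timezone.utc).timestamp()
    return ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts

def classify_failure(verify_code, ptr_name=None):
    """Map one edge's verify error to the two causes this thread ran into."""
    if verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
        return ("expired", "edge is serving a stale certificate")
    if verify_code == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
        # Unknown CA usually means the real edge was never reached; the peer
        # IP's PTR record often names the interposed block page.
        return ("unknown-ca", f"possible block page, PTR={ptr_name}")
    return ("other", f"verify error {verify_code}")

def scan_edges(hostname, port=443, timeout=5.0):
    """Check every A/AAAA edge behind `hostname` one by one, under its SNI,
    instead of trusting whichever single IP the resolver hands out."""
    ctx = ssl.create_default_context()  # full chain + hostname verification
    results = {}
    for _, _, _, _, sockaddr in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in results:
            continue
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                    days = seconds_left(tls.getpeercert()) / 86400
                    results[ip] = ("ok", f"{days:.1f} days until notAfter")
        except ssl.SSLCertVerificationError as err:
            try:
                ptr = socket.gethostbyaddr(ip)[0]
            except OSError:
                ptr = None
            results[ip] = classify_failure(err.verify_code, ptr)
        except OSError as err:
            results[ip] = ("connect-failed", str(err))
    return results
```

`scan_edges("dns.nextdns.io")` returns one `(kind, detail)` entry per edge IP; the IPv6 edges (2a07:a8c0:: and 2a07:a8c1:: in the thread) are covered automatically when the host has IPv6 connectivity.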

      • Captnbp
      • 4 mths ago

      I also checked the IPv6 static entries:

      2a07:a8c0:: has its certificate expired in the same way as 45.90.28.0

      2a07:a8c1:: is OK

      • NextDNs
      • 4 mths ago

      Thanks for the additional info. We found the issue: we had one edge silently failing to get its new certificates from our control plane. We removed this host for investigation; the problem should be fixed now. Sorry for the inconvenience.

      • Jeff_Loughridge
      • 4 mths ago

      Appreciate the info. I knew that my issue wasn't OpenDNS (with the exception of that company being my nameserver on that one system), as I don't use OpenDNS servers in my DHCP/DHCPv6 config in my router. Sounds like active monitoring might prevent your users from having to report this type of issue in the future.

      • NextDNs
      • 4 mths ago

      We have a ton of monitoring already; this should never have gone unnoticed, but we had a bug making this one silent. It has been fixed, so it won't happen again.

Content aside

  • Status: Fixed
  • 1 Like
  • Last active: 4 mths ago
  • 25 Replies
  • 405 Views
  • 5 Following