1

DOH certificate for Mikrotik

Hello everybody.
When I tried to use config for NextDNS on my Mikroitik, my "Free HDD space" went to 0. These certificates occupied all my free space (1000KB, AC2, ROS 7.10.2 )!!!
I was forced to make a NetInstall and restore using backup.

Here is the configuration I used.

CODE: SELECT ALL

/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns set use-doh-server=“https://dns.nextdns.io/asdf23/mikrotik.lite22” verify-doh-cert=yes
/ip dns set servers=""
/ip/dns/cache flush

So the question is how can I import certificate specifically for Nextdns and avoid this huge list from curl.se? Can somebody please explain me how to do that?

Thanks in advance.

4 replies

null
    • Vlad_Zavadsky
    • 1 yr ago
    • Reported - view

    Anybody?

    • Pothi
    • 1 yr ago
    • Reported - view

    You don't have to download all the certificates.

    Irrespective of the DoH provider, you just have to visit the URL that provides DoH service (with nextdns, it is https://dns.nextdns.io). You'll be presented with a blank page (irrespective of the DoH provider). That's okay. All we need is the public root CA certificate. Every website comes with the following three SSL certificates...

    1. SSL certificate for the actual domain
    2. Intermediate SSL certificate
    3. Root CA Certificate.

    We need to download the public root CA certificate. The guidelines to download the public root CA certificate varies across browsers. For Firefox (desktop version), please check out... http://mzl.la/1ApHjHr

    Once you downloaded the public root CA certificate for dns.nextdns.io, copy it to your MikroTik device and import it there. From there, DoH should work as expected.

    I hope that helps.

      • Vlad_Zavadsky
      • 1 yr ago
      • Reported - view

      Pothi Kalimuthu hi! Looks like your suggestion works! Thank you! 
      But the certificate is only for 3 month, I wish there was a script to update it automatically. But this is only a thought.

      • Pothi
      • 1 yr ago
      • Reported - view

      Root CA certificate of dns.nextdns.io is valid until 2038. Anyway, here's the script to automate DoH configuration for nextdns in MikroTik devices... https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/nextdns.rsc .

      Even when we use https://curl.haxx.se/ca/cacert.pem , we have to update the root CA certificates periodically using the scheduler in MikroTik.

Content aside

  • 1 Likes
  • 1 yr agoLast active
  • 4Replies
  • 2129Views
  • 2 Following