NextDNS CLI on router begins failing due to device root CA. Journey to recovery.
I've been using the NextDNS CLI / daemon on my router to provide name resolution to all my networks. Very recently, DNS began failing network-wide. I'm sharing the steps I took to become operational in case anyone else has a similar problem.
When I log into the router and check the nextdns logs, I see the following:
extdns[3565]: Endpoint failed: https://dns2.nextdns.io#45.90.30.0,2a07:a8c1::: roundtrip: x509: certificate signed by unknown authority (subject=CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GB, issuer=CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US)
This looks like the root certificates are stale on the device, which is blocking TLS connections to the service. No problem, the ca-certificates package doesn't have any code dependencies and should install new root CA certs. I go ahead and download the package from https://packages.debian.org/sid/all/ca-certificates/download and try to install, but run into a new issue.
target dpkg-deb: error: archive 'ca-certificates_20260223_all.deb' contains not understood data member control.tar.xz, giving up
dpkg: error processing ca-certificates_20260223_all.deb (--install): subprocess dpkg-deb --control returned error exit status 2
The installed version of dpkg on the device doesn't have support for packages compressed with xz. The sensible thing to try here is to rebuild the package on a different machine using gzip instead of xz.
dpkg-deb -R ca-certificates_20260223_all.deb extracted/
dpkg-deb --build -Zgzip extracted/ ca-certificates_20260223_gzip.deb
Installing the gzipped package now has a dependency issue! Of course, it can't be that easy -- but new errors are good errors.
ca-certificates requires openssl >= 1.1.1; the openssl version I have on the system is ...<not >= 1.1.1>
Attempting to upgrade openssl would be a complete nightmare. Instead, I try to remove the dependency on openssl. The available version should be compatible with 1.1.1. The risk is that the new certs contain ciphers that openssl doesn't understand. The chances are slim, but just in case, I make a backup of the current install in case I need to roll things back.
BK="$HOME/cacerts-backup-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BK/dpkg-info"
dpkg-query -W -f='${Package} ${Version} | ${Status}\n' ca-certificates > "$BK/version.txt" 2>&1
cp -a /var/lib/dpkg/info/ca-certificates.* "$BK/dpkg-info/"
sed -n '/^Package: ca-certificates$/,/^$/p' /var/lib/dpkg/status > "$BK/status-stanza.txt"
tar czf "$BK/trust-backup.tgz" \
/etc/ssl/certs /usr/share/ca-certificates /etc/ca-certificates.conf /etc/ca-certificates \
2>/dev/null
tar tzf "$BK/trust-backup.tgz" >/dev/null && echo "backup OK -> $BK" || echo "BACKUP BAD - stop"
Next, I rebuild the package again, using gzip and without the openssl dependency.
dpkg-deb -R ca-certificates_20260223_all.deb x
sed -i 's/openssl (>= 1.1.1)/openssl/' x/DEBIAN/control
dpkg-deb --build -Zgzip x ca-certificates_20260223_relaxed.deb
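The "not understood data member control.tar.xz" error is dpkg refusing a member name inside the package archive it cannot decompress, so the useful check before copying a rebuilt package to the router is to list the members and confirm the control member is gzip. The script below is an added example, not code from the post or from the dpkg project: it parses the .deb (an "ar" archive) in plain POSIX shell, wraps the gzip/relaxed-dependency repack shown above in a function, and builds a tiny constructed fake .deb so the inspection can be tried without a real package. The repack function assumes dpkg-deb is installed on the build machine and is only run when asked for.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a .deb's members before
# shipping it to the router, and wrap the gzip / relaxed-dependency repack.
# A .deb is an "ar" archive: 8-byte magic "!<arch>\n", then per member a
# 60-byte ASCII header (name[16] mtime[12] uid[6] gid[6] mode[8] size[10] "`\n")
# followed by the member data, padded to an even length.

# Print "name size" for every member of an ar archive (pure POSIX shell).
deb_members() {
    f="$1"
    [ "$(dd if="$f" bs=8 count=1 2>/dev/null)" = "!<arch>" ] || {
        echo "$f: not an ar archive" >&2
        return 1
    }
    total=$(wc -c < "$f" | tr -d ' ')
    off=8
    while [ "$off" -lt "$total" ]; do
        hdr=$(dd if="$f" bs=1 skip="$off" count=60 2>/dev/null)
        name=$(printf '%s' "$hdr" | cut -c1-16 | sed 's/[ /]*$//')
        size=$(printf '%s' "$hdr" | cut -c49-58 | tr -d ' ')
        printf '%s %s\n' "$name" "$size"
        off=$((off + 60 + size + size % 2))
    done
}

# Print the compression suffix of the control member (xz, gz, zst) or "none".
deb_control_compression() {
    deb_members "$1" | awk '$1 ~ /^control\.tar/ {
        sub(/^control\.tar\.?/, "", $1); print ($1 == "" ? "none" : $1) }'
}

# Rebuild with gzip members and the openssl constraint relaxed, exactly as in
# the post, then confirm the result before it goes anywhere. Needs dpkg-deb.
repack_deb_gzip() {
    in="$1"; out="$2"; work=$(mktemp -d)
    dpkg-deb -R "$in" "$work/x"
    sed -i 's/openssl (>= 1.1.1)/openssl/' "$work/x/DEBIAN/control"
    dpkg-deb --build -Zgzip "$work/x" "$out"
    rm -rf "$work"
    [ "$(deb_control_compression "$out")" = "gz" ] || {
        echo "$out: control member is still not gzip" >&2
        return 1
    }
}

# Constructed sample: a minimal .deb-shaped archive (three members, fake
# contents) so the inspection can be demonstrated without a real package.
ar_header() { printf '%-16s%-12s%-6s%-6s%-8s%-10s\140\n' "$1" 0 0 0 100644 "$2"; }
make_fake_deb() {
    {
        printf '!<arch>\n'
        ar_header debian-binary 4;      printf '2.0\n'
        ar_header "control.tar.$2" 4;   printf 'CTRL'
        ar_header "data.tar.$2" 4;      printf 'DATA'
    } > "$1"
}

# Usage: sh deb-check.sh members pkg.deb | repack in.deb out.deb | demo
case "${1:-}" in
    members) deb_members "$2" ;;
    repack)  repack_deb_gzip "$2" "$3" ;;
    demo)    make_fake_deb /tmp/fake.deb xz; deb_members /tmp/fake.deb
             echo "control compression: $(deb_control_compression /tmp/fake.deb)" ;;
esac
```

Running `members` on the downloaded package shows `control.tar.xz` and `data.tar.xz`, which is exactly what the old dpkg on the router chokes on; after `repack` both members end in `.gz`, and the function fails loudly if they do not.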
Install the new certificates on the router and start up the nextdns daemon. Works like a charm :).
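A practitioner wanting to confirm the diagnosis (and the fix) rather than infer it from the daemon starting would check whether the authority named in the x509 error is actually present and enabled in the router's trust store. The script below is an added example, not code from the post or from NextDNS: it pulls the subject and issuer CNs out of the log line quoted above, maps them to entries in /etc/ca-certificates.conf, and reports enabled / disabled / missing. It assumes Debian's naming convention for bundled roots (`mozilla/<CN with spaces replaced by underscores>.crt`, a leading `!` meaning present but disabled), and that the Go-based nextdns binary verifies against the bundle those entries are assembled into (/etc/ssl/certs/ca-certificates.crt). The `verify_endpoint` function needs openssl and network access and is only run when a hostname is given.

```shell
#!/bin/sh
# Added example (not from the original post): turn the x509 error into a
# concrete check of the router's ca-certificates trust store.
# Assumed conventions: each bundled root appears in /etc/ca-certificates.conf
# as "mozilla/<CN with spaces as underscores>.crt"; a leading "!" means the
# file is shipped but not enabled in the assembled bundle.

# The log line from the post, used here as sample input.
SAMPLE_LOG='extdns[3565]: Endpoint failed: https://dns2.nextdns.io#45.90.30.0,2a07:a8c1::: roundtrip: x509: certificate signed by unknown authority (subject=CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GB, issuer=CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US)'

# CN of the certificate Go could not chain (subject=) and CN of the authority
# it expected to find in the store (issuer=).
subject_cn_from_log() { printf '%s\n' "$1" | sed -n 's/.*subject=CN=\([^,]*\),.*/\1/p'; }
issuer_cn_from_log()  { printf '%s\n' "$1" | sed -n 's/.*issuer=CN=\([^,]*\),.*/\1/p'; }

# Map a root CN to its ca-certificates.conf entry (assumed naming convention).
cn_to_conf_entry() { printf 'mozilla/%s.crt\n' "$(printf '%s' "$1" | tr ' ' '_')"; }

# Report enabled / disabled / missing for one conf entry (exact line match).
ca_status() {
    conf="$1"; entry="$2"
    if grep -qxF "$entry" "$conf"; then echo enabled
    elif grep -qxF "!$entry" "$conf"; then echo disabled
    else echo missing
    fi
}

# Check both CNs named in a log line against a conf file, one line each.
check_log_line() {
    line="$1"; conf="$2"
    for cn in "$(subject_cn_from_log "$line")" "$(issuer_cn_from_log "$line")"; do
        entry=$(cn_to_conf_entry "$cn")
        printf '%s: %s\n' "$entry" "$(ca_status "$conf" "$entry")"
    done
}

# After installing the package: confirm the endpoint's chain verifies against
# the system store the daemon uses (needs openssl and network access).
verify_endpoint() {
    openssl s_client -connect "$1:443" -servername "$1" -CApath /etc/ssl/certs \
        </dev/null 2>/dev/null | grep 'Verify return code'
}

# Usage: sh trust-check.sh /etc/ca-certificates.conf [dns2.nextdns.io]
if [ -n "${1:-}" ]; then
    check_log_line "$SAMPLE_LOG" "$1"
    if [ -n "${2:-}" ]; then verify_endpoint "$2"; fi
fi
```

Run against the router's conf before the upgrade, a "missing" or "disabled" line for the issuer is the root cause in one glance; after the upgrade it should read "enabled", and `verify_endpoint dns2.nextdns.io` should print `Verify return code: 0 (ok)` before the daemon is restarted.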