topic Re: After configuring OpenDNS, cannot access https sites in OpenDNS

After configuring OpenDNS, cannot access https sites

ggidd — Fri, 20 Jan 2017 14:55:52 GMT

Greetings.

Yesterday I configured OpenDNS and finally got it working when I turned off SecureDNS in Avast! pro. Now, though, when I try to access some sites with https such as https://news.google.com and https://www.facebook.com with Google Chrome, Internet Explorer 11 or Microsoft Edge, I get the message

Chrome:

Your connection is not private

Attackers might be trying to steal your information from www.facebook.com (for example, passwords, messages, or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID

Certificate Error: Navigation Blocked

There is a problem connecting securely to this website.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

You should close this webpage.

Click here to close this webpage.

More information
If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.

For more information, see "Certificate Errors" in Internet Explorer Help.

I have run the OpenDNS diagnostic tool, but the results don't mean much to me.

Is this a common problem? How shall I proceed to be able to access unblocked sites?

Re: After configuring OpenDNS, cannot access https sites

ggidd — Fri, 20 Jan 2017 17:08:51 GMT

I resolved this by installing the Cisco_Umbrella_Root_CA certificate.

Re: After configuring OpenDNS, cannot access https sites

rotblitz — Fri, 20 Jan 2017 18:08:37 GMT

Well done! Here is the related KB article.

Re: After configuring OpenDNS, cannot access https sites

jprokos — Fri, 27 Oct 2017 15:38:50 GMT

Yes, where exactly is the SHA 256 Fingerprint for the Cisco Umbrella Root CA?. This certificate shows as, "Not Verified" on my iOS device.

Apple's website has a different fingerprint and serial number than the one shown in the "Cisco Umbrella Root CA" certificate.

Without a published Fingerprint hard to trust.

Re: After configuring OpenDNS, cannot access https sites

rotblitz — Fri, 27 Oct 2017 16:38:11 GMT

Here's the SHA1 fingerprint:

c5 09 11 32 e9 ad f8 ad 3e 33 93 2a e6 0a 5c 8f a9 39 e8 24

Re: After configuring OpenDNS, cannot access https sites

jprokos — Fri, 27 Oct 2017 16:45:17 GMT

Thank you. Is this posted on the site somewhere or is it from your copy of the CA?

Can you explain what all of these warning messages mean? Am I giving Cisco access to all the data I send while browsing?

There is another setting in iOS under Settings>General>Certificate Trust Settings: Enable Full Trust For Root Certificates

The Cisco Umbrella Root CA is listed here with a slider to enable or not. Should we enable?

Re: After configuring OpenDNS, cannot access https sites

rotblitz — Mon, 06 Nov 2017 20:03:36 GMT

"Is this posted on the site somewhere or is it from your copy of the CA?"

This is from the certificate itself.

"Can you explain what all of these warning messages mean?"

You may want to raise a support ticket with OpenDNS if you are concerned. We other users can hardly help you further. We are generally in the same situation like you as user.

Re: After configuring OpenDNS, cannot access https sites

Terabyte — Fri, 17 Nov 2017 22:56:56 GMT

So wait, let me get this straight, to access https sites, I'm going to have to install this cert on any system that uses my network? So when a guest comes to my house I have to hit them at the door with: Dude, you have to do this to use my WiFi? Come on, how's that even remotely logical??? I cannot imagine why anyone would even consider using this service if you have to do that.

Re: After configuring OpenDNS, cannot access https sites

rotblitz — Sat, 18 Nov 2017 14:50:04 GMT

"to access https sites, I'm going to have to install this cert on any system that uses my network?"

No, in no way! This browser certificate warning only appears if you attempt to visit a HTTPS site where you have the domain blocked with your OpenDNS dashboard settings anyway. You simply can also accept or ignore this browser warning instead of installing the CA cert. It's up to you. The warning does never come up if you visit a HTTPS site normally where you did not block related domains.

It seems you didn't read the KB article https://support.opendns.com/hc/en-us/articles/227987007 at all.

Re: After configuring OpenDNS, cannot access https sites

Terabyte — Sat, 18 Nov 2017 14:55:32 GMT

So you're telling us that Cisco cannot afford to buy a real cert to do this? For businesses using this how does that not cause TONS of confusion on networks such as guest access WiFi?

Re: After configuring OpenDNS, cannot access https sites

rotblitz — Sat, 18 Nov 2017 16:12:09 GMT

I see, you still did not read that KB article, else you would have seen that you can download the real cert bought by Cisco from there. Also, why are you concerned? These domains which you access with HTTPS are blocked anyway by your settings, independent of if you get an OpenDNS block page or a browser warning. You have achieved what you are looking for, that the domain is being blocked and you cannot access it. That was the goal and purpose.

Re: After configuring OpenDNS, cannot access https sites

Terabyte — Sat, 18 Nov 2017 16:21:40 GMT

Actually Rotblitz, I did. This is NOT a real cert. A real cert would be issued by a root cert provider such that users don't have to install them manually. Imagine having to download a cert for every HTTPS site, say your bank, Amazon, Google, etc..??? Users would NEVER do that. There's a reason why legit sites use real certs that don't require manual interaction.

What you don't get is users get confused, frustrated, and contact who's ever in charge of the network about errors like this. In a large business where certs can be deployed to users by group policy that's simple, but for a small business with a guest WiFi network, those guests are going to get errors and are going to pester the employees about the issues. Why can't they buy a legit cert from a legit provider like Verisign or if they're too cheap, just get one from one of the super inexpensive SSL providers like RapidSSL or GoDaddy?

Re: After configuring OpenDNS, cannot access https sites

rotblitz — Sat, 18 Nov 2017 17:26:48 GMT

Ok, you might have read it, but you clearly didn't understand it.

"This is NOT a real cert."

The cert is issued by a CA root cert provider. Cisco is such a certified provider, since ions. Didn't know?

"Imagine having to download a cert for every HTTPS site"

Agreed, a nightmare! Good that this is not needed at all. Why do you think you have to download certs for every HTTPS site? Not at all! Why would you download a cert for a HTTPS site you don't want to have visited and therefore have its domain blocked at the dashboard? No need! It would be nonsense to do so. The domain is being blocked anyway.

"guests are going to get errors and are going to pester the employees about the issues."

LOL, very unlikely. If you were a guest and attempted to visit youporn.com, would you complain with your host or the employees that you couldn't access youporn.com, because you got a browser warning "Your connection is not private"? Hardly! Else you are extremely courageous. (Well, after what you said, I could really imagine that you did it this way, not being aware of the reputation loss.)

"Why can't they buy a legit cert from a legit provider like Verisign"

I see, you didn't get that this cert is legit, and they are a provider like Verisign, and that this symptom would be for any certificate, no matter which one, also from Verisign. I give up. You don't want to understand. It is your right in a free world to not understand. Be it!

Re: After configuring OpenDNS, cannot access https sites

Terabyte — Sat, 18 Nov 2017 17:33:53 GMT

If it were a real root cert there would be NO need to download and install it. That's how root certs work. When you want to have a conversation about SSL certs, chaining, and non-root certs let me know, I'll be happy to explain them. Until then, this is a jury rigged solution. Also, when you spend 16 hours a day providing IT support let me know and we'll talk about what errors users bring to the powers-that-be. Until then, have a nice day.

Re: After configuring OpenDNS, cannot access https sites

rotblitz — Sat, 18 Nov 2017 17:59:34 GMT

No, I only spend 8 hours per day with ICT, since 35 years. Probably not enough...

As I said, it is your right to not understand. I accept and tolerate this.

"If it were a real root cert there would be NO need to download and install it."

Fully correct, you say it. There is no need to download and install it. And it is a real root cert, but not published in the bundle of root certs by Microsoft, Apple, Google, etc. It wouldn't make sense to publish it this way, with "only" 2% of the internet users using Cisco/OpenDNS services. This "small" amount wouldn't justify to propagate it to every device in the world.

Re: After configuring OpenDNS, cannot access https sites

Terabyte — Sat, 18 Nov 2017 22:44:09 GMT

Then with what you're saying I can create a root cert and just let everyone have access to my certificate authority server and call it a root certificate. That's beyond illogical. If Cisco can't get their root cert distributed by at least one of the major OS vendors then it's not a real root cert, it's an internal cert being distributed to anyone who wants it. There's a very real difference. In point of fact, since there's no way to verify the legitimacy of the cert since it's not coming from a trusted root authority that's a potential security risk.

Re: After configuring OpenDNS, cannot access https sites

rotblitz — Mon, 20 Nov 2017 11:22:45 GMT

What about raising your concerns with Cisco/OpenDNS instead of discussing it to death with other users like me? This is fruitless. Nobody here can speak for Cisco/OpenDNS.

Your initial question was: "to access https sites, I'm going to have to install this cert on any system that uses my network?". This has been answered. Again, the summary of the answers is: No, you don't have to install this cert, especially not to access HTTPS sites. You cannot access these HTTPS sites anyway, because you have them blocked via your dashboard settings, so that they cannot be accessed, exactly as you intended. You have achieved what you wanted. Non-blocked HTTPS sites can always be accessed as usual, without ever using this cert.

Your other later concerns are pretty out of scope and unrelated to the topic, to my opinion.

Re: After configuring OpenDNS, cannot access https sites

Terabyte — Mon, 20 Nov 2017 15:56:36 GMT

I simply replied to your assertions. If you don't want a reply, don't post one.

Re: After configuring OpenDNS, cannot access https sites

Anonymous — Tue, 18 Feb 2020 20:30:23 GMT

I am @tubaornottuba on this one -- The Cisco Umbrella Root CA is not trusted by Windows. Per the referenced OpenDNS KB, yes, we could publish the Root CA via GPO to all Windows machines, but that would not resolve the issue with Macs, Linux/Unix, and non-employee machines, such as guests/vendors.

Cisco should work with the OS vendors to ensure that their Root CA gets automatically trusted. With that said, I have not yet looked into why they haven't done that since this thread (late 2017).

Re: After configuring OpenDNS, cannot access https sites

rotblitz — Tue, 18 Feb 2020 20:35:06 GMT

If you implemented the cert on a Mac or Linux machine, it will help too, not on Windows machines alone.