NET::ERR_CERT_AUTHORITY_INVALID, but only for YouTube...

johnny_canuck · ‎09-16-2018

Running an Acer 14-inch Chromebook (hereafter, CB), which is currently at 68.0.344.118 (64-bit) - stable channel. CB picking up DNS from my router, which is set to use OpenDNS addresses. On said CB, I can access most sites without error, but when I try to access YouTube, system throws the always popular

NET::ERR_CERT_AUTHORITY_INVALID

Tried all the usual tricks CB users know about (confirming clock is correct, trying as guest, flushed DNS, etc, etc). Makes no difference. Heck, I even went into

chrome://net-internals/#hsts

and blew away the certs for HSTS (which is what YouTube uses). Nada. Everything short of a PowerWash, which I suppose is the Draconian 'last chance step'.

What puzzles me is that 100% of the other devices in my domicile connect to YouTube just fine -- tablets, PS4, Windows laptops, Windows desktops, etc, all from the same router configured to use OpenDNS, - just not my Chromebook.

Now, the kcker, if I fire up the Chromebook, and manually override the DNS being picked up from the router, and get it to use Google (or any other DNS for that matter), YouTube works as it should. The problem seems to be entirely with using OpenDNS on the CB.

Suggestions? I personally am not too fussed, except that (i) my better half and kid use the Chromebook to watch YouTube vidss with some frequency, (ii) for a lot of reasons, I prefer to use OpenDNS for all my devices, and (iii) since I'm the 'tech guy', the fact that they can't is entirely 'my fault' (clearly). And, as the tech guy, I refuse to 'be beaten', if you know what I mean.

Suggestions/pointers to the obvious appreciated.

rotblitz · ‎09-17-2018

Does this help? https://support.opendns.com/hc/en-us/articles/227988787

johnny_canuck · ‎09-17-2018

No, since it doesn't apply to Chromebnooks (that I can see). I tried various 'competing' DNS (Level 3, Cloudflare, even good old Google), and they all worked *perfectly* with YouTube. The only one causing the problem is OpenDNS.

rotblitz · ‎09-17-2018

If OpenDNS causes problems, then you have most likely certain domains or categories of domains blocked with your dashboard settings. The other mentioned DNS services cannot be customized this way. Visit https://dashboard.opendns.com/stats/all/blockeddomains to see what related domains are being blocked to unblock or whitelist them.

johnny_canuck · ‎09-17-2018

OK, except that I've never used the 'Dashboard' -- I simply use the DNS addresses for the 'family protection' plan, which is hard-coded at the OpenDNS side of things -- not on my end. And, YoutUbe *used* to work fine, but doesn't at present using OpenDNS -- with absolutely no involvement on my end whatsoever. So, back to OepnDNS.

rotblitz · ‎09-17-2018

"I've never used the 'Dashboard'"

This may well be the problem. You may have inherited the IP address of another OpenDNS user who did not keep his IP address information updated at OpenDNS. So now you're using this user's dashboard settings. The FamilyShield addresses do not prevent this from happening.

The output of the following diagnostic command can reveal these facts:

nslookup -type=txt debug.opendns.com. 208.67.220.123

If the fields "originid", "actype" and "bundle" are not zero, then you're using another user's dashboard settings. Your best bet is to obtain another IP address from your ISP. Or raise a support ticket with mentioning your current IP address, link "Submit a request" above. Staff will release the IP address from its current registration then.

"So, back to OepnDNS."

Not sure what you're saying here. It didn't come from OpenDNS, so cannot go back. I'm just an OpenDNS user like you.

johnny_canuck · ‎09-17-2018

Well, if the ip has migrated from another OpenDNS user, then (i) why is it that this only affects my Chromebook (and, as it turns out, PS4), and not any other laptop or networked device that are all pulling from the same router, and (ii) the problem doesn't go away if I reset the line (manually, by rebooting the DSL model that bridges to the router, or by getting one of my cronies at Verizon to do a line re-set from 'their end'), said process giving me a new ip, which shoul mitigate the chance that I'm using another user's 'Dashboard settings'.

Frankly, I find the fact that I could 'inherit' something from another user without some sort of authentication a bit frightening at several levels.

rotblitz · ‎09-18-2018

I'm afraid I as user ran out of ideas. Please raise a support ticket, link "Submit a request" above.

If staff find a solution for you, it would be great if you posted it here.