The DNS provider Quad9 will change the certificates used by its "DNS over HTTPS" service; the new certificates chain up to a different DigiCert root CA than the one used before.
For most systems and devices this will not be a problem, with the exception of systems running Mikrotik RouterOS.
Because Mikrotik RouterOS does not ship with a root certificate store like the one you know from Windows, macOS or Linux, the new CA certificate and its CRL have to be imported manually.
This is only needed if you are using the DNS over HTTPS feature configured like this:
Or the same configuration as seen from the command line:
/ip dns
set use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes
The switch to the new certificate will start at approximately July 29th, 2024, at 07:00 UTC.
The new certificate (the issuing DigiCert CA, not the Quad9 server certificate itself) is imported with the following commands in the Mikrotik RouterOS CLI:
/tool/fetch mode=https url="https://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem"
/certificate/import file-name=DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem
One thing that is not described in the documentation from Quad9 is that you also have to add the CRL location to Mikrotik RouterOS manually.
The CRL location is the one named in the CA certificate's CRL distribution point and is added with this command:
/certificate/crl/add url="http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl"
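The whole procedure as one RouterOS v7 script, with a check after each step, as an added example (this is not from the original post or from Quad9's documentation). Assumptions: RouterOS v7 path syntax; the dst-path file name, the `/certificate/settings` line that turns CRL download and validation on, the plain bootstrap resolvers 9.9.9.9 and 149.112.112.112 (needed so the router can resolve dns.quad9.net before DoH is up) and the test lookup are my choices.

```routeros
# Added example, not the blog post's or Quad9's own script.
# Assumes RouterOS v7 command paths.

# 1. Fetch the issuing CA certificate from DigiCert.
#    There is no trust store yet, so this download itself cannot be TLS-verified:
#    compare the fingerprint printed in step 4 with the one DigiCert publishes.
#    (dst-path is an assumption; it just names the file on the router.)
/tool/fetch mode=https url="https://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem" dst-path="DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem"

# 2. Import it. passphrase="" avoids the interactive prompt when run from a script.
/certificate/import file-name="DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem" passphrase=""

# 3. Register the CRL distribution point and (assumption) make RouterOS
#    download and use CRLs at all; the defaults are off.
/certificate/crl/add url="http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl"
/certificate/settings/set crl-download=yes crl-use=yes

# 4. Check: the CA is in the store (note its fingerprint) and the CRL entry exists.
/certificate/print detail where name~"DigiCert"
/certificate/crl/print

# 5. Point the resolver at Quad9 over DoH with certificate verification on.
#    servers= are plain bootstrap resolvers (assumption), only used to look up
#    dns.quad9.net itself.
/ip/dns/set servers=9.9.9.9,149.112.112.112 use-doh-server="https://dns.quad9.net/dns-query" verify-doh-cert=yes

# 6. Check: a lookup succeeds and the dns log topic shows no DoH certificate errors.
:put [:resolve "www.quad9.net"]
/log/print where topics~"dns"
```

Run the steps in this order: if step 5 is applied before steps 1 to 4 have finished, every lookup fails until the CA and CRL are in place, which is exactly the failure mode described in this post.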
Enabling "Verify DoH Certificate" in the DNS settings without adding the CRL results in DNS not working at all, with error messages like the following in the log of your RouterOS device:
This is the Quad9 documentation page that describes the settings for DNS over HTTPS on Mikrotik RouterOS:
https://docs.quad9.net/Setup_Guides/Open-Source_Routers/MikroTik_RouterOS_%28Encrypted%29