Overview: *.opendns.com or *.cisco.com certificate errors: adding an exception to the browser.
GOOD NEWS! A solution for this problem that is easier to manage and persistent for all sites is now available!
The information below is still applicable, but the problem can now be worked around with a permanent solution. We encourage you to try installing the Cisco Root CA by following this article:
https://support.opendns.com/entries/98279288
Why does this occur?
This error occurs when the browser requests an HTTPS site (like internetbadguys.com, facebook.com, twitter.com) and expects a certificate for that site, but the request is redirected to the OpenDNS block page, whose certificate is not signed for the requested site. Effectively, the block page's certificate is presented instead of the certificate that the browser (correctly) expects, and the browser warns you that there may be a problem with the connection. In fact, there is an issue: OpenDNS is intercepting the request and blocking it, as per the policies you've configured. This is fully expected given the way in which browser security is designed. The warnings and browser behavior vary slightly between Chrome, Safari, and Firefox, but the root cause is the same in all cases.
When using Block Page Bypass, the scenario changes slightly. Block Page Bypass is essentially an HTTP proxy, and when you request items over HTTPS, we present you an OpenDNS certificate from our block page since we're not able to impersonate other certificates or identities. Once you bypass an HTTPS site, your traffic is then going through the OpenDNS proxy server. This proxy server is using a certificate registered to "*.opendns.com" which is not valid for the domain requested.
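The name mismatch described above can be told apart from any other certificate mismatch before an exception is added. The following Python code is an added example, not OpenDNS code; the function names and the sample certificate names are constructed for illustration, and it compares names only, assuming the certificate chain is validated separately.

```python
# Added example, not OpenDNS code. It inspects certificate names only and
# assumes the browser/TLS library validates the chain separately.

BLOCK_PAGE_NAMES = ("*.opendns.com", "*.cisco.com")  # names from this article


def name_matches(pattern, hostname):
    """RFC 6125-style match; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # require at least two fixed labels, so "*.com" matches nothing
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def classify(requested_host, san_dns_names):
    """Return 'ok', 'opendns-block-page' or 'unexpected-mismatch'."""
    names = [n.lower() for n in san_dns_names]
    if any(name_matches(n, requested_host) for n in names):
        return "ok"
    if any(n in BLOCK_PAGE_NAMES for n in names):
        return "opendns-block-page"   # the mismatch this article describes
    return "unexpected-mismatch"      # not explained by OpenDNS blocking


# Constructed sample data: (requested host, DNS names in the presented cert).
SAMPLES = [
    ("www.facebook.com", ["*.facebook.com", "facebook.com"]),
    ("internetbadguys.com", ["*.opendns.com", "opendns.com"]),
    ("twitter.com", ["*.example.net"]),
]

if __name__ == "__main__":
    for host, sans in SAMPLES:
        print(f"{host:22} {classify(host, sans)}")
```

Only the "opendns-block-page" result corresponds to the expected block page behavior; any other mismatch is a different certificate problem.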
The error can be confusing to users and you may wish to stop it from appearing. These messages are all written to sound dangerous and menacing; however, in the case of OpenDNS exceptions, this is expected because of the redirection method our blocking service uses. It is completely safe to add *.opendns.com security exceptions!
The errors can be avoided in some or all cases. To remove this error, you will need to add an exception. Instructions are presented below for the three major browsers that have certificate errors.
HSTS: A Special Case for Certificate Errors.
There is a special case that isn't covered by the instructions below. If your error does not include the ability to add an exception, this means that the error is a certificate pinning error that is most likely due to an active login session at the website, and that Chrome, Safari, or Firefox has detected this as a "session hijack". The solution is to clear your browser's cache (instructions at http://www.opendns.com/support/article/68) and refresh the page to return to the certificate error that can be added as an exception and hidden. For more information on the special non-bypassable certificate pinning error and how to bypass it, please see our KB article at https://support.opendns.com/entries/42404534
Safari - Adding an Exception
Click 'Show Certificate' to reveal the full details:
If the certificate looks good to you, check the 'Always trust <name> when connecting to <server name>' box and click 'Continue'. You will be asked to provide your password to authorize the addition of this certificate to your keychain.
Firefox - Adding an Exception
The Firefox certificate error looks like the message below. The following three steps explain how to add the exception.
First, click "I Understand the Risks".
Then, choose "Add Exception".
Check the box for "Permanently store this exception" and then click "Confirm Security Exception".
If your error does not include the ability to add an exception, this means that the error is a certificate pinning error that is most likely due to an active login session at the website, and that Firefox has detected this as a session hijack. The solution is to clear your browser's cache (instructions at http://www.opendns.com/support/article/68) and refresh the page to return to the certificate error that can be added as an exception and hidden. For more information on the special non-bypassable certificate pinning error and how to bypass it, please see our KB article at https://support.opendns.com/entries/42404534
Chrome - Adding an Exception
Chrome has only one button, "Proceed anyway". This adds the security exception for the duration of the browser session. Unfortunately, the error may return later, so please be aware that Chrome does not store the exception permanently as Firefox does.
If your error includes the words "Cannot connect to the real..." and does not include the ability to add an exception (no "Proceed Anyway" button), this means that you have an active login session at the website, and that Chrome has detected this as a session hijack. The solution is to clear your browser's cache (instructions at http://www.opendns.com/support/article/68) and refresh the page to return to the certificate error that can be added as an exception and hidden. For more information on the special non-bypassable certificate pinning error and how to bypass it, please see our KB article at https://support.opendns.com/entries/42404534
Internet Explorer - Adding an Exception
For Internet Explorer, if you see a security certificate prompt, choose "Continue to this website" to bypass the prompt. Like Chrome, it will store the exception for your current session.
To permanently hide all certificate errors, see the steps here at this third-party resource. Note that doing so may make it difficult to spot legitimate certificate errors that are not due to blocked domains.