Your Connection is Untrusted/Not Private - *.opendns.com or *.cisco.com Certificate Error that cannot be bypassed
GOOD NEWS! A solution for this problem that is easier to manage and persistent for all sites is now available!
The information below is still accurate, but the underlying problem can now be worked around permanently. We encourage you to try installing the Cisco Root CA by following this article:
This article is a guide for when a certificate error for *.opendns.com or *.cisco.com appears but cannot be bypassed by adding a certificate exception as outlined in this article: https://support.opendns.com/entries/42398824. In that case, follow the steps below to clear the certificate error.
When you're unable to bypass the certificate error by adding an exception, it is because the site you requested is covered by HTTP Strict Transport Security (HSTS), either learned from an earlier visit or pre-loaded into the browser, or by pre-loaded certificate pinning. In essence, communication between certain browsers and certain websites is done in a way that 'bakes in' the requirement to use HTTPS with a valid certificate, and no bypass or exception is possible. This matters for OpenDNS because a blocked domain resolves to the block page server, which answers the HTTPS request with a certificate issued for *.opendns.com or *.cisco.com rather than for the domain you typed; on an ordinary site the browser lets you click through that name mismatch, but on an HSTS site the browser treats any certificate error as fatal, so neither the block page nor the Block Page Bypass login can be displayed. Note that the HSTS policy also covers every subdomain of the protected site when the site asks for that (includeSubDomains), which is why the error can appear for hosts you have never visited. For more information about HSTS, please refer to this article.
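To make the "no bypass is possible" rule concrete, here is an added Python model of the HSTS store a browser keeps, written for this article and not taken from OpenDNS or any browser's code. It parses the Strict-Transport-Security header as defined in RFC 6797, records a policy per host, applies the includeSubDomains and expiry rules when a host is looked up, and reports whether the modelled browser would offer a click-through for a certificate error on that host. The pre-loaded entry and the header values are constructed sample data for the demonstration (example.com is used in place of a real pre-loaded site); the decision that a certificate error on a known HSTS host is fatal follows RFC 6797 section 8.4, and the choice to keep pre-loaded entries static even when a header says max-age=0 mirrors how shipped preload lists behave.

```python
"""Model of a browser's HSTS store, used to show why a certificate error
(such as the *.opendns.com name mismatch on a block page) cannot be
bypassed once the requested host is covered by an HSTS policy."""
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires_at: float          # absolute epoch seconds; inf for pre-loaded hosts
    include_subdomains: bool   # set when the policy carried includeSubDomains
    preloaded: bool = False    # shipped with the browser, not learned from a header


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid and must be ignored: no max-age, a non-numeric max-age, or a
    directive that appears twice."""
    max_age = None
    include_sub = False
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # values may be quoted-string
        if name in seen:                     # duplicate directive -> whole header invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # unrecognised directives are ignored, per the RFC
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, preload=()):
        # preload: iterable of (host, include_subdomains), modelling the shipped list
        self.entries = {}
        for host, inc in preload:
            self.entries[host.lower()] = HstsEntry(float("inf"), inc, preloaded=True)

    def process_response(self, host, header_value, now=None):
        """Record a policy. Only call this for an HTTPS response that arrived with
        a valid certificate (RFC 6797, section 8.1): a header seen over a broken
        connection is never trusted, so a block page cannot set or clear HSTS."""
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return
        max_age, inc = parsed
        now = time.time() if now is None else now
        host = host.lower()
        if max_age == 0:
            existing = self.entries.get(host)
            if existing and not existing.preloaded:   # pre-loaded entries stay
                del self.entries[host]
            return
        self.entries[host] = HstsEntry(now + max_age, inc)

    def is_known_host(self, host, now=None):
        """RFC 6797, sections 8.2 and 8.3: the host matches if it has its own
        unexpired entry, or any superdomain has an unexpired entry that carries
        includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def certificate_error_is_bypassable(store, host, now=None):
    """Modelled browser rule (RFC 6797, section 8.4): on an HSTS known host every
    certificate error is fatal and no exception dialog is offered."""
    return not store.is_known_host(host, now)


if __name__ == "__main__":
    # Constructed sample data: example.com stands in for a pre-loaded site.
    store = HstsStore(preload=[("example.com", True)])
    store.process_response("example.net", "max-age=100", now=1000)
    for host in ("www.example.com", "example.net", "sub.example.net", "example.org"):
        print(f"{host:20s} bypassable: {certificate_error_is_bypassable(store, host, now=1050)}")
```

The lookup walks from the full hostname up through its parent domains, so a block page answering for any name under a pre-loaded includeSubDomains domain is caught even if that exact hostname was never visited. The store deliberately refuses to learn from responses that failed validation; that is why no header the block page could send will ever relax the policy.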
So, if you're seeing a certificate error in Google Chrome or Mozilla Firefox or Safari that cannot be bypassed and you are trying to access the bypass login, this article is for you!
There are a few ways to resolve these sorts of issues. First, we'll discuss how to use more granular policies to work around this issue. Second, there are a couple of browser tweaks that can be made, but these apply only to a subset of the browsers affected by this issue.
Policy Management and the Roaming Client (Requires Umbrella Subscription)
Proper policy management is the best solution to this problem because the browser never receives a failed certificate validation in the first place. If some of your users should be permitted to access sites that they would normally need to use Block Page Bypass to reach, you should instead configure a separate policy for these users and add the domains they should be allowed to use to the Allow List. Since the users' requests are never blocked, the browser never reaches the block page and never sees a certificate with a mismatched name. One way to deliver these sorts of specific policies is with the Umbrella Roaming Client.
In essence, you are putting certain domains in an allow list for certain users at all times of the day in order to workaround these errors.
There can be aspects of your network configuration or acceptable use (HR) policy that prevent this solution. Policy Management is not an effective solution if users are allowed to visit these domains only at given times, such as their lunch break. OpenDNS is unable to provide time-based policy application with our service, so simply allowing a user to access a site all the time could be problematic. On a shared computer, such as a public terminal, the Roaming Client can't differentiate between different users and cannot easily allow the right domains for the right people.
Policy Management is not as effective when considering non-granular identities, such as Sites or Networks, unless the administrator is comfortable giving all users of that network the same access. Policy Management works best when applied to a subset of users that should be allowed to access sites while the rest of the network cannot, singling out those users by installing the Roaming Client on their machines and applying the proper policy hierarchy.
Ignoring Certificate Exception errors (Chrome for Windows only)
Only Chrome for Windows can be configured to ignore certificate errors, which mitigates this problem. The browser is told to ignore the error and the normal OpenDNS block page is shown instead. Bear in mind that a browser configured this way ignores certificate validation failures for every site it visits, not only the block page, so limit this change to the machines that need it and prefer the policy-based approach above where possible.
This configuration change must be made on a per-computer basis, which makes it difficult for large-scale environments, but it does work. Please read how to configure Chrome (Windows only) here
Firefox, Safari and Chrome for Mac OS X
Firefox, Safari and Chrome for Mac OS X cannot be configured to ignore certificate errors for pinned domains, and will always honor the HSTS list. There is no known workaround for these errors, although if you are aware of a workaround you are welcome to use it (and please let us know if it works for you!)
At the time of writing, Internet Explorer does not implement HSTS restrictions. As a result, IE does not need to be configured and will not display this error. This is subject to change in future versions of IE should Microsoft choose to implement HSTS in the browser.