After configuring OpenDNS, cannot access https sites

Comments

22 comments

  • ggidd

    I resolved this by installing the Cisco_Umbrella_Root_CA certificate.

    0
  • rotblitz

    Well done!  Here is the related KB article.

    0
  • jprokos

    Yes, where exactly is the SHA-256 fingerprint for the Cisco Umbrella Root CA? This certificate shows as "Not Verified" on my iOS device.

    Apple's website has a different fingerprint and serial number than the one shown in the "Cisco Umbrella Root CA" certificate.

    Without a published fingerprint it is hard to trust.

    0
  • rotblitz

    Here's the SHA1 fingerprint:

    c5 09 11 32 e9 ad f8 ad 3e 33 93 2a e6 0a 5c 8f a9 39 e8 24

    0
  • jprokos (Edited)

    Thank you. Is this posted on the site somewhere or is it from your copy of the CA?

    Can you explain what all of these warning messages mean? Am I giving Cisco access to all the data I send while browsing?

    There is another setting in iOS under Settings>General>Certificate Trust Settings: Enable Full Trust For Root Certificates

    The Cisco Umbrella Root CA is listed here with a slider to enable or not. Should we enable?


    0
  • rotblitz

    "Is this posted on the site somewhere or is it from your copy of the CA?"

    This is from the certificate itself.

    "Can you explain what all of these warning messages mean?"

    You may want to raise a support ticket with OpenDNS if you are concerned.  We other users can hardly help you further.  We are generally in the same situation as you, as users.

    0
  • tubaornottuba

    So wait, let me get this straight, to access https sites, I'm going to have to install this cert on any system that uses my network?  So when a guest comes to my house I have to hit them at the door with: Dude, you have to do this to use my WiFi?  Come on, how's that even remotely logical???  I cannot imagine why anyone would even consider using this service if you have to do that.

    1
  • rotblitz

    "to access https sites, I'm going to have to install this cert on any system that uses my network?"

    No, in no way!  This browser certificate warning only appears if you attempt to visit an HTTPS site where you have the domain blocked with your OpenDNS dashboard settings anyway.  You can also simply accept or ignore this browser warning instead of installing the CA cert.  It's up to you.  The warning never comes up if you visit an HTTPS site normally where you did not block related domains.

    It seems you didn't read the KB article https://support.opendns.com/hc/en-us/articles/227987007 at all.

    -2
  • tubaornottuba

    So you're telling us that Cisco cannot afford to buy a real cert to do this?  For businesses using this, how does that not cause TONS of confusion on networks such as guest-access WiFi?

    1
  • rotblitz

    I see, you still did not read that KB article, else you would have seen that you can download the real cert bought by Cisco from there.  Also, why are you concerned?  These domains which you access with HTTPS are blocked anyway by your settings, independent of whether you get an OpenDNS block page or a browser warning.  You have achieved what you are looking for, that the domain is being blocked and you cannot access it.  That was the goal and purpose.

    -2
  • tubaornottuba

    Actually Rotblitz, I did.  This is NOT a real cert.  A real cert would be issued by a root cert provider such that users don't have to install them manually. Imagine having to download a cert for every HTTPS site, say your bank, Amazon, Google, etc.?  Users would NEVER do that.  There's a reason why legit sites use real certs that don't require manual interaction.

    What you don't get is users get confused, frustrated, and contact whoever is in charge of the network about errors like this.  In a large business where certs can be deployed to users by group policy that's simple, but for a small business with a guest WiFi network, those guests are going to get errors and are going to pester the employees about the issues.  Why can't they buy a legit cert from a legit provider like Verisign or if they're too cheap, just get one from one of the super inexpensive SSL providers like RapidSSL or GoDaddy?

    0
  • rotblitz (Edited)

    Ok, you might have read it, but you clearly didn't understand it.

    "This is NOT a real cert."

    The cert is issued by a CA root cert provider.  Cisco is such a certified provider, since eons.  Didn't know?

    "Imagine having to download a cert for every HTTPS site"

    Agreed, a nightmare!  Good that this is not needed at all.  Why do you think you have to download certs for every HTTPS site?  Not at all!  Why would you download a cert for a HTTPS site you don't want to have visited and therefore have its domain blocked at the dashboard?  No need!  It would be nonsense to do so.  The domain is being blocked anyway.

    "guests are going to get errors and are going to pester the employees about the issues."

    LOL, very unlikely.  If you were a guest and attempted to visit youporn.com, would you complain to your host or the employees that you couldn't access youporn.com, because you got a browser warning "Your connection is not private"?  Hardly!  Else you are extremely courageous.  (Well, after what you said, I could really imagine that you did it this way, not being aware of the reputation loss.)

    "Why can't they buy a legit cert from a legit provider like Verisign"

    I see, you didn't get that this cert is legit, and they are a provider like Verisign, and that this symptom would be for any certificate, no matter which one, also from Verisign.  I give up.  You don't want to understand.  It is your right in a free world to not understand.  Be it!

    -2
  • tubaornottuba

    If it were a real root cert there would be NO need to download and install it.  That's how root certs work.  When you want to have a conversation about SSL certs, chaining, and non-root certs let me know, I'll be happy to explain them.  Until then, this is a jury-rigged solution.  Also, when you spend 16 hours a day providing IT support let me know and we'll talk about what errors users bring to the powers-that-be.  Until then, have a nice day.

    0
  • rotblitz (Edited)

    No, I only spend 8 hours per day with ICT, and have for 35 years.  Probably not enough...

    As I said, it is your right to not understand.  I accept and tolerate this.

    "If it were a real root cert there would be NO need to download and install it."

    Fully correct, you say it.  There is no need to download and install it.  And it is a real root cert, but not published in the bundle of root certs by Microsoft, Apple, Google, etc.  It wouldn't make sense to publish it this way, with "only" 2% of the internet users using Cisco/OpenDNS services.  This "small" amount wouldn't justify propagating it to every device in the world.

    0
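An added example, not code from this thread or from Cisco/OpenDNS, that puts the two points above into runnable form: the fingerprint jprokos asked for is nothing more than a hash of the certificate's DER bytes (SHA-1 is what rotblitz quotes; SHA-256 is computed the same way and can be compared against a value you paste in), and a self-signed root that is not in a device's trust bundle fails verification for everything it signs until it is imported, which is exactly the "Your connection is not private" warning on a blocked domain. The Go program builds a throwaway root CA and a leaf it issues for a hypothetical blocked host; the CA name "Example Root CA (constructed)", the host blocked.example and all keys are constructed here and have nothing to do with the real Cisco Umbrella Root CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint hashes the certificate's DER bytes, which is what OS cert viewers show.
func Fingerprint(der []byte, algo string) string {
	sum := sha256.Sum256(der)
	digest := sum[:]
	if algo == "sha1" { // the form quoted in the thread
		s := sha1.Sum(der)
		digest = s[:]
	}
	parts := make([]string, len(digest))
	for i, b := range digest {
		parts[i] = fmt.Sprintf("%02x", b)
	}
	return strings.Join(parts, ":")
}

// MatchesFingerprint compares against a pasted value, ignoring case and ":"/" " separators.
func MatchesFingerprint(der []byte, algo, expected string) bool {
	strip := strings.NewReplacer(":", "", " ", "")
	return strip.Replace(Fingerprint(der, algo)) == strip.Replace(strings.ToLower(expected))
}

func IsSelfSignedCA(cert *x509.Certificate) bool {
	return cert.IsCA && cert.CheckSignatureFrom(cert) == nil // a root signs itself
}

// VerifyChain returns nil when leaf chains to roots for dnsName, i.e. no browser warning.
func VerifyChain(leaf *x509.Certificate, dnsName string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots})
	return err
}

// issue generates a fresh P-256 key and signs tmpl with signer (self-signed when signer is nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return der, cert, key, err
}

// NewTestPKI builds a constructed root (not Cisco's) and a leaf it issues for blockedHost.
func NewTestPKI(blockedHost string) ([]byte, *x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	rootDER, root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	_, leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: blockedHost}, DNSNames: []string{blockedHost},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return rootDER, root, leaf, err
}

func main() {
	rootDER, root, leaf, err := NewTestPKI("blocked.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("root SHA-1  :", Fingerprint(rootDER, "sha1"))
	fmt.Println("root SHA-256:", Fingerprint(rootDER, "sha256"))
	fmt.Println("leaf, root not imported:", VerifyChain(leaf, "blocked.example", x509.NewCertPool()))
	imported := x509.NewCertPool() // stands in for a device that imported the root
	imported.AddCert(root)
	fmt.Println("leaf, root imported:", VerifyChain(leaf, "blocked.example", imported))
}
```

To check a real downloaded certificate instead of the constructed one, read its DER bytes (decode the PEM block first if it is in PEM form) and pass them to `MatchesFingerprint` with the fingerprint the vendor publishes; the empty pool in `main` models a device that has never imported the root, and replacing it with `x509.SystemCertPool()` shows whether the root is already in the host's bundle.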
  • tubaornottuba

    Then with what you're saying I can create a root cert and just let everyone have access to my certificate authority server and call it a root certificate.  That's beyond illogical.  If Cisco can't get their root cert distributed by at least one of the major OS vendors then it's not a real root cert, it's an internal cert being distributed to anyone who wants it.  There's a very real difference.  In point of fact, since there's no way to verify the legitimacy of the cert since it's not coming from a trusted root authority that's a potential security risk.

    0
  • rotblitz (Edited)

    What about raising your concerns with Cisco/OpenDNS instead of discussing it to death with other users like me?  This is fruitless.  Nobody here can speak for Cisco/OpenDNS.

    Your initial question was: "to access https sites, I'm going to have to install this cert on any system that uses my network?".  This has been answered.  Again, the summary of the answers is: No, you don't have to install this cert, especially not to access HTTPS sites.  You cannot access these HTTPS sites anyway, because you have them blocked via your dashboard settings, so that they cannot be accessed, exactly as you intended.  You have achieved what you wanted.  Non-blocked HTTPS sites can always be accessed as usual, without ever using this cert.

    Your other later concerns are pretty out of scope and unrelated to the topic, in my opinion.

    -1
  • tubaornottuba

    I simply replied to your assertions.  If you don't want a reply, don't post one.

    0
  • Permanently deleted user

    I am with @tubaornottuba on this one -- The Cisco Umbrella Root CA is not trusted by Windows. Per the referenced OpenDNS KB, yes, we could publish the Root CA via GPO to all Windows machines, but that would not resolve the issue with Macs, Linux/Unix, and non-employee machines, such as guests/vendors.

    Cisco should work with the OS vendors to ensure that their Root CA gets automatically trusted. With that said, I have not yet looked into why they haven't done that since this thread (late 2017).

    0
  • rotblitz

    If you implemented the cert on a Mac or Linux machine, it will help too, not on Windows machines alone.

    0
  • Permanently deleted user

    rotblitz That would be correct, but it's an additional step an enterprise would have to implement through device management tools. It also would present a problem for guests/vendors coming to visit our sites. I see your point about the sites being blocked anyway, but the unfriendly "site is not trusted" warning before they see the Umbrella page is not very user-friendly, nor does it make the host company (us) look professional.

    Ideally, when a user visits a blocked site (such as media.netflix.com -- not a porn site), they would be sent straight to our company's Umbrella page where they get to enter in a Bypass Code, as an example.

    The simplest solution would be for Cisco to contact the various OS vendors and have their Root CA published to the operating systems so they are automatically trusted. The fact that Cisco doesn't seem to have done that since 2017 tells me that either Cisco got lazy or the OS vendors aren't trusting Cisco's certs (which I am currently in the process of researching to see if that is indeed the case.)

    0
  • rotblitz

    Thanks for letting us other users know and for sharing your opinion. Now life goes on, and we too.

    0
  • Permanently deleted user

    For those curious, after some research, here is why Cisco's Root CA is not trusted by operating systems... This article explains it well: https://vinoshipper.freshdesk.com/support/solutions/articles/9000179931-your-connection-is-not-private

    Basically, Cisco’s Root Umbrella CA cannot be trusted because 1) it does not adhere to strict guidelines of when a Root CA can be trusted publicly, and 2) a Root CA cannot be trusted whose chain’s sole purpose is to spoof other domains like a Man-in-the-middle attack (as explained in the above URL).

    0