alphalt
Member Candidate
Topic Author
Posts: 120
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

DoH certificate handshake failed (Quad9)

Thu Jul 25, 2024 6:57 pm

Hi,

Today, all of a sudden, without making any changes to Mikrotik, I lost my internet connection. After some investigation I found this fault message:
DoH server connection error: SSL: handshake failed: unable to get local issuer certificate (6)
I know that there are tons of forum entries about this topic. I just wanted to ask if there is somebody else using QUAD9 DoH servers who can confirm that the problem exists. I do not know whether it is a problem on the Mikrotik side (I doubt it, as I did not make any changes or updates) or whether something is really wrong with the Quad9 certificates.

The only way to work around this issue is to remove the tick mark from Verify DoH Certificate. Then it works. For safety reasons I went back to the ISP DNS servers until I find out what is going on.

I would appreciate any help or ideas on what to check.

Regards
 
erlinden
Forum Guru
Posts: 2689
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: DoH certificate handshake failed (Quad9)

Thu Jul 25, 2024 7:10 pm

If you want to check "Verify DoH Certificate" (which you obviously do), you have to make sure the MikroTik has the Root CA installed.

Check this blog that explains the steps to get it to work:
https://www.shellhacks.com/mikrotik-dns ... loudflare/
 
alphalt
Member Candidate
Topic Author
Posts: 120
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: DoH certificate handshake failed (Quad9)

Thu Jul 25, 2024 7:25 pm

Thanks for the reply.

As I said, everything was working without any issues until today; this is not a new setup. It was a fully working setup until it stopped all of a sudden today. And yes, I already had the Root CA certificate, but it was a bit different from the one in the post you mentioned. I was using this one:
https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
 
erlinden
Forum Guru
Posts: 2689
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: DoH certificate handshake failed (Quad9)

Thu Jul 25, 2024 7:33 pm

Could it be that the imported certificate is expired or renewed?
 
alphalt
Member Candidate
Topic Author
Posts: 120
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: DoH certificate handshake failed (Quad9)

Thu Jul 25, 2024 10:37 pm

I thought about that. The certificate is valid until 2031, and I have also downloaded a new version in case it was renewed. Still the same issue. I have also checked the date and time on the router and it is ok.

It is strange, as it happened all of a sudden. The internet was just gone without my doing anything.

If the Root CA is used by Mikrotik to validate the DoH certificate, could the problem then be on the Mikrotik side? Is anyone else using this:
DigiCertGlobalRootCA.crt.pem
Do you experience any issues?
 
RichNZ
just joined
Posts: 1
Joined: Thu May 09, 2024 6:58 am

Re: DoH certificate handshake failed (Quad9)

Thu Jul 25, 2024 11:41 pm

Quad9 have replaced their root. You need the new cert.
https://www.reddit.com/r/Quad9/comments ... ices_must/
 
macropin
just joined
Posts: 8
Joined: Thu Sep 25, 2014 1:05 pm

Re: DoH certificate handshake failed (Quad9)

Fri Jul 26, 2024 12:47 am

The validation chain changed. DigiCert switched roots, as the CA certificate fingerprints don't match. They're now using "DigiCert Global Root G3". Import DigiCertGlobalRootG3.crt.pem from https://www.digicert.com/kb/digicert-ro ... icates.htm and it will fix the issue.
 
alphalt
Member Candidate
Topic Author
Posts: 120
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: DoH certificate handshake failed (Quad9)

Fri Jul 26, 2024 4:44 pm

Thank you for your help, it has resolved my issue.

Funny enough, if I download the certificate as suggested directly on the Quad9 website
/tool/fetch mode=https url="https://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem"
then the issue is still there. If I download DigiCertGlobalRootG3.crt.pem directly from https://www.digicert.com/kb/digicert-ro ... icates.htm as suggested by macropin, then all works like a charm. It is a bit strange that the Quad9 guys link to the wrong certificate in their description.

Anyway, it works now. Thanks a lot.
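The distinction macropin and alphalt ran into (the router must be given the self-signed root, not the intermediate CA1-1 file linked from Quad9's page) can be checked before importing anything. The POSIX shell script below is an added example, not from the thread, MikroTik or Quad9: it uses only the openssl CLI, classifies a PEM file as root or intermediate, and reproduces the "unable to get local issuer certificate" failure by anchoring a chain on an intermediate. The root/intermediate pair it creates is constructed throwaway material, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl CLI only.
# A trust anchor imported into the router must be a self-signed root; an
# intermediate (like the CA1-1 file linked from Quad9's page) cannot anchor
# a chain, so verification fails with "unable to get local issuer certificate".

# Print "root" if the PEM file verifies against itself (self-signed),
# otherwise "intermediate". Always exits 0 so it is safe under set -e.
classify_ca() {
  if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo root
  else
    echo intermediate
  fi
}

# Verify a leaf/chain PEM ($2) against a candidate anchor PEM ($1) and print
# openssl's verdict: "...: OK" or the reason, e.g. "unable to get local
# issuer certificate". Always exits 0; callers inspect the printed text.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1 || true
}

# Constructed demo material (hypothetical names): a throwaway root and one
# intermediate it signs, written to a temporary directory.
DEMO=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Constructed Demo Root" \
  -keyout "$DEMO/root.key" -out "$DEMO/root.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=Constructed Demo Intermediate" \
  -keyout "$DEMO/int.key" -out "$DEMO/int.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$DEMO/int.csr" -CA "$DEMO/root.pem" \
  -CAkey "$DEMO/root.key" -CAcreateserial -out "$DEMO/int.pem" 2>/dev/null

echo "root.pem is a $(classify_ca "$DEMO/root.pem")"   # root
echo "int.pem is an $(classify_ca "$DEMO/int.pem")"    # intermediate

# Anchoring on the intermediate reproduces the router's error; anchoring on
# the root succeeds.
verify_chain "$DEMO/int.pem"  "$DEMO/int.pem"
verify_chain "$DEMO/root.pem" "$DEMO/int.pem"
```

Run classify_ca on the file you are about to import; if it reports "intermediate", the router will keep failing with the same handshake error no matter how fresh the download is.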
 
nacardin
just joined
Posts: 1
Joined: Fri Oct 11, 2024 7:03 pm

Re: DoH certificate handshake failed (Quad9)

Fri Oct 11, 2024 7:08 pm

> Thank you for your help, it has resolved my issue.
>
> Funny enough, if I download the certificate as suggested directly on the Quad9 website
> /tool/fetch mode=https url="https://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem"
> then the issue is still there. If I download DigiCertGlobalRootG3.crt.pem directly from https://www.digicert.com/kb/digicert-ro ... icates.htm as suggested by macropin, then all works like a charm. It is a bit strange that the Quad9 guys link to the wrong certificate in their description.
>
> Anyway, it works now. Thanks a lot.

Thanks! On RouterOS 7.11.2, DigiCertGlobalRootG3.crt.pem works for me. DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem does not load:
certificates-imported: 0
private-keys-imported: 0
files-imported: 0
decryption-failures: 0
keys-with-no-certificate: 0