Netgate Discussion Forum

    Certificate error - DNSBL certificate

    • 1kevinm

      I may not describe this accurately, but I will try.  And I hope that someone can direct or educate me.

      I am on the latest version of pfsense and pfblockerNG.  I have used DNSBL since it was available.

      In the last several weeks, we have been getting an inordinate number of popups from Kaspersky stating "cannot guarantee authenticity of the domain to which encrypted connection is established".  If I turn off this function in Kaspersky, we then start getting certificate errors from the web browser.

      This morning, I finally had some time to investigate.  (I wish I had sooner as the issue appears to be fairly simple).

      The URL that is displayed in the popup is associated with whatever the adserver is that is being blocked (this misled me a bit).

      When I view certificate, it is the certificate from CN_DNSBL  (it appears that from the heading

      How can I find or export this certificate so that I can add it to the trusted certificates on all of our devices?

      Or is there a different or better solution?

      Thanks,
      Kevin

      Intel DQ77KB motherboard
      Intel i5-3470S cpu
      64gb msata SSD
      8gb of RAM
      pfsense 2.3.4

      • doktornotor Banned

        You absolutely should disable the MITM crap in Kaspersky for security reasons. (The cert is self-signed, is not supposed to be trusted, and that's basically it. Future version will have 0.0.0.0 and no 1x1px webserver as an option.)

        • 1kevinm

          When I disable the functionality in Kaspersky, which I will leave off based on your comment, I then get continued security alert popups from the web browser.  It is the same certificate issue with CN_DNSBL.

          • doktornotor Banned

            No idea what browser you are using. If you get those popups all the time, then either your DNSBL feeds selection is insane, or your browser broken. Either way, as noted above, live with it, or disable and wait for the next version which will have the option to NOT use this redirect.

            • 1kevinm

              @doktornotor:

              No idea what browser you are using. If you get those popups all the time, then either your DNSBL feeds selection is insane, or your browser broken. Either way, as noted above, live with it, or disable and wait for the next version which will have the option to NOT use this redirect.

              The popups occur in Firefox 64bit (current version), Edge (current version), and IE11 (current version).

              There must be a way to download and install the CN_DNSBL certificate from pfblocker and install it as a trusted site - that would resolve the problem (it appears to be the same certificate every time).

              • doktornotor Banned

                The certificate is self-signed crap regenerated on every reinstall. Pointless. Really. Just move on. You should diagnose what is making your browsers hit the DNSBL IP over and over again instead.

                • BBcan177 Moderator

                  See here:

                  https://forum.pfsense.org/index.php?topic=124945.0

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/
