Netgate Discussion Forum

    Can not check my email, outlook.live.com Cert Error

    pfBlockerNG
    17 Posts 4 Posters 1.2k Views
    • S
      shahzy_
      last edited by

      I installed the 2.4.5 release of pfSense on my Netgate device last week. I installed the 2.1.4_22 release of pfBlockerNG. I am using the pfBlockerNG DNSBL feature only. Everything works as expected. Traffic gets routed, the DNS resolver works and ads get blocked.

      The real pain started when I tried to log in to Outlook to check my emails. Every time I go to outlook.live.com, I see a certificate error as shown below:

      Issued to: CN_DNSBL
      Issued By: CN_DNSBL
      This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.

      Any idea what's wrong?

      • RonpfSR
        RonpfS
        last edited by

        Check the Reports/Alerts tab and whitelist the domain.

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        • S
          shahzy_ @RonpfS
          last edited by

          @RonpfS
          This domain is already in the whitelist:
          https://outlook.live.com/

          • RonpfSR
            RonpfS
            last edited by

            The syntax may be wrong. Again check the Alerts tab when you try to reach the site.

            • S
              shahzy_ @RonpfS
              last edited by

              @RonpfS
              I didn't get what you mean by the syntax not being right.
              Here is the error that I got from the DNSBL log:
              DNSBL Reject HTTPS,Apr 16 11:38:57,outlook.live.com

              • RonpfSR
                RonpfS @shahzy_
                last edited by

                @shahzy_ said in Can not check my email, outlook.live.com Cert Error:

                I didn't get what you mean by the syntax not being right.

                If you put https://outlook.live.com/ in the Custom Whitelist, it won't work. It has to be outlook.live.com, or .outlook.live.com click on the .


                S 1 Reply Last reply Reply Quote 0
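The whitelist syntax described in the reply above, together with the DNSBL log lines quoted in this thread, as an added example that is not part of the original posts or of pfBlockerNG. It assumes a leading dot means "this domain and its subdomains" and that each log line is three comma-separated fields as quoted; all function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit

def normalize_entry(entry):
    """Return (domain, include_subdomains) for one Custom Whitelist line."""
    text = entry.strip().lower()
    if "://" in text:                 # a pasted URL, e.g. https://outlook.live.com/
        text = urlsplit(text).hostname or ""
    else:                             # drop any path or port pasted along with the name
        text = text.split("/", 1)[0].split(":", 1)[0]
    return text.strip("."), text.startswith(".")

def lint_whitelist(entries):
    """Map each entry that is not already a bare domain to its corrected form."""
    fixes = {}
    for entry in entries:
        domain, subs = normalize_entry(entry)
        wanted = ("." if subs else "") + domain
        if entry.strip() != wanted:
            fixes[entry] = wanted
    return fixes

def rejected_domains(log_lines):
    """Count rejects per domain from 'DNSBL Reject HTTPS,<time>,<domain>' lines."""
    hits = Counter()
    for line in log_lines:
        fields = line.strip().split(",")
        if len(fields) == 3 and fields[0].startswith("DNSBL Reject"):
            hits[fields[2].lower()] += 1
    return hits

def whitelisted_but_rejected(entries, log_lines):
    """Domains still rejected although a (normalized) whitelist entry covers them."""
    rules = [normalize_entry(e) for e in entries]
    def covered(name):
        return any(name == d or (subs and name.endswith("." + d))
                   for d, subs in rules if d)
    return sorted(n for n in rejected_domains(log_lines) if covered(n))

# Constructed sample input: the whitelist line and log lines quoted in the thread,
# plus one made-up domain (ads.example.net) that is not whitelisted.
WHITELIST = ["https://outlook.live.com/"]
LOG = [
    "DNSBL Reject HTTPS,Apr 16 14:20:31,outlook.live.com",
    "DNSBL Reject HTTPS,Apr 16 14:20:31,outlook.live.com",
    "DNSBL Reject HTTPS,Apr 16 14:21:02,ads.example.net",
]

if __name__ == "__main__":
    print("entries to correct:", lint_whitelist(WHITELIST))
    print("covered yet still rejected:", whitelisted_but_rejected(WHITELIST, LOG))
```

A domain that stays in the second list after the entry has been corrected points to a whitelist that has not been applied yet, which matches the note quoted later in the thread that entries only take effect when feeds are downloaded or on a Force Reload.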
                • S
                  shahzy_ @RonpfS
                  last edited by

                  @RonpfS
                  I did put your suggested URL in the custom whitelist but the problem persists. DNSBL log error:
                  DNSBL Reject HTTPS,Apr 16 14:20:31,outlook.live.com
                  DNSBL Reject HTTPS,Apr 16 14:20:31,outlook.live.com

                  Browser shows certificate error, CN_DNSBL.

                  Any other idea?

                  • RonpfSR
                    RonpfS
                    last edited by

                    Why don't you use the Alerts tab to do your whitelisting?

                    • S
                      shahzy_ @RonpfS
                      last edited by

                      @RonpfS
                      I don't see these log entries in the Alerts tab. I can see them only in the DNSBL log.

                      • J
                        jdeloach @shahzy_
                        last edited by jdeloach

                        @shahzy_ said in Can not check my email, outlook.live.com Cert Error:

                        @RonpfS
                        I did put your suggested URL in the custom whitelist but the problem persists. DNSBL log error:
                        DNSBL Reject HTTPS,Apr 16 14:20:31,outlook.live.com
                        DNSBL Reject HTTPS,Apr 16 14:20:31,outlook.live.com

                        Browser shows certificate error, CN_DNSBL.

                        Any other idea?

                        I would suggest giving this article a read, as it explains a lot about how to configure DNSBL in pfBlockerNG: https://linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

                        • RonpfSR
                          RonpfS @shahzy_
                          last edited by

                          @shahzy_ Did you inspect pfblockerng.log? Do you see any outlook.live.com in there?
                          Did you run a Force Reload DNSBL?

                          • S
                            shahzy_ @RonpfS
                            last edited by

                            @RonpfS
                            This is how it was fixed:

                            1. I added outlook.live.com to the custom whitelist.
                            2. I did a force update.
                            3. I restarted the dnsbl service.

                            The pain went away. I can open Outlook and check my email.

                            Out of curiosity, I tried to reproduce this problem:

                            1. I removed outlook.live.com from the custom whitelist.
                            2. I did a force update.
                            3. I restarted the dnsbl service.

                            I did not get my original issue. I can open Outlook.

                            I don't know what exactly is going on, but your help helped me to fix this. Thanks.

                            • NollipfSenseN
                              NollipfSense @shahzy_
                              last edited by

                              @shahzy_ That's because you had added it to the whitelist.

                              pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                              pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                              • S
                                shahzy_ @NollipfSense
                                last edited by

                                @NollipfSense
                                Though my issue is fixed, curiosity never stops.

                                pfblockerng log file after adding outlook.live.com:

                                [ uBlockFiltersPlus ] Reload [ 04/16/20 14:34:07 ] . completed ..

                                Whitelist: outlook.live.com
                                I have removed the package stats for simplicity.

                                pfblockerng log file after removing outlook.live.com:

                                Whitelist: localhost.localdomain

                                After removing outlook.live.com and doing a force update, my localhost.localdomain gets whitelisted in this list. This could be the reason for not reproducing the issue.

                                Is it OK to see localhost.localdomain whitelisted?
                                Hope I am not a trouble :)

                                • S
                                  shahzy_ @shahzy_
                                  last edited by

                                  @shahzy_
                                  I found the reason why I was not able to reproduce the issue.

                                  You don't need to restart pfSense to unblock a site.

                                  You need to restart pfSense if you want to remove sites from the custom whitelist.

                                  This concludes my fix and testing. Thanks everyone for your help.

                                  • RonpfSR
                                    RonpfS
                                    last edited by RonpfS

                                    @shahzy_ said in Can not check my email, outlook.live.com Cert Error:

                                    You need to restart pfsense if you want to remove sites from custom white list.

                                    What !?!

                                    Did you read the Note: These entries are only Whitelisted when Feeds are downloaded or on a 'Force Reload'.

                                    Force Update is not the same as Force Reload DNSBL

                                    • S
                                      shahzy_ @RonpfS
                                      last edited by

                                      @RonpfS
                                      I just did a test. You need to "Force Reload" and "Force Reload DNSBL" if you remove an entity from the custom whitelist. The entity's behavior will change to blocking. You don't need to restart pfSense.

                                      Thanks for clarification.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.