DNSBL - Certificate error when accessing github.com



  • I think this started with the 2.4.1 upgrade.

    github.com is being blocked by one of the blocklists.  So I whitelisted the domain github.com by clicking on the plus sign to add the entry to the Custom Domain Whitelist in DNSBL. I bounced Unbound and cleared Firefox browser cache.

    I now get this error when trying to access github.com.

    An error occurred during a connection to github.com. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL
    
        The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
        Please contact the website owners to inform them of this problem.
    

    If I disable DNSBL, I can access github.com with no issues.


  • Moderator

    What does this command report:

    host -t A github.com
    

    You can also check if there are any subdomains being blocked.

    grep "github.com" /var/unbound/pfb_dnsbl.conf
    
    

    If there are other subdomains listed, you can prepend a "." to the domain in the whitelist and follow that with a Force Reload DNSBL.



  • github.com is working again!  ???

    I did not do anything since I posted.  Perhaps the firewall needed more time to process the whitelist entry?  I saw another post of a similar issue someone reported after the 2.4.1 update with no resolution. So, I thought there was something else going on.  I will monitor to make sure it sticks.

    Here is the reply I was getting on my Windows laptop when it was not working:

    ping github.com
    
    Pinging github.com [10.10.10.1] with 32 bytes of data:
    Reply from 10.10.10.1: bytes=32 time=59ms TTL=64
    Reply from 10.10.10.1: bytes=32 time=1ms TTL=64
    Reply from 10.10.10.1: bytes=32 time=1ms TTL=64
    Reply from 10.10.10.1: bytes=32 time=1ms TTL=64
    
    Ping statistics for 10.10.10.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 59ms, Average = 15ms
    

    I now get a valid ping.

    ping github.com
    
    Pinging github.com [192.30.255.112] with 32 bytes of data:
    Reply from 192.30.255.112: bytes=32 time=678ms TTL=53
    Reply from 192.30.255.112: bytes=32 time=289ms TTL=53
    Reply from 192.30.255.112: bytes=32 time=326ms TTL=53
    Reply from 192.30.255.112: bytes=32 time=264ms TTL=53
    
    Ping statistics for 192.30.255.112:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 264ms, Maximum = 678ms, Average = 389ms
    
    
    [2.4.1-RELEASE][admin@pfSense.mydomain.com]/root: grep "github.com" /var/unbound/pfb_dnsbl.conf
    [2.4.1-RELEASE][admin@pfSense.mydomain.com]/root: host -t A github.com
    github.com has address 192.30.255.112
    github.com has address 192.30.255.113
    
    

  • Moderator

    Probably the Windows machine had the 10.10.10.1 in its DNS cache…

    Try:

    ipconfig /flushdns

    
    In Chrome:  chrome://net-internals/#dns


  • @BBcan177:

    What does this command report:

    host -t A github.com
    

    You can also check if there are any subdomains being blocked.

    grep "github.com" /var/unbound/pfb_dnsbl.conf
    
    

    If there are other subdomains listed, you can prepend a "." to the domain in the whitelist and follow that with a Force Reload DNSBL.

    I got the same problem. This fixed the problem with github.
    Thanks!
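
The checks suggested in this thread, combined into one script; this is an added example and not part of any post. It assumes the DNSBL virtual IP is 10.10.10.1 (the address in the ping output above) and that `/var/unbound/pfb_dnsbl.conf` holds Unbound `local-data` lines like the constructed sample; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: the DNSBL VIP is 10.10.10.1 (the
# address in the ping output) and the conf holds Unbound local-data lines.
DNSBL_VIP="10.10.10.1"

# Constructed sample standing in for /var/unbound/pfb_dnsbl.conf.
sample_conf() {
cat <<'EOF'
local-data: "ads.example.net 60 IN A 10.10.10.1"
local-data: "gist.github.com 60 IN A 10.10.10.1"
local-data: "notgithub.com 60 IN A 10.10.10.1"
local-data: "githubXcom.example.org 60 IN A 10.10.10.1"
EOF
}

# blocked_names DOMAIN [CONF]: list blocked names equal to DOMAIN or below it.
# Unlike grep "github.com", the dot is escaped and the match is anchored, so
# notgithub.com and githubXcom.example.org are not reported for github.com.
blocked_names() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    if [ -n "$2" ]; then cat "$2"; else sample_conf; fi |
        sed -n 's/^local-data: "\([^ ]*\) .*/\1/p' |
        grep -E "^(.*\.)?${esc}\$" || true
}

# diagnose DOMAIN CLIENT_ANSWER [CONF]: CLIENT_ANSWER is the address the client got.
diagnose() {
    hits=$(blocked_names "$1" "$3")
    if printf '%s\n' "$hits" | grep -Fqx -- "$1"; then
        echo "listed"             # still in DNSBL: whitelist it, then Force Reload
    elif [ "$2" = "$DNSBL_VIP" ]; then
        echo "stale-answer"       # not listed but VIP returned: flush client DNS cache
    elif [ -n "$hits" ]; then
        echo "subdomains-listed"  # whitelist as ".domain", then Force Reload
    else
        echo "clear"
    fi
}

# The thread's situation: the laptop still got 10.10.10.1 for github.com.
diagnose github.com 10.10.10.1
```

On the firewall, pass the real file as the third argument, for example `diagnose github.com 10.10.10.1 /var/unbound/pfb_dnsbl.conf`.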

