DNSBL Certificate Error: INVALID CA



  • ENV: pfSense v2.4.3, pfBlockerNG v2.1.2_2

    Please see attached screenshots.

    Background: When accessing sites blocked by DNSBL, I get an SSL error: CERTIFICATE AUTHORITY INVALID error on the latest Chrome as well as Firefox browsers. As suggested by other related posts on the forum, I have edited pfBlockerNG.inc line #3630 so that pfBlockerNG/DNSBL does not use the DNSBL VIP; the modified line looks like:

    ```
    $domain_data .= "local-data: \"" . $line . " 60 IN A 0.0.0.0\"\n";
    ```

    
    To @BBcan177:
    I use an internal self-signed CA to generate user & server certificates for OpenVPN purposes.
    Should DNSBL be using the internal/self-signed CA for creating certificates in order to avoid SSL cert errors? I would assume that in most scenarios, the internal CA created under pfSense is set up as a trusted CA by the client machines (as it is in my home network). Having this configuration set up would eliminate the errors mentioned.
    ![DNSBL_Cert.PNG](/public/_imported_attachments_/1/DNSBL_Cert.PNG)
    ![DNSBL_Chrome_CA_INVALID.PNG](/public/_imported_attachments_/1/DNSBL_Chrome_CA_INVALID.PNG)


  • BTW, after making changes to pfBlockerNG.inc:

    ```
    head -10 pfb_dnsbl.conf

    local-data: "004b17a0c349157de.com 60 IN A 0.0.0.0"
    local-data: "006a039c957c142bb.com 60 IN A 0.0.0.0"
    local-data: "007-gateway.com 60 IN A 0.0.0.0"
    local-data: "0073dd485d46d930dd9.com 60 IN A 0.0.0.0"
    local-data: "00aaa2d81c1d174.com 60 IN A 0.0.0.0"
    local-data: "00e20f955428d.com 60 IN A 0.0.0.0"
    local-data: "00zasdf.pw 60 IN A 0.0.0.0"
    local-data: "012469af389a1d1246d.com 60 IN A 0.0.0.0"
    local-data: "0194c6fcbb3.com 60 IN A 0.0.0.0"
    local-data: "019f2d2d415.review 60 IN A 0.0.0.0"
    ```


 
