After a new OpenWRT flash on my router my device's browser is suddenly warning about certificate errors (SSL_ERROR_BAD_CERT_DOMAIN). It is far from every site, though, but all of a sudden I'm getting these browser warnings on several websites, which didn't happen before flashing to OpenWRT.
It seems to be related to the domain names. Screenshot:
I don't use antivirus products and the issues began after switching to a newly flashed router with OpenWRT, so I suspect it is related. I'm fairly security conscious and I doubt it's a MITM, I'm pretty sure it's caused by something in the configuration.
Not sure if incorrect time settings can cause BAD_CERT_DOMAIN errors but both my laptop device and the OpenWRT router are configured to the correct time. The certificates haven't expired, either.
Official OpenWrt images do not affect or interfere with SSL traffic or certificate handling.
Double-check whether you receive these errors from another connected mobile device as well ... and please provide more information: Where did you download the image, and which image did you flash? Any special plugins activated? Which URL did you use for testing?
The image I flashed was this one. (Firmware downloads really should be available with https btw!)
I tried it on my phone, and it produced the same error. HOWEVER, I also disconnected from the OpenWRT router and used my mobile connection, and it produces the same error when bypassing my home connection. So this indicates there's something wrong on their end, and because I've been receiving the error on different websites it may be related to the certificate authority (Digicert, in this case)?
Edit: also tried it on a Wireguard VPN connection and it also produces the error. So I've essentially tried it on 3 different connections and 2 different devices, 3 different browsers.
It does, because SSL-enabled "wget" (ustream) implementations aren't part of the default preinstalled package set (for size reasons and other side effects, such as certificate complaints for self-signed 'invalid' access to the router's web interface).
The error message tells you the problem. Your ISP (Comcast) is intercepting your request for speakeasy.net and sending you to one of their websites instead. Most likely their DNS server is returning a Comcast IP instead of the Speakeasy IP, as you've guessed.
You can configure OpenWrt to use non-ISP DNS servers like Cloudflare's 1.1.1.1 DNS and see if this solves it. In the LuCI menu go to Network→Interfaces then for each of the two WAN interfaces:
Click "Edit" then go to the "Advanced Settings" tab.
Uncheck "Use DNS servers advertised by peer".
Add desired DNS IP addresses in the "Use custom DNS servers" section. Be sure to use IPv4 addresses for WAN and IPv6 addresses for WAN6.
Click "Save".
Click "Save & Apply" to apply the new DNS settings.
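The same change from an SSH session on the router, as an added example that is not from this thread: it sets the UCI options behind the LuCI checkboxes (peerdns and the dns list) for wan and wan6. The resolver addresses are assumptions (Cloudflare's IPv4 and IPv6 anycast addresses); swap in whichever non-ISP resolvers you prefer.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the uci batch equivalent of the
# LuCI steps: stop using the resolvers advertised by the ISP (peerdns=0) and
# replace them with a custom list. Emitting the batch first lets you review it.
dns_batch() {
    iface=$1; shift
    printf 'set network.%s.peerdns=0\n' "$iface"
    printf 'delete network.%s.dns\n' "$iface"   # clear any earlier custom list
    for server in "$@"; do
        printf 'add_list network.%s.dns=%s\n' "$iface" "$server"
    done
}

# Feed the batch to uci (quiet mode tolerates the delete of a missing list),
# commit, and reload the network. Outside OpenWrt, just show the batch.
apply_batch() {
    if command -v uci >/dev/null 2>&1; then
        uci -q batch && uci commit network && /etc/init.d/network reload
    else
        cat
    fi
}

# IPv4 resolvers go on wan, IPv6 resolvers on wan6, as the post says.
# Addresses are assumed values (Cloudflare), not taken from the thread.
{
    dns_batch wan  1.1.1.1 1.0.0.1
    dns_batch wan6 2606:4700:4700::1111 2606:4700:4700::1001
} | apply_batch
```

Afterwards `cat /tmp/resolv.conf.d/resolv.conf.auto` (or `resolv.conf.auto` on older releases) should list only the custom resolvers.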
Nothing, leave that blank. DNS search domains are only relevant on LAN.
What search domains do is allow hosts on your LAN to navigate to unqualified domain names like http://OpenWrt (note the lack of the .lan top-level domain). This is because OpenWrt sets .lan as the search domain when hosts obtain a DHCP lease from your router. Then when you navigate to http://OpenWrt in your browser, your system's resolver appends ".lan" to the name and resolves OpenWrt.lan instead.