Browser warnings for invalid domain certificates

After a new OpenWRT flash on my router, my device's browser is suddenly warning about certificate errors (SSL_ERROR_BAD_CERT_DOMAIN). It's far from every site, but all of a sudden I'm getting these browser warnings on several websites, which didn't happen before flashing to OpenWRT.

It seems to be related to the domain names. Screenshot:

[screenshot]

Does anyone know what could be causing this?

Most probably unrelated to OpenWrt. Sounds like a MITM issue - frequently triggered by bogus anti virus products.

I don't use antivirus products, and the issues began after switching to a newly flashed router with OpenWRT, so I suspect it is related. I'm fairly security-conscious and I doubt it's a MITM; I'm pretty sure it's caused by something in the configuration.

Not sure if incorrect time settings can cause BAD_CERT_DOMAIN errors but both my laptop device and the OpenWRT router are configured to the correct time. The certificates haven't expired, either.

Official OpenWrt images do not affect/interfere with SSL traffic/certificate handling.

Double-check whether you receive these errors from another connected mobile device as well... and please provide more information: where did you download the image, and which image did you flash? Any special plugins activated? Which URL did you use for testing?

The image I flashed was this one. (Firmware downloads really should be available over https, by the way!)

I tried it on my phone, and it produced the same error. HOWEVER, I also disconnected from the OpenWRT router and used my mobile connection, and it produces the same error when bypassing my home connection. So this indicates there's something wrong on their end, and because I've been receiving the error on different websites, it may be related to the certificate authority (DigiCert, in this case)?

Edit: also tried it on a WireGuard VPN connection, and it also produces the error. So I've essentially tried it on 3 different connections, 2 different devices, and 3 different browsers.

Just use https instead of http and you're done.

That's good, but it would be even better if the links were changed to https instead. Perhaps it points to http for a reason, though?

It'd be great if someone else could also give it a try, see if they get a cert error, and report back, please.

Just see if it gets an error, no need to download it, of course:
https://download.virtualbox.org/virtualbox/6.0.6/VirtualBox-6.0.6-130049-OSX.dmg

It does, because SSL-enabled "wget" (ustream) implementations aren't part of the default preinstalled package set (for size reasons and other side effects, such as certificate complaints for self-signed 'invalid' access to the router's web interface).

I receive a certificate error as well; unrelated to OpenWrt. Oracle seems to be reorganizing their download area; use https://www.oracle.com/technetwork/server-storage/virtualbox/downloads/index.html to download VirtualBox.

Thank you for your help in diagnosing this issue.

Not to wake the dead, but after installing OpenWrt 23.05, I too am experiencing numerous SSL_ERROR_BAD_CERT_DOMAIN errors.

What is causing this?

I'm thinking this has something to do with DNS but looking for some insight before I go mucking around.

I want to avoid using Comcast DNS and prefer an alternative.

Antivirus not active.

ISP: Comcast
Browser: FireFox 115.5.0esr
Router: Linksys WRT1900ac running OpenWrt 23.05.0
Source: https://firmware-selector.openwrt.org/?version=23.05.0&target=mvebu%2Fcortexa9&id=linksys_wrt1900ac-v1

Seems like clicking Google search result links can cause this.

For example, I did a search for "speed test" and clicked the link for the Speak Easy Speed Test.

The error message tells you the problem. Your ISP (Comcast) is intercepting your request for speakeasy.net and sending you to one of their websites instead. Most likely their DNS server is returning a Comcast IP instead of the Speak Easy IP, as you've guessed.

You can configure OpenWrt to use non-ISP DNS servers like Cloudflare's 1.1.1.1 DNS and see if this solves it. In the LuCI menu go to Network→Interfaces then for each of the two WAN interfaces:

  1. Click "Edit" then go to the "Advanced Settings" tab.
  2. Uncheck "Use DNS servers advertised by peer".
  3. Add desired DNS IP addresses in the "Use custom DNS servers" section. Be sure to use IPv4 addresses for WAN and IPv6 addresses for WAN6.
  4. Click "Save".

Click "Save & Apply" to apply the new DNS settings.
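The same change as the LuCI steps above, done with OpenWrt's `uci` command line so it can be scripted and checked. This is an added example, not code from the thread or from the OpenWrt project; it assumes the WAN interfaces are named `wan` and `wan6` (the 23.05 defaults) and uses Cloudflare's resolvers as the custom servers, but any addresses work. `DRY_RUN=1` prints the commands instead of running them, which is handy for reading them off-router.

```shell
#!/bin/sh
# Added example (not from the thread): the same change the LuCI steps make,
# done with OpenWrt's uci command line so it can be scripted or reviewed.
# Assumptions: WAN interfaces are named "wan" and "wan6" as in a default
# OpenWrt 23.05 config; Cloudflare's resolvers are the desired custom servers.
# DRY_RUN=1 prints the commands instead of executing them (useful off-router).

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# wan_custom_dns IFACE ADDR...: stop using the resolvers the ISP advertises
# over DHCP/RA on IFACE (peerdns=0) and use ADDR... instead (the dns list).
# This is what unchecking "Use DNS servers advertised by peer" and filling in
# "Use custom DNS servers" write to /etc/config/network.
wan_custom_dns() {
    iface="$1"; shift
    run uci set "network.$iface.peerdns=0"
    run uci delete "network.$iface.dns" 2>/dev/null || true   # drop any old list
    for addr in "$@"; do
        run uci add_list "network.$iface.dns=$addr"
    done
}

if [ "$1" = "apply" ]; then
    wan_custom_dns wan  1.1.1.1 1.0.0.1                              # IPv4 for wan
    wan_custom_dns wan6 2606:4700:4700::1111 2606:4700:4700::1001   # IPv6 for wan6
    run uci commit network
    run /etc/init.d/network reload    # the "Save & Apply" step
fi
```

Run it on the router as `sh wan-dns.sh apply` (or `DRY_RUN=1 sh wan-dns.sh apply` to preview). To confirm it took, `uci show network.wan.dns` should list your addresses, and `/tmp/resolv.conf.d/resolv.conf.auto`, the file dnsmasq forwards to, should no longer contain the ISP's resolvers. Setting custom DNS only on the LAN interface does not change that file, which is why the LAN-only change further down in the thread did not help.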

Clicking on "View Certificate" and having a look yourself at the content of the cert reveals far more useful information.
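Doing what the reply above suggests from the command line: fetch the certificate the server hands out for the name you asked for, and apply the same name-matching rule the browser uses before it raises SSL_ERROR_BAD_CERT_DOMAIN. This is an added example, not code from the thread; it assumes the `openssl` CLI (1.1.1 or newer, for `-ext`) on the laptop, and the `.example` names in the comments are constructed, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): redo from the command line what the
# browser checks before raising SSL_ERROR_BAD_CERT_DOMAIN, so you can read the
# names the served certificate was actually issued for. Needs the openssl CLI
# (1.1.1 or newer, for -ext) on the laptop; nothing here runs on the router.
set -f   # certificate names contain '*'; never let the shell glob them

# san_names HOST [PORT]: DNS names from the subjectAltName of the certificate
# that HOST:PORT serves when asked for HOST via SNI, one per line.
san_names() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
      | openssl x509 -noout -ext subjectAltName 2>/dev/null \
      | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# name_matches HOST NAME: succeeds if NAME covers HOST by the browser rule:
# exact match, or a wildcard standing for exactly one left-most label
# (*.site.example covers www.site.example, not site.example or a.b.site.example).
name_matches() {
    host="$1"; name="$2"
    case "$name" in
        \*.*)
            suffix="${name#\*.}"
            [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ]
            ;;
        *)
            [ "$host" = "$name" ]
            ;;
    esac
}

# host_covered HOST NAMES: NAMES is a whitespace-separated list as printed by
# san_names. Succeeds if any entry covers HOST.
host_covered() {
    host="$1"
    for n in $2; do
        name_matches "$host" "$n" && return 0
    done
    return 1
}

# check_site HOST: a mismatch whose names belong to a different organisation
# (the ISP's, say) means someone other than the site answered the connection,
# which is what a redirected DNS answer looks like at the TLS layer.
check_site() {
    host="$1"
    names="$(san_names "$host")"
    if host_covered "$host" "$names"; then
        echo "$host: certificate covers the requested name"
    else
        echo "$host: MISMATCH (browser would show SSL_ERROR_BAD_CERT_DOMAIN)"
        echo "certificate was issued for:"
        printf '  %s\n' $names
    fi
}

# Usage: sh cert-names.sh speakeasy.net
if [ $# -gt 0 ]; then check_site "$1"; fi
```

Run it once from the LAN and once over the phone's mobile connection: if the LAN run shows names that are not the site's while the mobile run is clean, the resolver your router is forwarding to is answering with somebody else's address. A clean run on both but a warning in the browser points back at the client instead.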

Ah... I thought I had done that, but I might have done just the LAN section and not the WAN.

I'm in the habit of setting up OpenWrt as a "dumb" access point.

What if anything should I put in DNS Search Domain?

Setting this up for a friend, will make the changes in a day or two. Will provide update then.

Nothing, leave that blank. DNS search domains are only relevant on LAN.

What search domains do is allow hosts on your LAN to navigate to unqualified domain names like http://OpenWrt (note the lack of the .lan top-level domain). This is because OpenWrt sets .lan as the search domain when hosts obtain a DHCP lease from your router. Then, when you navigate to http://OpenWrt in your browser, your system's resolver appends ".lan" to the name and resolves OpenWrt.lan instead.

That seems to be what the issue was. I had set up custom DNS for LAN but not for WAN.

Thanks.