
Topic: DNSBL Certificate Error: INVALID CA


rsaanon
DNSBL Certificate Error: INVALID CA
« on: April 16, 2018, 08:21:57 am »
ENV: pfSense v2.4.3, pfBlockerNG v2.1.2_2

Please see the attached screenshots.

Background: When accessing sites blocked by DNSBL, I get an SSL CERTIFICATE AUTHORITY INVALID error on the latest Chrome as well as Firefox browsers. As suggested by other related posts on the forum, I have edited pfBlockerNG.inc line #3630 so that pfBlockerNG/DNSBL does *not* use the DNSBL VIP; the modified line looks like:
```php
// pfBlockerNG.inc (as edited): emit an Unbound local-data record that sinks the blocked domain to 0.0.0.0 instead of the DNSBL VIP
$domain_data .= "local-data: \"" . $line . " 60 IN A 0.0.0.0\"\n";
```

Also, I had force-updated DNSBL. After making all the changes and restarting the service, I still continue to get the SSL CERTIFICATE AUTHORITY INVALID errors.

 To @BBcan177: 
I use an internal self-signed CA to generate user and server certificates for OpenVPN.
Should DNSBL be using the internal self-signed CA for creating certificates in order to avoid SSL cert errors? I would assume that in most scenarios, the internal CA created under pfSense is set up as a trusted CA on the client machines (as it is in my home network). Having this configuration set up would eliminate the errors mentioned.

rsaanon
Re: DNSBL Certificate Error: INVALID CA
« Reply #1 on: April 16, 2018, 08:28:53 am »
BTW, after making changes to pfBlockerNG.inc:

```text
# head -10 pfb_dnsbl.conf
local-data: "004b17a0c349157de.com 60 IN A 0.0.0.0"
local-data: "006a039c957c142bb.com 60 IN A 0.0.0.0"
local-data: "007-gateway.com 60 IN A 0.0.0.0"
local-data: "0073dd485d46d930dd9.com 60 IN A 0.0.0.0"
local-data: "00aaa2d81c1d174.com 60 IN A 0.0.0.0"
local-data: "00e20f955428d.com 60 IN A 0.0.0.0"
local-data: "00zasdf.pw 60 IN A 0.0.0.0"
local-data: "012469af389a1d1246d.com 60 IN A 0.0.0.0"
local-data: "0194c6fcbb3.com 60 IN A 0.0.0.0"
local-data: "019f2d2d415.review 60 IN A 0.0.0.0"
```
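The two posts above turn on one detail: which address a sinkholed name resolves to. When DNSBL answers with the VIP, a web server on the firewall accepts the HTTPS connection and must present a certificate for the blocked hostname, which it cannot do unless a CA the client trusts issues one for every blocked name; when it answers with 0.0.0.0 there is nothing to connect to, so the browser fails fast with a connection error rather than a certificate warning. The following script is an added example, not pfBlockerNG's own code: it builds Unbound `local-data` lines in the `pfb_dnsbl.conf` format shown in the post from a blocklist, with the sink address as a parameter, and parses an existing config back so you can check that every record really points at the sink you expect. The blocklist text is constructed for the example; the function names and the hostname validation rule are the example's own.

```python
import re
from ipaddress import ip_address

# Constructed sample blocklist (not a real feed); it mixes a comment,
# upper case, a trailing dot, a duplicate and an invalid entry so the
# normalisation and validation paths are exercised.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real DNSBL feed
004b17a0c349157de.com
007-gateway.com.
00zasdf.pw
00ZASDF.PW
not_a_domain!
019f2d2d415.review
"""

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# A pfb_dnsbl.conf record:  local-data: "<name> <ttl> IN <A|AAAA> <addr>"
_LOCAL_DATA = re.compile(
    r'^local-data:\s*"(?P<name>[^\s"]+)\s+(?P<ttl>\d+)\s+IN\s+'
    r'(?P<rrtype>A|AAAA)\s+(?P<addr>[^\s"]+)"\s*$'
)


def normalize_domain(name):
    """Lowercase, strip whitespace and a trailing dot; None if not a valid hostname."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return name


def build_local_data(blocklist_text, sink="0.0.0.0", ttl=60):
    """Turn a blocklist into Unbound local-data lines, one per unique domain.

    sink is the address the blocked names resolve to: 0.0.0.0 (the client
    cannot connect at all) or the DNSBL VIP (the firewall's web server
    answers, so an HTTPS client sees a certificate that does not match
    the blocked name). An IPv6 sink produces AAAA records.
    """
    addr = ip_address(sink)
    rrtype = "AAAA" if addr.version == 6 else "A"
    seen, lines = set(), []
    for raw in blocklist_text.splitlines():
        raw = raw.split("#", 1)[0]          # drop comments
        dom = normalize_domain(raw)
        if dom is None or dom in seen:      # skip junk and duplicates
            continue
        seen.add(dom)
        lines.append(f'local-data: "{dom} {ttl} IN {rrtype} {addr}"')
    return lines


def parse_local_data(conf_text):
    """Parse pfb_dnsbl.conf-style text into {domain: (ttl, rrtype, address)}.

    Lines that are not local-data records are ignored.
    """
    records = {}
    for line in conf_text.splitlines():
        m = _LOCAL_DATA.match(line.strip())
        if m:
            records[m["name"]] = (int(m["ttl"]), m["rrtype"], ip_address(m["addr"]))
    return records


def sink_addresses(conf_text):
    """Distinct sink addresses used in a config.

    After switching away from the VIP this should be exactly {"0.0.0.0"};
    any other address means some records still point at the VIP.
    """
    return {str(addr) for _, _, addr in parse_local_data(conf_text).values()}


def is_unroutable_sink(addr):
    """True for 0.0.0.0 or ::, where the browser fails to connect instead of
    reaching a web server whose certificate cannot match the blocked name."""
    return ip_address(addr).is_unspecified


if __name__ == "__main__":
    conf = "\n".join(build_local_data(SAMPLE_BLOCKLIST))
    print(conf)
    print("sink addresses in use:", sink_addresses(conf))
```

Run `sink_addresses()` over the real `pfb_dnsbl.conf` after an edit like the one in the post: if the set contains anything besides the intended sink, Unbound is still handing out the VIP for some names and the certificate error is expected for those.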