Did Not Connect: Security Issue (YouTube!)

Hi, Folks:

I recently started using Pi-hole, and it worked fine for a few weeks. Suddenly, I'm having intermittent problems with Firefox or Microsoft Edge connecting to certain sites, including YouTube.

Typical error message:

Did Not Connect: Potential Security Issue

Firefox detected a potential security threat and did not continue to www.youtube.com because this website requires a secure connection.

What can you do about it?

www.youtube.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

OR with Edge:

Your connection isn't private

Attackers might be trying to steal your information from youtu.be (for example, passwords, messages, or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID

The problem is resolved by bypassing Pi-hole as the DNS lookup, but I don't see how a DNS lookup could lead to such an error.

How can I debug this?

Firefox report for failed certificate: What has Cisco to do with YouTube?

Certificate
Subject Name
Country US
State/Province California
Locality San Francisco
Organization OpenDNS, Inc.
Common Name www.youtube.com
Issuer Name
Organization Cisco
Common Name Cisco Umbrella Secondary SubCA sea-SG
Validity
Not Before Tue, 11 May 2021 11:58:06 GMT
Not After Sun, 16 May 2021 11:58:06 GMT
Subject Alt Names
DNS Name www.youtube.com
Public Key Info
Algorithm RSA
Key Size 2048
Exponent 65537
Modulus BD:C7:34:77:DE:22:4B:0E:B3:CF:DB:A3:2F:B5:41:CC:BD:00:66:F7:A2:77:03:CA…
Miscellaneous
Serial Number 60:9D:14:A6
Signature Algorithm SHA-256 with RSA Encryption
Version 3
Fingerprints
SHA-256 36:1C:C0:F9:AB:2F:6E:58:81:BB:9B:AD:10:A4:B9:67:E3:37:9C:C7:4E:D0:41:AD…
SHA-1 FD:97:F6:0E:F3:5B:60:01:61:50:68:BA:04:79:DC:99:67:2F:75:2F

This is not a Pi-hole issue.

That message indicates a problem with the certificate.
When that is shown, your browser client has long finished resolving the domain.

My guess would be that you've configured OpenDNS as one of Pi-hole's upstreams, and that OpenDNS is configured to block YouTube, hence the certificate authority mismatch, and thus the error.

Thanks very much, but Pi-hole is used as downloaded, and I have not configured it to use OpenDNS. How could I remove such a configuration?

This is being used with a (also new) Starlink router and dish, which is not user-configurable.

Please upload a debug log and post just the token that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Your browser's error log clearly shows OpenDNS to be involved.

Pi-hole's installation doesn't invent DNS servers; it actively prompts for your choice of DNS servers.

If you didn't pick OpenDNS, your router may use it.

Some routers redirect DNS requests to a DNS server of their choice.

I did some exploring and you are correct. OpenDNS was configured. I must have chosen that option during installation, and then forgotten that step. Odd that the issue became apparent only yesterday, and/or is intermittent.

After changing the server to Cloudflare, the problem went away.

Thanks all!
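
The check the replies above walk through, as an added example that is not part of the original thread or Pi-hole's own code: it reads the configured upstreams and the certificate's subject/issuer, then separates "Pi-hole itself forwards to OpenDNS" from "something outside Pi-hole redirects DNS". Assumptions: the Pi-hole v5 `setupVars.conf` layout (`PIHOLE_DNS_n=` keys), a constructed sample config, the publicly documented OpenDNS and Cloudflare resolver addresses, and hypothetical function names.

```shell
#!/bin/sh
# Constructed sample in the Pi-hole v5 setupVars.conf format (assumed layout).
SAMPLE_SETUPVARS='PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=208.67.222.222
PIHOLE_DNS_2=208.67.220.220
DNSSEC=false'

# Subject and issuer taken from the Firefox report in the thread, laid out the
# way `openssl x509 -noout -subject -issuer` prints them (layout constructed).
SAMPLE_CERT='subject=C = US, ST = California, L = San Francisco, O = "OpenDNS, Inc.", CN = www.youtube.com
issuer=O = Cisco, CN = Cisco Umbrella Secondary SubCA sea-SG'

# Print "ip operator" for every PIHOLE_DNS_n entry; a "#port" suffix is dropped.
upstream_operators() {
  printf '%s\n' "$1" | awk -F= '
    /^PIHOLE_DNS_[0-9]+=/ {
      ip = $2; sub(/#.*/, "", ip); op = "other"
      if (ip ~ /^208\.67\.22[02]\./) op = "OpenDNS"
      if (ip == "1.1.1.1" || ip == "1.0.0.1") op = "Cloudflare"
      print ip, op
    }'
}

# Succeeds when the certificate text names the OpenDNS / Cisco Umbrella filter
# instead of the site's real certificate authority.
cert_from_filter() {
  printf '%s\n' "$1" |
    grep -Eq '^issuer=.*Cisco Umbrella|^subject=.*O ?= ?"?OpenDNS'
}

# $1 = setupVars.conf text, $2 = certificate subject/issuer text.
diagnose() {
  if ! cert_from_filter "$2"; then
    echo "certificate-not-from-filter"
  elif upstream_operators "$1" | grep -q ' OpenDNS$'; then
    echo "pihole-upstream-is-opendns"      # change the upstream in Pi-hole
  else
    echo "dns-redirected-outside-pihole"   # look at the router instead
  fi
}

diagnose "$SAMPLE_SETUPVARS" "$SAMPLE_CERT"
```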
