The latest articles on Forem by Fajrian (@ajinfajrian). https://forem.com/ajinfajrian https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F885346%2Fce39abdb-adf6-42c0-b9a8-eef8ec9a5de3.png https://forem.com/ajinfajrian en Fajrian Thu, 22 May 2025 20:22:26 +0000 https://forem.com/ajinfajrian/error-mikrotik-dns-over-https-after-upgrading-to-719-4nal https://forem.com/ajinfajrian/error-mikrotik-dns-over-https-after-upgrading-to-719-4nal <p>Hey fellow network admins! 👋</p> <p>So I've got this habit of keeping my MikroTik router updated to the latest firmware version. Usually, it's smooth sailing - upgrade, reboot, everything works perfectly. But recently, I hit a weird snag that had me scratching my head for a while.</p> <h2> The Problem Strikes </h2> <p>I just upgraded my MikroTik from version 7.18.2 to 7.19, expecting the usual seamless experience. Instead, my users suddenly couldn't browse the internet. Not exactly what you want to hear on a Monday morning! 😅</p> <p>Time to fire up WinBox and see what's going on.</p> <h2> The Hunt Begins </h2> <p>After connecting to my router, I started digging through the logs and found this lovely error message repeating over and over:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fszni95q8klwzsbhmh9gt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fszni95q8klwzsbhmh9gt.png" alt="Mikrotik Log" width="771" height="985"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>DoH server connection error: SSL: ssl: no trusted CA certificate found <span class="o">(</span>6<span class="o">)</span> </code></pre> </div> <p>Well, that's not good. DNS over HTTPS was basically throwing a tantrum about SSL certificates.</p> <p>To make things even more interesting, when I tried to ping from the MikroTik terminal, I got this confusing output:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F38e1mhfelc0g6c70qygd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F38e1mhfelc0g6c70qygd.png" alt="Ping error" width="569" height="77"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ping youtube.com invalid value <span class="k">for </span>argument address: invalid value of mac-address, mac address required invalid value <span class="k">for </span>argument ipv6-address </code></pre> </div> <p>Yeah, that's definitely not normal ping behavior.</p> <h2> Quick Fixes (That I Didn't Want to Use) </h2> <p>I found two quick workarounds:</p> <ol> <li> <strong>Switch to local DNS</strong>: Disabled DoH and used my ISP's DNS servers</li> <li> <strong>Disable certificate verification</strong>: Turn off DoH certificate verification</li> </ol> <p>Both worked perfectly - no more errors, internet browsing was back to normal. But here's the thing: I wasn't comfortable with either solution. Using ISP DNS feels like giving up privacy, and disabling certificate verification? That's just asking for security troubles down the road.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F078rx6z0dtw2aonmeof0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F078rx6z0dtw2aonmeof0.png" alt="Disable doh verify" width="692" height="384"></a></p> <h2> The Real Solution: Certificate Management </h2> <p>My gut told me this was a certificate issue (thanks to that "no trusted CA certificate found" message). So I decided to tackle the root cause.</p> <h3> First Attempt: Import Standard Root CAs </h3> <p>I tried importing the standard certificate bundle from curl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/tool fetch <span class="nv">url</span><span class="o">=</span>https://curl.se/ca/cacert.pem /certificate import file-name<span class="o">=</span>cacert.pem </code></pre> </div> <p>Nope. Still getting the same SSL errors. Time for a more drastic approach.</p> <h3> Nuclear Option: Fresh Start with Google's Root CAs </h3> <p>⚠️ <strong>Warning</strong>: This next command will delete ALL certificates on your MikroTik. Make sure you know what you're doing!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/certificate remove <span class="o">[</span>find] </code></pre> </div> <p>Yep, I nuked all the certificates. Sometimes you just need a clean slate.</p> <p>Then I imported Google's root certificate bundle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/tool fetch <span class="nv">url</span><span class="o">=</span><span class="s2">"https://pki.goog/roots.pem"</span> dst-path<span class="o">=</span><span class="s2">"roots-goog.pem"</span> /certificate import file-name<span class="o">=</span><span class="s2">"roots-goog.pem"</span> </code></pre> </div> <p>And just like that... 🎉 <strong>IT WORKED!</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqib14kpjvd1lq91tlvtw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqib14kpjvd1lq91tlvtw.png" alt="Everything is work normally" width="800" height="457"></a></p> <p>Ping was back to normal, DoH was functioning properly, and my users could browse the internet again without any SSL certificate errors.</p> <h2> What Actually Happened? </h2> <p>Looking back, it seems like the upgrade to RouterOS 7.19 either corrupted or invalidated the existing certificate store. The built-in certificates that were working fine in 7.18.2 somehow became problematic in the new version.</p> <p>By clearing out the old certificates and importing fresh root CAs from Google, I essentially gave the router a clean, trusted certificate foundation to work with.</p> <h2> Key Takeaways </h2> <ol> <li> <strong>Certificate issues can be sneaky</strong> - They might not show up immediately after an upgrade</li> <li> <strong>Don't settle for insecure workarounds</strong> - Taking the time to fix the root cause is worth it</li> <li> <strong>Sometimes a nuclear approach is the fastest solution</strong> - Starting fresh with certificates can save hours of troubleshooting</li> <li> <strong>Keep backups</strong> - Always export your working certificate store before major upgrades (lesson learned!)</li> </ol> <h2> Pro Tips for Next Time </h2> <ul> <li>Export your certificate store before upgrading: <code>/certificate export-certificate</code> </li> <li>Test DoH functionality immediately after firmware upgrades</li> <li>Keep a trusted root CA bundle handy for situations like this</li> <li>Document your certificate sources for easier troubleshooting</li> </ul> <p>Have you run into similar certificate issues with MikroTik upgrades? Drop a comment below - I'd love to hear about your experiences and solutions!</p> mikrotik networking dns troubleshooting