Jump to content

Cisco Umbrella Secondary SubCA fra-AG is unsecure SSL Cert

Recommended Posts

Hi, Why All certs from Cisco Umbrella Secondary SubCA fra-AG are unsecure and during browsing websites I had prompt about unsecure cert SSL?
In My Network I using OpenDNS DNS. 


Link to post
Share on other sites

Appears there is an issue with the certificate that OpenDNS is using.

Post a screen shot of the Eset alert with the certificate data shown. My guess is the certificate expired.

Edited by itman
Link to post
Share on other sites
4 hours ago, itman said:

My guess is the certificate expired




ESET Internet Security Lastest Stable (11.154.0)
Adguard For Windows 6.3.1276.3827
Chrome Stable
OpenDNS IPv4 DNS used in Network.
Windows 10 Pro 1803 (17134.137)

Some blocked by Adguard domains signed by opendns cert (valid) are blocked by ESET.
This issue happened only with OpenDNS provider. Should I feedback to Cisco with it?



Edited by FadeMind
Link to post
Share on other sites

I see a number of issues here.

First, Adguard has a SSL protocol scanning feature. Next, it appears OpenDNS is performing like activities in that it is intercepting HTTPS web traffic with Its corresponding root CA certificate. Finally, there is Eset that has SSL protocol scanning enabled by default.

Below is an actual screen shot of the correct, non-intercepted, SSL certificate chain path for counter.hitslink.com per Quals SSL Server test web site:


Given the use of both OpenDNS and Adguard to perform HTTPS network traffic interception, I really can't see how Eset's SSL protocol scanning would function properly. If both use of OpenDNS and Adguard SSL protocol scanning is required, I would disable Eset's SSL protocol scanning.

Edited by itman
Link to post
Share on other sites

I did some research on this since I am sure this issue will arise again in regards to OpenDNS. Per a post I found on reddit.com:


Hey guys, OpenDNS doesn't "scan" HTTPS. The cert is just so that your browser will trust their self-signed cert for that domain that is being intercepted by their block page.

What is happening is the Cisco Umbra cert. OpenDNS is using is a self-signed root CA cert.. Eset's SSL protocol scanning detects use activity of the cert. as man-in-the-middle activity and blocks it.

Did you install the Cisco Umbra root CA cert. as described in this link? https://support.opendns.com/hc/en-us/articles/227987007


Link to post
Share on other sites

Hi, thanks you guys for great feedback. 
I installed cert for Cisco Umbrella CA, restart chrome and seems works fine. No more these warning from ESET. 



Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...