download.mozilla.org not secure
Second post trying to figure out what is going on.
I'm getting the notification that I need to update Firefox, so I click the "download" button which takes me to "https://www.mozilla.org/en-US/firefox/new/?reason=manual-update", I select the "Download Firefox" button and after a few seconds I get a "Secure Connection Failed" message.
Usually I can just open Chrome and download the Firefox installer but today I'm getting an error stating that "download.mozilla.org" is using certificates from a different website.
Is the download site busted, or is this just a me issue?
All comments (13)
I can't reproduce this issue. Certificate for that website is OK.
See also https://www.sslshopper.com/ssl-checker.html#hostname=download.mozilla.org
Posted by TyDraniu (edited)
I have seen another thread on this a while ago, and it may have been due to the OP using a proxy or VPN.
I'm not using a VPN or proxy.
I have DNS over HTTPS disabled, and my router has port 853 (DNS over TLS) blocked to prevent devices from circumventing my Pi-hole + Unbound setup. However, this hasn't affected me when going to any other site (that isn't on the blocklist).
So if someone can confirm that download.mozilla.org requires DNS over TLS, then that would be the problem.
Posted by Dan C (edited)
Of course it doesn't need it. But blindly enabling HTTPS for your Pi-hole Web Interface via Let's Encrypt or a Self-Signed certificate causes issues such as:
- Browsing slowdowns on any site visited, as blocked content needed to time out (or load infinitely)
- Web Browser errors, such as mismatched certificates
- Operating system popups on macOS/iOS devices on every site containing blocked content
TyDraniu said
Of course it doesn't need it. But blindly enabling HTTPS for your Pi-hole Web Interface via Let's Encrypt or a Self-Signed certificate causes issues such as:
- Browsing slowdowns on any site visited, as blocked content needed to time out (or load infinitely)
- Web Browser errors, such as mismatched certificates
- Operating system popups on macOS/iOS devices on every site containing blocked content
You'll have to explain how having a registered domain, and hosting SWAG causes mismatched certificates due to DNS lookups.
As I tell people, I'm not a dev or programmer, I just use stuff I find on GitHub. As far as I'm aware DNS lookups and certificates don't cross paths, maybe DNSSEC does but I honestly don't know. But again, I'm not using a VPN or a proxy; Pi-hole is just handing out DNS information that it gets from Unbound, which it gets from authoritative sources. Years ago I got tired of telling my web browser that the services I host on my network are not malicious, so I learned how to use SWAG/Let's Encrypt for my locally hosted sites. If that interferes with the broader internet in any way, this is the first I'm hearing of it.
Back to the problem I posted about, this certificate pinning issue only affects my two Windows machines. My daily driver running Ubuntu LTS is able to update every time without issues.
I don't use this device, I've just googled some tutorials that mention it. See https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771
TL;DR: my RPis running Pi-hole do not have the certificate; a different machine does and serves the Pi-hole web interfaces.
That's for if you're using Let's Encrypt to create a cert specifically for Pi-hole. I am running the linuxserver.io SWAG Docker container that creates a wildcard certificate for my domain. It's been a minute so I forget the exact setup, but certbot is creating a certificate for my domain, then SWAG has the Pi-hole interface as a sub-domain. Both RPis running Pi-hole are separate physical machines from the hardware running SWAG, and only the machine running SWAG/nginx has the certificate.
As an add, this only seems to affect Firefox updates or downloads. I can download Windows updates, NVIDIA updates, or any other file/download/executable without issue. The problem only occurs when it comes to Firefox updates or downloads, and even then other browsers don't have this issue. I have verified that Chrome, Edge, and Safari do not have this problem. Ubuntu snaps, Debian packages, iOS apps, and even the Microsoft Windows Store app do not have this problem. It only occurs when I'm using the x64 Windows 11 executable to update the Firefox program or download the installer.
And I've recreated the issue on 2 different Windows machines, verified the Ubuntu versions on 2 different machines, and have verified that I can access the download from 2 different Apple devices.
Posted by Dan C (edited)
Hi kryptonitecb3, thanks for your very thorough investigation. I'm not a certificate expert but I have a feeling you're running into a fake/spoofed certificate from Mozilla. I'm not sure if it's using MITM techniques to stop you from reaching the real Mozilla certificates. Or if even somehow Mozilla's certificate was compromised.
I reached out to a Mozilla certificate expert who hopefully can shed more light on what's going on here.
This finding from your other post troubles me the most: And now when I try to use Google to download the installer in order to bypass the issue I get a warning stating that: "download.mozilla.org" is using security keys from "pdf.com.co".
I know Google has surfaced malicious links to Firefox updates in the past. About 10 years ago they were notorious for doing it through their sponsored links/ads, which were paid search result listings appearing above all search results, pointing to Firefox updates & installers not hosted at mozilla.org.
Posted by NoahSUMO (edited)
NoahSUMO said
Hi kryptonitecb3, thanks for your very thorough investigation. I'm not a certificate expert but I have a feeling you're running into a fake/spoofed certificate from Mozilla. I'm not sure if it's using MITM techniques to stop you from reaching the real Mozilla certificates. Or if even somehow Mozilla's certificate was compromised. I reached out to a Mozilla certificate expert who hopefully can shed more light on what's going on here. This finding from your other post troubles me the most: And now when I try to use Google to download the installer in order to bypass the issue I get a warning stating that: "download.mozilla.org" is using security keys from "pdf.com.co". I know Google has surfaced malicious links to Firefox updates in the past. About 10 years ago they were notorious for doing it through their sponsored links/ads, which were paid search result listings appearing above all search results, pointing to Firefox updates & installers not hosted at mozilla.org.
Thank you for reaching out to the cert SME.
As mentioned above, I have Pi-hole and DNS redirection set up, which causes "sponsored" search results to be unreachable. In fact it causes some issues when people connect to my network and try to "google" something. I have to train them to ignore the top results because it'll just give them a blank screen.
This seems like a DNS issue. Do you still see the error if you use e.g. your ISP's DNS? Or Google's or Cloudflare's? Also, it's unclear whether this is happening in just Firefox or in Chrome as well (you have a screenshot showing the error in Chrome).
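The two suggestions above (check whether the certificate really belongs to another name, and check whether a different resolver gives a different answer) can be turned into a small diagnostic. The following is an added example written for this thread; it is not code from Mozilla, Pi-hole or any poster here. The certificate dicts it uses are constructed in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, and their SAN values (including the `pdf.com.co` one modelled on the warning quoted above) are made up for illustration; the function names `name_matches`, `cert_valid_for`, `diagnose` and `probe` are this example's own.

```python
"""Check whether a TLS certificate is valid for a given host name.

A browser message of the form "download.mozilla.org is using security keys
from pdf.com.co" means the certificate presented on that connection lists a
different name in its Subject Alternative Name (SAN) extension. That points
at something on the path between the browser and the server (a wrong DNS
answer, a proxy, a captive portal) rather than at the site's own certificate.
"""
import socket
import ssl
from typing import Optional

# Constructed peer-certificate dicts (same shape as ssl getpeercert() output);
# the DNS names below are made up for this example.
GOOD_CERT = {"subjectAltName": (("DNS", "download.mozilla.org"),)}
WRONG_SITE_CERT = {"subjectAltName": (("DNS", "pdf.com.co"), ("DNS", "*.pdf.com.co"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.org"),)}


def san_dns_names(peercert: dict) -> list:
    """Return the DNS names listed in the certificate's SAN extension."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact name, or a leading '*' standing for one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern.split(".")[1:]
    labels = hostname.split(".")
    # The wildcard covers exactly one leftmost label: *.example.org matches
    # www.example.org but neither example.org nor a.b.example.org.
    return len(labels) == len(suffix) + 1 and labels[1:] == suffix


def cert_valid_for(peercert: dict, hostname: str) -> bool:
    """True if any SAN DNS entry covers the host name the client asked for."""
    return any(name_matches(name, hostname) for name in san_dns_names(peercert))


def diagnose(peercert: dict, hostname: str) -> str:
    """Human-readable verdict in the spirit of the browser's warning."""
    names = san_dns_names(peercert)
    if cert_valid_for(peercert, hostname):
        return f"OK: certificate is valid for {hostname}"
    return (f"MISMATCH: {hostname} is presenting a certificate issued for "
            f"{', '.join(names) or '(no DNS names)'}")


def probe(hostname: str, address: Optional[str] = None,
          port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: connect to `address` (default: what the system resolver
    returns for `hostname`), verify chain and host name the way a browser
    does, and report the outcome.

    To test the "is it my DNS?" theory, look the name up against a second
    resolver (for example `nslookup download.mozilla.org 1.1.1.1`) and pass
    that IP as `address`. If the system-resolver address fails verification
    and the other one passes, the local DNS path is where to look.
    """
    if address is None:
        address = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return {"address": address, "status": "ok",
                        "names": san_dns_names(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # verify_message names the failure, e.g. "Hostname mismatch, ..."
        detail = getattr(exc, "verify_message", None) or str(exc)
        return {"address": address, "status": "verify_failed", "detail": detail}
    except OSError as exc:
        return {"address": address, "status": "connect_failed", "detail": str(exc)}


if __name__ == "__main__":
    # Offline demonstration using the constructed certificates above.
    print(diagnose(GOOD_CERT, "download.mozilla.org"))
    print(diagnose(WRONG_SITE_CERT, "download.mozilla.org"))
    print(diagnose(WILDCARD_CERT, "www.example.org"))
```

Running the script offline prints one OK line and one MISMATCH line naming the made-up `pdf.com.co` names. For the live comparison, call `probe("download.mozilla.org")` once with the default (system resolver) and once with the address obtained from a second resolver; a `verify_failed` result on the first and `ok` on the second is the DNS-path signature the thread is circling around, while `verify_failed` on both points at something between the client and the network (a proxy or interception) rather than at the resolver.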
This only happens when I try to access download.mozilla.org from a windows pc. The Ubuntu version works without issue, and I can access the page from any browser in Ubuntu without problem. Also the snap updates every time without complaints. It's only when I try from my windows PC.
Attached is a screenshot from the Firefox snap on my Ubuntu PC.
And of course when I fired up my windows PC I was able to access the download page without any issues...so problem resolved, I guess?