Bench notes

Short technical field notes on systems weirdness

15 Jan 2026

RouterOS made DNS over HTTPS painful again

This is a field note from debugging RouterOS DoH breakage, written on three hours of sleep and in a bad mood. Mistakes were probably made.

DoH had been working for a long time but suddenly stopped working today. Maybe I had manually set up certs before (I can’t remember), but here’s the general idea of how I fixed it this time.

  1. Enable DNS logging: /system/logging/add topics=dns action=echo (remove that entry when you’re done, e.g. /system/logging/remove [find topics=dns action=echo]).
  2. Flush the cache so you get a fresh lookup (/ip dns cache flush), then :put [:resolve wikipedia.org].
  3. Inspect the error. If it’s something like dns,error DoH server connection error: SSL: ssl: no trusted CA certificate found (6), RouterOS is verifying the DoH server’s certificate (verify-doh-cert=yes under /ip/dns) and has no CA in its store that it trusts for that chain. The fix is to give it the right root, not to switch verification off. Here’s how I fixed it:
  4. Look at the chain the DoH provider (e.g. 1.1.1.1) serves: openssl s_client -showcerts -connect 1.1.1.1:443, or visit it in a browser, click the lock, Connection secure, More information, View certificate, and click the rightmost tab (that’s the root of the chain). Servers normally send the leaf and the intermediates but not the root itself, so with openssl the issuer of the last certificate printed is the name of the root you need.
  5. Find the SHA1 fingerprint of that root certificate; CA repositories list it next to each root, and it’s how you tell roots with near-identical names apart.
  6. Visit the certificate authority’s certificate repository, e.g. https://www.ssl.com/repository/
  7. Ctrl-F for that SHA1 fingerprint and download the PEM. Check the downloaded file’s SHA1 fingerprint against the one you searched for before importing it: this is the step that stops you from trusting the wrong root.
  8. sftp the PEM over to your RouterOS device (the ssh service has to be enabled under /ip/service).
  9. /certificate/import file-name=(tab-complete the file here) passphrase="" (the empty passphrase skips the interactive prompt).
  10. Flush the cache and run :put [:resolve wikipedia.org] again; the DoH error line should be gone from the log.
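
The workstation side of steps 4 to 9 as a script. This is an added example, not the post’s own tooling: it pulls the chain the DoH host serves, prints the issuer and SHA1 fingerprint of the last certificate (the one that names the root to go and find), and refuses to sftp a downloaded root to the router unless its fingerprint matches the one copied from the CA repository. The DoH host (1.1.1.1), the router address (admin@192.168.88.1), the file names and the constructed three-block SAMPLE_CHAIN are assumptions; openssl, ssh and sftp on the workstation and an enabled ssh service on the router are assumed too.

```shell
#!/bin/sh
# Added example (not from the post): workstation helper for fetching a DoH
# server's chain and verifying a root PEM before importing it on RouterOS.
# DOH_HOST and ROUTER are assumed values; override them in the environment.
DOH_HOST="${DOH_HOST:-1.1.1.1}"
ROUTER="${ROUTER:-admin@192.168.88.1}"

# Constructed sample (not real certificates): three PEM-shaped blocks so the
# splitting helpers can be exercised offline.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CCCC
-----END CERTIFICATE-----'

# Only the PEM blocks from the chain the server presents (leaf first).
# stdin is closed so s_client exits right after the handshake.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:443" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Number of PEM certificate blocks on stdin (0 when there are none).
count_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# The Nth PEM block on stdin (1-based); prints nothing if it does not exist.
nth_pem() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }'
}

# The last PEM block on stdin. Servers normally send leaf + intermediates but
# not the root, so this block's issuer names the root you still have to fetch.
last_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; buf = "" }
         inblk { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { inblk = 0 }
         END { printf "%s", buf }'
}

# SHA1 fingerprint of the certificate in a PEM file, colon-separated exactly
# as openssl prints it (CA repositories list the same form).
pem_sha1() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^[^=]*=//'
}

# Issuer DN of the certificate in a PEM file.
pem_issuer() {
    openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//'
}

# Normalise a fingerprint so "ab:cd:ef" and "ABCDEF" compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# Exit status 0 when the two fingerprints denote the same certificate hash.
fp_matches() {
    [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Steps 7-9: refuse to ship a root whose fingerprint differs from the one
# listed in the CA repository; otherwise sftp it over and import it.
upload_root() {
    root_pem="$1"; expected="$2"
    actual="$(pem_sha1 "$root_pem")"
    if ! fp_matches "$actual" "$expected"; then
        echo "refusing to import $root_pem: fingerprint $actual != $expected" >&2
        return 1
    fi
    printf 'put %s\n' "$root_pem" | sftp -b - "$ROUTER" || return 1
    ssh "$ROUTER" "/certificate/import file-name=$(basename "$root_pem") passphrase=\"\""
}

# Usage:  sh doh-root.sh demo                         -> offline run on SAMPLE_CHAIN
#         sh doh-root.sh chain                        -> issuer + SHA1 of last served cert
#         sh doh-root.sh upload root.pem AB:CD:EF:... -> verify, sftp, import
case "${1:-}" in
    demo)
        echo "sample has $(printf '%s\n' "$SAMPLE_CHAIN" | count_pem) block(s); last block:"
        printf '%s\n' "$SAMPLE_CHAIN" | last_pem ;;
    chain)
        fetch_chain "$DOH_HOST" > chain.pem
        echo "server sent $(count_pem < chain.pem) certificate(s)"
        last_pem < chain.pem > last.pem
        echo "last cert issuer: $(pem_issuer last.pem)"
        echo "last cert SHA1:   $(pem_sha1 last.pem)" ;;
    upload)
        upload_root "$2" "$3" ;;
esac
```

Run it with `chain` first, search the CA repository for the issuer it prints, then run `upload` with the fingerprint copied from that repository page; the import is only attempted when the file you downloaded hashes to the same value. The ssh line relies on RouterOS executing a command given on the ssh command line, which it does.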

Sorry it’s kind of painful. I’m pretty mad about spending 45 minutes figuring it out because ENTROPY GOT MY GOAT. (I also thought to upgrade ROS which didn’t change anything, just forced me to read a boatload of RouterOS changelogs first & make proper backups.)

That is all.


Relatedly: ChatGPT guessed that I wanted Let’s Encrypt’s root cert, then DigiCert’s, then I just told it, hey, stop guessing, and figured it out myself. ChatGPT did get me most of the way there; it was just a bit too eager to help. But thanks anyway, cheeky bot.