One.one.one.one fake certificate - EGYPT ISP (WE)

Randomly I get a message from Kaspersky antivirus that it can't trust Cloudflare's one.one.one.one certificate

Subject Name
Common Name: one.one.one

Issuer Name

Country or Region: US

Organization: Google Trust Services
Common Name: WE1

Serial Number: 35 71 DB E5 94 97 16 C3 0E 40 7D 15 FC 99 93 5E

Version 3

but when I run

echo | openssl s_client -showcerts -connect one.one.one.one:853 2>/dev/null | openssl x509 -inform pem -noout -text

I get this result

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:c1:4a:6a:ba:8f:3e:34:35:8f:56:4f:b1:7c:52:20
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
        Validity
            Not Before: Jul 30 00:00:00 2024 GMT
            Not After : Jan 21 23:59:59 2025 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:4c:aa:4c:b2:60:c2:5e:82:3e:63:35:d3:ac:00:
                    4f:70:6d:c7:2b:2f:cd:56:ab:76:6a:ac:04:ed:fd:
                    8d:d7:d3:ff:2e:15:36:c0:7a:9e:7e:cf:29:79:40:
                    85:4c:80:fe:24:36:90:6c:5c:86:95:23:61:5d:28:
                    62:81:60:48:f0
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                74:85:80:C0:66:C7:DF:37:DE:CF:BD:29:37:AA:03:1D:BE:ED:CD:17
            X509v3 Subject Key Identifier: 
                E2:C4:3B:E3:F1:1E:79:67:EE:51:BD:EE:AA:CF:F5:78:14:79:37:A0
            X509v3 Subject Alternative Name: 
                DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.0.0.1, IP Address:1.1.1.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.2
                  CPS: http://www.digicert.com/CPS
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
                Full Name:
                  URI:http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 4E:75:A3:27:5C:9A:10:C3:38:5B:6C:D4:DF:3F:52:EB:
                                1D:F0:E0:8E:1B:8D:69:C0:B1:FA:64:B1:62:9A:39:DF
                    Timestamp : Jul 30 03:07:15.031 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:33:52:00:74:45:79:A9:49:8C:98:0C:D6:
                                17:72:32:42:40:BF:B5:3E:08:AA:2B:0E:6C:AC:36:2D:
                                5A:26:A9:8C:02:20:69:78:13:E3:93:AB:87:54:80:56:
                                7A:30:D4:B5:B6:7D:B2:C6:5B:C6:43:DE:B1:64:87:FE:
                                30:11:FC:23:CF:49
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7D:59:1E:12:E1:78:2A:7B:1C:61:67:7C:5E:FD:F8:D0:
                                87:5C:14:A0:4E:95:9E:B9:03:2F:D9:0E:8C:2E:79:B8
                    Timestamp : Jul 30 03:07:14.965 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:1E:EC:4A:D9:E1:FD:DC:D1:72:68:C5:74:
                                DE:46:FA:DC:EA:D9:AB:D0:B3:C5:B6:15:F5:C9:D2:E6:
                                4C:C4:46:7D:02:20:47:58:3D:DD:EB:67:D6:EA:82:49:
                                98:94:6D:1F:54:3D:40:C9:72:FD:44:86:B2:23:BA:CD:
                                98:7B:2E:4D:7D:A4
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E6:D2:31:63:40:77:8C:C1:10:41:06:D7:71:B9:CE:C1:
                                D2:40:F6:96:84:86:FB:BA:87:32:1D:FD:1E:37:8E:50
                    Timestamp : Jul 30 03:07:14.980 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:8F:15:74:5C:0A:C1:10:E2:80:A2:6F:
                                2C:BA:22:62:3B:98:BE:29:A1:E2:11:D9:57:AB:30:58:
                                15:1D:6C:AF:CF:02:21:00:9D:87:86:4A:3C:59:67:77:
                                F6:23:F6:F8:14:11:1F:B8:8D:F1:4B:93:8A:60:EA:CB:
                                9B:B5:F3:62:AF:74:ED:03
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        38:bc:fb:5c:15:81:13:ac:df:ae:24:88:e5:eb:09:99:5d:e5:
        97:f0:2a:99:d4:7a:39:8d:2b:de:47:24:19:4d:65:6a:69:91:
        f8:31:f1:42:4e:e4:09:fe:8b:6c:ff:83:9c:2d:3c:ed:89:54:
        0c:2e:85:33:0a:84:56:01:cd:d7:7a:f8:54:95:cc:ca:b3:7e:
        38:6b:28:b4:de:3e:06:1f:f1:6b:4a:c7:59:37:c2:50:83:3b:
        0a:9b:7e:5b:26:dd:82:20:79:1b:60:ca:30:99:d1:2f:28:da:
        9c:94:b1:97:ec:ff:07:57:dc:da:23:4f:17:6c:e9:b6:5e:b1:
        c5:1e:36:28:37:83:d7:72:0b:3e:17:e1:24:2a:d6:f3:d1:a6:
        4e:3a:99:13:d9:48:ff:bf:e2:0a:86:5e:04:db:80:d8:bc:42:
        35:46:3e:0d:7f:e4:b5:df:5a:d0:4b:25:f1:92:9a:4a:06:3f:
        b2:a5:75:78:be:98:59:5c:13:26:37:44:cf:a4:4f:7d:c4:f0:
        4e:71:af:72:0c:e0:47:cd:c9:b3:59:b7:68:df:fd:c8:60:0e:
        32:f6:ad:cd:df:86:1a:dc:fb:33:6b:41:7d:78:2d:1d:7b:8f:
        2b:f0:51:a4:b5:9e:56:b3:f6:36:2f:f9:17:d3:e2:24:ea:82:
        18:83:5d:90

Does your question have anything at all to do with the Let's Encrypt certificate authority? Because I can't see the connection.

Have you checked the Kaspersky forum/help channels?

That one is for just the name

And this one is for the name and for the IP

  0f:c1:4a:6a:ba:8f:3e:34:35:8f:56:4f:b1:7c:52:20

Could just depend on how the service is being accessed (e.g., IP only).

[and they are for *.one.one.one, rather than one.one.one.one]

That is NOT a covered name.
Nor does it even resolve in DNS.
Someone must have changed that original text.

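The replies above compare two certificates by serial, issuer and which names they cover, and the name "one.one.one" versus "one.one.one.one" is exactly the kind of detail that decides whether a warning is a real mismatch. The script below is an added example, not code from the thread or from Cloudflare/Kaspersky: using only the Python standard library it parses a PEM certificate far enough to pull out the serial, issuer, subject, SAN names/IPs and SHA-256 fingerprint, and then answers "does this certificate cover this hostname or IP?" including single-label wildcards. The function names (`parse_cert`, `covers`, `build_sample_pem`) are this example's own. Because the example must run offline, the sample certificate is constructed inline: its key and signature are dummies, and only its serial and names are copied from the DigiCert certificate posted above.

```python
import base64, hashlib, ipaddress
OID_NAMES = {'2.5.4.3': 'CN', '2.5.4.6': 'C', '2.5.4.7': 'L', '2.5.4.8': 'ST', '2.5.4.10': 'O'}

def _tlv(data, pos):                                    # one DER TLV -> (tag, value, next position)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], 'big'), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):                                   # TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _oid(b):                                            # DER OID contents -> dotted string
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, val = arcs + [val], 0
    return '.'.join(map(str, arcs))

def _name(value):                                       # X.501 Name -> 'C=US, O=..., CN=...'
    parts = []
    for _, rdn in _children(value):                     # RDN ::= SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{OID_NAMES.get(_oid(oid), _oid(oid))}={val.decode('utf-8', 'replace')}")
    return ', '.join(parts)

def parse_cert(pem):
    """Serial, issuer, subject, SAN names/IPs and SHA-256 fingerprint of a PEM certificate."""
    der = base64.b64decode(''.join(l for l in pem.splitlines() if not l.startswith('-----')))
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional EXPLICIT [0] version
        fields = fields[1:]
    info = {'serial': fields[0][1].hex(), 'issuer': _name(fields[2][1]),
            'subject': _name(fields[4][1]), 'dns_sans': [], 'ip_sans': [],
            'sha256': hashlib.sha256(der).hexdigest()}
    for tag, v in fields:
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            for _, ext in _children(_children(v)[0][1]):
                parts = _children(ext)                  # OID, optional critical BOOLEAN, OCTET STRING
                if _oid(parts[0][1]) == '2.5.29.17':    # subjectAltName
                    for gtag, gval in _children(_children(parts[-1][1])[0][1]):
                        if gtag == 0x82:                # dNSName
                            info['dns_sans'].append(gval.decode('ascii'))
                        elif gtag == 0x87:              # iPAddress: 4 or 16 raw bytes
                            info['ip_sans'].append(str(ipaddress.ip_address(gval)))
    return info

def covers(info, target):
    """True if the SAN list covers target: exact hostname, single-label wildcard, or literal IP."""
    try:
        return str(ipaddress.ip_address(target)) in info['ip_sans']
    except ValueError:
        host = target.lower().rstrip('.')
    for san in (s.lower() for s in info['dns_sans']):
        if san == host or (san.startswith('*.') and host.count('.') == san.count('.')
                           and host.endswith(san[1:])):
            return True
    return False

# Constructed sample input: dummy key and signature; serial and names mirror the DigiCert cert in the thread.
def _enc(tag, payload):                                 # minimal DER TLV encoder
    lb = len(payload).to_bytes(max(1, (len(payload).bit_length() + 7) // 8), 'big')
    return bytes([tag]) + (lb if len(payload) < 0x80 else bytes([0x80 | len(lb)]) + lb) + payload

def _oid_enc(s):                                        # dotted string -> DER OID contents
    arcs = [int(a) for a in s.split('.')]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        groups = [(a >> (7 * i)) & 0x7F for i in range(max(1, (a.bit_length() + 6) // 7))]
        out += [g | 0x80 for g in groups[:0:-1]] + [groups[0]]
    return bytes(out)

def _name_enc(pairs):
    return _enc(0x30, b''.join(_enc(0x31, _enc(0x30, _enc(0x06, _oid_enc(o)) + _enc(0x0C, v.encode()))) for o, v in pairs))

def build_sample_pem():
    sig_alg = _enc(0x30, _enc(0x06, _oid_enc('1.2.840.113549.1.1.11')) + b'\x05\x00')
    issuer = _name_enc([('2.5.4.6', 'US'), ('2.5.4.10', 'DigiCert Inc'),
                        ('2.5.4.3', 'DigiCert Global G2 TLS RSA SHA256 2020 CA1')])
    subject = _name_enc([('2.5.4.6', 'US'), ('2.5.4.10', 'Cloudflare, Inc.'), ('2.5.4.3', 'cloudflare-dns.com')])
    validity = _enc(0x30, _enc(0x17, b'240730000000Z') + _enc(0x17, b'250121235959Z'))
    spki = _enc(0x30, _enc(0x30, _enc(0x06, _oid_enc('1.2.840.10045.2.1'))) + _enc(0x03, b'\x00' * 66))
    sans = b''.join(_enc(0x82, n) for n in (b'cloudflare-dns.com', b'*.cloudflare-dns.com', b'one.one.one.one'))
    sans += _enc(0x87, bytes([1, 0, 0, 1])) + _enc(0x87, bytes([1, 1, 1, 1]))
    exts = _enc(0x30, _enc(0x06, _oid_enc('2.5.29.19')) + _enc(0x01, b'\xff') + _enc(0x04, _enc(0x30, b'')))  # critical basicConstraints
    exts += _enc(0x30, _enc(0x06, _oid_enc('2.5.29.17')) + _enc(0x04, _enc(0x30, sans)))
    tbs = (_enc(0xA0, _enc(0x02, b'\x02')) + _enc(0x02, bytes.fromhex('0fc14a6aba8f3e34358f564fb17c5220'))
           + sig_alg + issuer + validity + subject + spki + _enc(0xA3, _enc(0x30, exts)))
    b64 = base64.b64encode(_enc(0x30, _enc(0x30, tbs) + sig_alg + _enc(0x03, b'\x00' * 33))).decode()
    return '-----BEGIN CERTIFICATE-----\n' + '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64)) + '\n-----END CERTIFICATE-----\n'

if __name__ == '__main__':
    info = parse_cert(build_sample_pem())
    print(info, {t: covers(info, t) for t in ('one.one.one.one', '1.1.1.1', 'one.one.one')})
```

On a live connection, `ssl.get_server_certificate(('1.1.1.1', 853))` from the standard library returns the leaf as PEM without verifying it, which is what you want when inspecting a certificate an antivirus has already refused to trust; feed that string to `parse_cert`. Capture the `sha256` value once directly through the ISP and once over the VPN or via a different resolver: if the fingerprints differ and the directly observed certificate's serial does not turn up in public CT logs (crt.sh), something on the path is substituting certificates; if they match, the difference between the DigiCert and Google Trust Services certificates in this thread is just the server presenting different certificates at different times or for different addresses.
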
Certificate Transparency -> Log entries for this certificate:

2024-09-27  03:40:20 UTC	85421597	Let's Encrypt	https://oak.ct.letsencrypt.org/2025h1

I think it is related and I am trying to understand what is going on.

Is it a fake certificate, and is my ISP trying to do DNS spoofing?

Have you tried changing your DNS provider?

I asked them and they replied that the message will keep showing up if you don't trust it, but they raised the possibility that it might be the ISP trying to do something, and that my country has a problem like this, and asked me whether I trust my ISP or not. I said no.

I always use 1.1.1.1

Perhaps someone is intercepting your DNS requests to 1.1.1.1
Try:
8.8.8.8
9.9.9.9
4.2.2.2

So Let's Encrypt logged it. So what? The cert isn't from Let's Encrypt, as you've shown yourself. I'd be asking Kaspersky about it; they're the ones that flagged it.

Authority Information Access:
    OCSP - URI:http://o.pki.goog/s/we1/NXE
    CA Issuers - URI:http://i.pki.goog/we1.crt

I think the certificate was created by the WE1 authority; what does that mean?

What are you doing [exactly] that triggers this security warning message?

Yes, but I can't upload a screenshot

I'm confused...
Why would you need to connect to https://one.one.one.one ?

These are my DNS settings, and I remember that when I used 8.8.8.8 I was getting a similar message.

I don't think your DNS is using HTTPS.
What site are you trying to reach that Kaspersky prompts you with that warning message?

Have you tried using a VPN?

Randomly, not related to a specific website; when I use a VPN the message never showed up.

Note: OpenVPN is blocked in Egypt and I have to use WireGuard or over ssh tunnel

Seems to me that someone is intercepting your connections.