Unbound DoT with LetsEncrypt certificate

Peter Hessler phessler at theapt.org
Wed Jan 31 17:23:32 UTC 2024


On 2024 Jan 31 (Wed) at 17:14:22 +0000 (+0000), Bruno Blanes via Unbound-users wrote:
:Has anyone been able to use DoT upstream with a LetsEncrypt certificate? I know they don't issue certificates on bare IP addresses and therefore the upstream server may not be able to verify Unbound's signature based only on the domain name.
:
:Do I need a certificate for Unbound's IP address for DoT to work? If so, is there a free CA that emits those?

I am doing DoT with a hostname, but sadly no bare IPs in the
certificate.  I just got a regular certificate using ACME, saved it to a
spot unbound can read and just send a reload when it changes.


RIPE NCC did try to deploy Discovery of Designated Resolvers (RFC9462),
which depends on bare IPs in the cert, at the RIPE 87 meeting in December
2023, but found that LE does not support bare IPs.

For more details:
https://ripe87.ripe.net/archives/video/1267/
Starting at Page 15 of the slides
Starting at 9:00 of the video


-- 
What I've done, of course, is total garbage.
		-- R. Willard, Pure Math 430a
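The three steps in the reply above (get a regular certificate via ACME, put it where unbound can read it, send a reload when it changes) written out as a deploy-hook script. This is an added example, not code from the post or from the Unbound project; the TLS directory, the owner variable and the unbound.conf fragment in the comments are assumptions.

```shell
#!/bin/sh
# Added example: ACME deploy hook that installs a freshly issued chain + key
# where unbound reads them and reloads unbound only if the files changed.
# Assumed unbound.conf (paths are hypothetical):
#   server:
#     interface: 0.0.0.0@853
#     tls-service-pem: "/var/unbound/etc/tls/fullchain.pem"
#     tls-service-key: "/var/unbound/etc/tls/privkey.pem"
#   remote-control:
#     control-enable: yes

UNBOUND_TLS_DIR="${UNBOUND_TLS_DIR:-/var/unbound/etc/tls}"   # assumed location
UNBOUND_RELOAD="${UNBOUND_RELOAD:-unbound-control reload}"
UNBOUND_OWNER="${UNBOUND_OWNER:-}"   # e.g. the unbound user; empty = keep owner

# Atomically replace $dst with $src unless the two are already identical.
# Returns 0 if installed/updated, 3 if already current, 1 on error.
install_if_changed() {
    src="$1"; dst="$2"; mode="$3"
    [ -f "$dst" ] && cmp -s "$src" "$dst" && return 3
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" && chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -n "$UNBOUND_OWNER" ]; then
        chown "$UNBOUND_OWNER" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dst"   # rename, so unbound never sees a half-written key
}

# Install chain (world-readable) and key (owner-only); reload only on change.
# Returns 0 if unbound was reloaded, 3 if nothing changed, 1 on error.
deploy_unbound_tls() {
    changed=0
    rc=0; install_if_changed "$1" "$UNBOUND_TLS_DIR/fullchain.pem" 0644 || rc=$?
    case $rc in 0) changed=1 ;; 3) ;; *) return 1 ;; esac
    rc=0; install_if_changed "$2" "$UNBOUND_TLS_DIR/privkey.pem" 0600 || rc=$?
    case $rc in 0) changed=1 ;; 3) ;; *) return 1 ;; esac
    [ "$changed" -eq 1 ] || return 3
    $UNBOUND_RELOAD
}

# Hook entry point: <fullchain.pem> <privkey.pem>
if [ $# -eq 2 ]; then
    deploy_unbound_tls "$1" "$2"
fi
```

Run it from your ACME client's post-issue hook with the new chain and key paths; an unchanged renewal leaves unbound alone, a changed key triggers exactly one reload.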

