Unbound DoT with LetsEncrypt certificate

Peter Hessler phessler at theapt.org
Wed Jan 31 18:55:04 UTC 2024


I don't use upstream forwarding or anything like that.  I only use DoT
as a server.

But that error suggests that unbound doesn't know how to verify the
certificate given by Google.  1) make sure you are running ntp and have
correct time, and 2) add the cert bundle with 
'tls-cert-bundle: "/etc/ssl/cert.pem"'.  The path is correct for OpenBSD,
if you are using a different OS then adjust to the relevant path.

-peter

On 2024 Jan 31 (Wed) at 17:51:04 +0000 (+0000), Bruno Blanes wrote:
:Thanks for the video link. I am wondering how you managed to get DoT working with a hostname. I get the following error when trying to do DoT upstream:
:notice: ssl handshake failed 8.8.8.8 port 853
:[1706721743] unbound[15556:2] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
:
:> -----Original Message-----
:> From: Peter Hessler <phessler at theapt.org>
:> Sent: Wednesday, January 31, 2024 2:24 PM
:> To: Bruno Blanes <bruno.blanes at outlook.com>
:> Cc: unbound-users at lists.nlnetlabs.nl
:> Subject: Re: Unbound DoT with LetsEncrypt certificate
:> 
:> On 2024 Jan 31 (Wed) at 17:14:22 +0000 (+0000), Bruno Blanes via
:> Unbound-users wrote:
:> :Has anyone been able to use DoT upstream with a LetsEncrypt certificate? I
:> know they don't issue certificates on bare IP addresses and therefore the
:> upstream server may not be able to verify Unbound's signature based only on
:> the domain name.
:> :
:> :Do I need a certificate for Unbound's IP address for DoT to work? If so, is there
:> a free CA that emits those?
:> 
:> I am doing DoT with a hostname, but sadly no bare IPs in the certificate.  I just
:> got a regular certificate using ACME, saved it to a spot unbound can read and
:> just send a reload when it changes.
:> 
:> 
:> RIPE NCC did try to deploy Discovery of Designated Resolvers (RFC9462),
:> which depends on bare IPs in the cert, at the RIPE 87 meeting in December
:> 2023, but found that LE does not support bare IPs.
:> 
:> For more details:
:> https://ripe87.ripe.net/archives/video/1267/
:> Starting at Page 15 of the slides
:> Starting at 9:00 of the video
:> 
:> 
:> --
:> What I've done, of course, is total garbage.
:> 		-- R. Willard, Pure Math 430a

-- 
Leibowitz's Rule:
	When hammering a nail, you will never hit your finger if you
	hold the hammer with both hands.
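Putting both halves of this thread into one unbound.conf fragment: the server side Peter describes (an ACME hostname certificate served on port 853) and the client side Bruno needs (a CA bundle so the upstream certificate can be verified). This is an added example, not configuration from either poster; the certificate file paths and the dns.google authentication name are assumptions.

```conf
# Constructed unbound.conf fragment for illustration; the key/pem paths and
# the "dns.google" authentication name are assumptions, not from the thread.
server:
    interface: 0.0.0.0@53

    # DoT as a *server* (what Peter runs): listen on 853 and present the
    # ACME-issued hostname certificate. The files must be readable by the
    # unbound user, and unbound is reloaded after each renewal.
    interface: 0.0.0.0@853
    tls-service-key: "/etc/unbound/tls/resolver.key"   # assumed path
    tls-service-pem: "/etc/unbound/tls/resolver.pem"   # assumed path

    # DoT as a *client* (Bruno's case): without a CA bundle unbound has no
    # trust anchor for the upstream's chain and logs
    # "ssl handshake failed ... certificate verify failed".
    # This path is OpenBSD's; use your OS's bundle elsewhere.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The name after '#' is matched against the upstream certificate, which
    # is why a hostname-only certificate still works for a bare-IP upstream.
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

`unbound-checkconf` validates the fragment before a reload, and a verify failure that persists with the bundle in place usually points at the clock, as the ntp advice above says.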

