Hey,
Could you try that again? I removed the OCSP must-staple flag from the certificate.
-Michael
On 10 Dec 2018, at 14:37, ummeegge ummeegge@ipfire.org wrote:
Great that you looked over it. I have tested it again and the kdig report differs; it now looks like this:
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
;; DEBUG:      SHA-256 PIN: ZayzRhKLRWLL7v9QC0uEJEMomE572oNUuF4ocAxDQ7E=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; WARNING: failed to query server 81.3.27.54@853(TCP)
Exit status: 0
Maybe this is helpful for you.
Best,
Erik
Am Montag, den 10.12.2018, 13:26 +0000 schrieb Michael Tremer:
Hey,
Thanks for reporting.
On 10 Dec 2018, at 12:32, ummeegge ummeegge@ipfire.org wrote:
A question, what happens with DoT on Lightningwirelabs -->
https://www.lightningwirelabs.com/2018/05/03/dns-over-tls-now-available-on-o...
? I get there an
$ kdig -d @81.3.27.54 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-host="ns1.lightningwirelabs.com" google.com
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; WARNING: can't connect to 81.3.27.54@853(TCP)
;; WARNING: failed to query server 81.3.27.54@853(TCP)
I recently made a change which caused that unbound didn’t listen on the TLS port any more.
I fixed that now.
The correct host name for that server is rec1.dns.lightningwirelabs.com.
-Michael
Best,
Erik
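An added example, not code from this thread or from the Lightning Wire Labs resolver: a POSIX shell check for the condition kdig reported above, i.e. a leaf certificate that carries the RFC 7633 TLS Feature (status_request, "must-staple") extension while the server sends no stapled OCSP response. It assumes the openssl CLI (1.1.1 or later for req -addext); the certificate subject and file names are constructed, and the live check takes the same IP and TLS host name that were used with kdig.

```shell
# Added example (not code from the thread). Needs the openssl CLI,
# 1.1.1 or later for "req -addext"; names below are constructed.
set -e

# Succeeds when the PEM certificate in $1 carries the RFC 7633 TLS Feature
# extension (status_request, "must-staple"). A client that honours it, as kdig
# did above, rejects the handshake unless the server staples an OCSP response.
cert_requires_staple() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Feature'
}

# Live check of a DNS-over-TLS server: is the leaf must-staple, and does the
# server actually send a stapled OCSP response? The two must agree.
check_dot_server() {   # check_dot_server <ip> <servername>
    out=$(printf '' | openssl s_client -connect "$1:853" -servername "$2" -status 2>/dev/null) || return 1
    if printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null | grep -q 'TLS Feature'; then
        echo "leaf certificate requires OCSP stapling"
    else
        echo "leaf certificate has no must-staple flag"
    fi
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "server stapled an OCSP response"
    else
        echo "no stapled OCSP response (a must-staple leaf fails the handshake)"
    fi
}

# Constructed throwaway self-signed certificate so the check runs offline.
make_cert() {   # make_cert <out.pem> [extension, e.g. tlsfeature=status_request]
    key=$(mktemp)
    openssl ecparam -name prime256v1 -genkey -noout -out "$key"
    if [ $# -gt 1 ]; then
        openssl req -new -x509 -key "$key" -subj "/CN=dot.example.test" -days 1 \
            -addext "$2" -out "$1" 2>/dev/null
    else
        openssl req -new -x509 -key "$key" -subj "/CN=dot.example.test" -days 1 \
            -out "$1" 2>/dev/null
    fi
    rm -f "$key"
}
# Offline demonstration on two constructed certificates.
work=$(mktemp -d)
make_cert "$work/must-staple.pem" "tlsfeature=status_request"
make_cert "$work/plain.pem"
for c in "$work/must-staple.pem" "$work/plain.pem"; do
    if cert_requires_staple "$c"; then echo "$c: requires a stapled OCSP response"
    else echo "$c: no must-staple flag"; fi
done
rm -rf "$work"
```

For the resolver in the thread the live check is `check_dot_server 81.3.27.54 rec1.dns.lightningwirelabs.com`; it needs network access and is therefore not run here.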