Unbound DoT with LetsEncrypt certificate
Bruno Blanes
bruno.blanes at outlook.com
Wed Jan 31 17:51:04 UTC 2024
Thanks for the video link. I am wondering how you managed to get DoT working with a hostname. I get the following error when trying to do DoT upstream:
notice: ssl handshake failed 8.8.8.8 port 853
[1706721743] unbound[15556:2] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
> -----Original Message-----
> From: Peter Hessler <phessler at theapt.org>
> Sent: Wednesday, January 31, 2024 2:24 PM
> To: Bruno Blanes <bruno.blanes at outlook.com>
> Cc: unbound-users at lists.nlnetlabs.nl
> Subject: Re: Unbound DoT with LetsEncrypt certificate
>
> On 2024 Jan 31 (Wed) at 17:14:22 +0000 (+0000), Bruno Blanes via
> Unbound-users wrote:
> :Has anyone been able to use DoT upstream with a LetsEncrypt certificate? I
> know they don't issue certificates on bare IP addresses and therefore the
> upstream server may not be able to verify Unbound's signature based only on
> the domain name.
> :
> :Do I need a certificate for Unbound's IP address for DoT to work? If so, is there
> a free CA that emits those?
>
> I am doing DoT with a hostname, but sadly no bare IPs in the certificate. I just
> got a regular certificate using ACME, saved it to a spot unbound can read and
> just send a reload when it changes.
>
>
> RIPE NCC did try to deploy Discovery of Designated Resolvers (RFC9462),
> which depends on bare IPs in the cert, at the RIPE 87 meeting in December
> 2023, but found that LE does not support bare IPs.
>
> For more details:
> https://ripe87.ripe.net/archives/video/1267/
> Starting at Page 15 of the slides
> Starting at 9:00 of the video
>
>
> --
> What I've done, of course, is total garbage.
> -- R. Willard, Pure Math 430a
More information about the Unbound-users
mailing list