TLS Handshake failed (Error in certificate)

I have been using anycast.censurfridns.dk (91.239.100.100) without any issues, and a few weeks ago I started seeing an “Error” when I click “Check DNS”.

All other servers are working fine with DNS over TLS.

I removed the server and added it again, same error.

The only thing that could have changed is something I saw on the operator’s blog on October 4, 2020:

“all the servers got new ECDSA keys and certificates, which will be used for TLS instead of the RSA ones”

What else could I look up for troubleshooting?

Hi,

this issue can be reproduced with the unicast instance of that provider as well:

[root@maverick ~]# kdig @89.233.43.71 +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=unicast.censurfridns.dk -d
;; DEBUG: Querying for owner(.), class(1), type(2), server(89.233.43.71), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=unicast.censurfridns.dk
;; DEBUG:      SHA-256 PIN: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. 
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 89.233.43.71@853(TCP)

Interesting to see, will dig deeper in order to find out what exactly goes wrong here…

EDIT: This looks like the certificate comes with the “OCSP must staple” flag set, but the OCSP information provided is too old - perhaps a broken cron job at the operator’s side?

Thanks, and best regards,
Peter Müller

3 Likes

Thank you, will try to follow up.

Hi,

it looks like this error has been fixed meanwhile by the DoT server operator. :slight_smile:

Thanks, and best regards,
Peter Müller

1 Like

The unicast address works now but the anycast address still shows Error.

1 Like

Same error as before.

kdig @91.239.100.100 +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=anycast.censurfridns.dk -d
;; DEBUG: Querying for owner(.), class(1), type(2), server(91.239.100.100), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=solido.anycast.censurfridns.dk
;; DEBUG:      SHA-256 PIN: x72/vIQoOu7mCuu1cSbeqOZNv9u+mK/2UtKjXDi0hto=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. 
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 91.239.100.100@853(TCP)

1 Like

Yes, it looks like Thomas was able to fix it.

I get green OK :nauseated_face: for both Unicast and Anycast, and no errors.

I thought maybe I had just been too quick with my testing of the anycast option. So I waited until the following day, but on my system it still comes up showing Error against the anycast, while it works fine for the unicast.
I will feed it back to censurfridns, but I have enough other TLS-based options running fine in my list.

1 Like

Hi,

since the anycast instance of this service most possibly redirects you to different systems based on the location your query comes from, it seems like some of those systems still serve outdated OCSP information, while some do not.

The user experience will therefore depend on the user’s location… Did I mention I do not really like anycast? :slight_smile:

Thanks, and best regards,
Peter Müller

1 Like
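The two diagnoses in this thread (a must-staple certificate served with a stale OCSP staple, and an anycast address where only some backend nodes serve stale data) can be checked per node with the script below. It is an added example, not code from the thread or from the censurfridns operator: it wraps the real OpenSSL commands `openssl s_client -status` and `openssl x509 -text`, and the parsing helpers, report class and sample outputs are mine (the sample outputs follow the shape of OpenSSL's text output but contain invented values, so the parser can be exercised offline). It flags a stapled response whose Next Update has passed, which is the staleness behind the "revocation or OCSP data are old" message above, and a missing staple on a certificate that carries the status_request TLS Feature extension.

```python
"""Check a DNS-over-TLS endpoint's OCSP stapling state (added example, not from the thread).

Wraps two OpenSSL commands and parses their text output:
  openssl s_client -connect IP:853 -servername NAME -status  -> stapled OCSP response
  openssl x509 -noout -text                                  -> "TLS Feature: status_request" (must-staple)
Only run_check() talks to the network; everything else runs on constructed sample text.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # OpenSSL prints e.g. "Oct  4 09:00:00 2020 GMT"


def parse_openssl_time(text: str) -> datetime:
    # strptime treats whitespace in the format as "one or more", so "Oct  4" parses too
    return datetime.strptime(text.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)


@dataclass
class StapleReport:
    stapled: bool                # did the server send a status_request response at all?
    cert_status: Optional[str]   # "good" / "revoked" / "unknown"; None when nothing was stapled
    this_update: Optional[datetime]
    next_update: Optional[datetime]
    must_staple: bool            # leaf certificate carries the TLS Feature extension

    def problems(self, now: datetime) -> List[str]:
        """Human-readable findings; an empty list means the staple is acceptable at time `now`."""
        findings = []
        if not self.stapled:
            if self.must_staple:
                findings.append("certificate is must-staple but no OCSP response was stapled")
            return findings
        if self.cert_status != "good":
            findings.append(f"OCSP status is {self.cert_status!r}, not 'good'")
        if self.next_update is not None and self.next_update < now:
            age = now - self.next_update
            findings.append(f"stapled OCSP response expired {age} ago "
                            f"(Next Update {self.next_update:%Y-%m-%d %H:%M} UTC)")
        if self.this_update is not None and self.this_update > now + timedelta(minutes=5):
            findings.append("stapled OCSP response is dated in the future; check clocks")
        return findings


def parse_s_client_status(output: str, must_staple: bool = False) -> StapleReport:
    """Parse the 'OCSP response:' section printed by `openssl s_client -status`."""
    if "OCSP response: no response sent" in output or "OCSP Response Data" not in output:
        return StapleReport(False, None, None, None, must_staple)

    def field(name: str) -> Optional[str]:
        m = re.search(rf"^\s*{name}: (.+?)\s*$", output, re.MULTILINE)
        return m.group(1) if m else None

    this_update, next_update = field("This Update"), field("Next Update")
    return StapleReport(
        stapled=True,
        cert_status=field("Cert Status"),
        this_update=parse_openssl_time(this_update) if this_update else None,
        next_update=parse_openssl_time(next_update) if next_update else None,
        must_staple=must_staple,
    )


def has_must_staple(x509_text: str) -> bool:
    """True if `openssl x509 -text` output shows the TLS Feature (status_request) extension."""
    return re.search(r"TLS Feature:\s*status_request\b", x509_text) is not None


def run_check(ip: str, hostname: str, port: int = 853) -> StapleReport:
    """Query one live endpoint by IP, so each anycast backend can be tested separately."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{ip}:{port}", "-servername", hostname, "-status"],
        input=b"", capture_output=True, timeout=20)
    out = s_client.stdout.decode(errors="replace")
    # s_client also prints the leaf certificate PEM; feed it to x509 for the extension check
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", out, re.S)
    must = False
    if pem:
        x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                              input=pem.group(0).encode(), capture_output=True, timeout=20)
        must = has_must_staple(x509.stdout.decode(errors="replace"))
    return parse_s_client_status(out, must)


# Constructed sample output (OpenSSL's layout, invented values) so the parser runs offline.
SAMPLE_STALE_STAPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Sep 27 09:00:00 2020 GMT
    Cert Status: good
    This Update: Sep 27 09:00:00 2020 GMT
    Next Update: Oct  4 09:00:00 2020 GMT
======================================
"""
SAMPLE_NO_STAPLE = "OCSP response: no response sent\n"
SAMPLE_X509_MUST_STAPLE = """\
        X509v3 extensions:
            TLS Feature: 
                status_request
            X509v3 Subject Alternative Name: 
                DNS:anycast.censurfridns.dk
"""

if __name__ == "__main__":
    now = parse_openssl_time("Oct 10 00:00:00 2020 GMT")  # fixed clock for the offline demo
    must = has_must_staple(SAMPLE_X509_MUST_STAPLE)
    for label, text in (("stale staple", SAMPLE_STALE_STAPLE), ("no staple", SAMPLE_NO_STAPLE)):
        print(label, parse_s_client_status(text, must).problems(now) or "OK")
```

Against a live node, `run_check("91.239.100.100", "anycast.censurfridns.dk")` reports the staple that the node your network is routed to actually sends; because anycast steers each client to a nearby backend, the same call from another network can hit a different machine and return a different result, which is exactly why one user saw the anycast address recover while another kept seeing the error.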