TLS Handshake failed (Error in certificate)

Here are some “kdigs”

kdig @89.233.43.71  +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=unicast.censurfridns.dk -d
;; DEBUG: Querying for owner(.), class(1), type(2), server(89.233.43.71), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=unicast.censurfridns.dk
;; DEBUG:      SHA-256 PIN: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG:      SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 89.233.43.71@853(TCP)

kdig @91.239.100.100 +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=anycast.censurfridns.dk -d
;; DEBUG: Querying for owner(.), class(1), type(2), server(91.239.100.100), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=kracon.anycast.censurfridns.dk
;; DEBUG:      SHA-256 PIN: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG:      SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 91.239.100.100@853(TCP)
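The kdig debug output above is what you end up re-checking by hand whenever a DoT resolver's certificate goes bad and later gets fixed. As an added example (not from the original post, and not part of knot's own tooling), the Python below parses `kdig -d` output into a verdict, extracts the chain subjects and their SHA-256 SPKI pins, and compares the leaf pin against a known value so that a certificate rotation is noticed even when the new chain validates. The failing sample is copied from the post; the successful sample is constructed and hypothetical, since the thread shows no successful run.

```python
"""Parse `kdig -d` TLS debug output into a handshake/trust verdict.

Added example for this thread; not the original poster's code and not knot's
own tooling. Sample inputs are constructed: the failing one is copied from the
thread, the successful one is hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the unicast.censurfridns.dk run from the thread (failure).
SAMPLE_FAILED = """\
;; DEBUG: Querying for owner(.), class(1), type(2), server(89.233.43.71), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=unicast.censurfridns.dk
;; DEBUG:      SHA-256 PIN: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG:      SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 89.233.43.71@853(TCP)
"""

# Constructed, hypothetical sample of a successful run (pin value is a placeholder).
SAMPLE_OK = """\
;; DEBUG: Querying for owner(.), class(1), type(2), server(5.1.66.255), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=anycast01.ffmuc.net
;; DEBUG:      SHA-256 PIN: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
"""


@dataclass
class CertInfo:
    subject: str
    pin: Optional[str] = None  # base64 SHA-256 of the SubjectPublicKeyInfo


@dataclass
class HandshakeReport:
    server: Optional[str] = None
    port: Optional[int] = None
    chain: List[CertInfo] = field(default_factory=list)  # leaf first
    verdict: Optional[str] = None  # text after "The certificate is "
    handshake_ok: bool = True
    errors: List[str] = field(default_factory=list)


_QUERY_RE = re.compile(r"server\(([^)]+)\), port\((\d+)\)")
_CERT_RE = re.compile(r"^;; DEBUG:\s+#(\d+), (.+)$")
_PIN_RE = re.compile(r"^;; DEBUG:\s+SHA-256 PIN: (\S+)$")
_VERDICT_RE = re.compile(r"^;; DEBUG: TLS, The certificate is (.+)$")
_WARN_RE = re.compile(r"^;; WARNING: TLS, handshake failed \((.+)\)$")
_ERR_RE = re.compile(r"^;; ERROR: (.+)$")


def parse_kdig_debug(text: str) -> HandshakeReport:
    """Walk the kdig -d lines once; PIN lines attach to the preceding cert."""
    report = HandshakeReport()
    for line in text.splitlines():
        line = line.rstrip()
        m = _QUERY_RE.search(line)
        if m:
            report.server, report.port = m.group(1), int(m.group(2))
            continue
        m = _CERT_RE.match(line)
        if m:
            report.chain.append(CertInfo(subject=m.group(2)))
            continue
        m = _PIN_RE.match(line)
        if m and report.chain:
            report.chain[-1].pin = m.group(1)
            continue
        m = _VERDICT_RE.match(line)
        if m:
            report.verdict = m.group(1)
            continue
        m = _WARN_RE.match(line) or _ERR_RE.match(line)
        if m:
            report.handshake_ok = False
            report.errors.append(m.group(1))
    return report


def is_trusted(report: HandshakeReport) -> bool:
    """True only when the handshake completed and the chain was accepted."""
    return report.handshake_ok and bool(report.verdict) and report.verdict.startswith("trusted")


def leaf_pin_matches(report: HandshakeReport, expected_pin: str) -> bool:
    """Detect key rotation: compare the leaf SPKI pin to a previously recorded one."""
    return bool(report.chain) and report.chain[0].pin == expected_pin


def summarize(report: HandshakeReport) -> str:
    state = "OK" if is_trusted(report) else "FAIL"
    leaf = report.chain[0].subject if report.chain else "<no chain>"
    detail = report.verdict or "; ".join(report.errors) or "no TLS verdict seen"
    return f"{state} {report.server}:{report.port} leaf={leaf} ({detail})"


if __name__ == "__main__":
    for sample in (SAMPLE_FAILED, SAMPLE_OK):
        print(summarize(parse_kdig_debug(sample)))
```

Feed it the saved output of a cron'd `kdig ... -d 2>&1` run and alert on `FAIL`, or on a leaf pin change, rather than waiting for a resolver's status page to catch up.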

Thank you @bonnietwin for the follow up and for updating the Recommended Public DNS servers.

I was just looking at their own wiki, updated in September 2019, and they have the wrong address:
dot.ffmuc.net - 5.1.66.255

Hi @trish

5.1.66.255 is the correct IP address now; obviously it changed quite some time ago.

The old address from the wiki was 195.30.94.28, and this still worked with no errors until a few days ago. Then I got the certificate expiry error message. Looks like they left the old IP address still operating when they changed it in 2019 or so.

From checking the host info anycast01.ffmuc.net is the actual hostname for 5.1.66.255.
Both dot.ffmuc.net and doh.ffmuc.net are aliases for anycast01.ffmuc.net.

-bash-5.0$ host dot.ffmuc.net
dot.ffmuc.net is an alias for anycast01.ffmuc.net.
anycast01.ffmuc.net has address 5.1.66.255
anycast01.ffmuc.net has IPv6 address 2001:678:e68:f000::

I see that you are currently getting errors on the censurfridns anycast address. It might be good if you let Thomas know about that. My anycast address is still showing OK, but as Peter said that is not surprising for an anycast address, so I only raised the unicast address with Thomas.

1 Like

Never got a reply from Thomas Rasmussen at censurfridns but the unicast dns server now has OK for status again.

Will periodically keep an eye on it to see if it stays like that.

3 Likes

Thank you @bonnietwin for the follow up.
Actually, 5.1.66.255 has been working great even though rDNS reports an error.
Thank you for that

I also never got a reply from Thomas but looks like he did fix the cert issue again for both anycast and unicast.