
Error using DOQ or DTLS as protocol in resolvers: CRYPTO_ERROR 0x12a (local): tls: failed to verify certificate: x509... #327

Closed
Fijxu opened this issue Aug 26, 2023 · 6 comments · Fixed by #329

Comments

@Fijxu

Fijxu commented Aug 26, 2023

For some strange reason, after updating routedns, now I get this error and I can't resolve any domain using DoQ or DTLS:

level=error msg="failed to resolve" addr="127.0.0.1:53" client=127.0.0.1 error="CRYPTO_ERROR 0x12a (local): tls: failed to verify certificate: x509: cannot validate certificate for 37.252.251.157 because it doesn't contain any IP SANs"

(37.252.251.157 is the NextDNS DNS server)

This is my very simple config, it doesn't have anything important on it:

```toml
[bootstrap-resolver]
address = "1.1.1.1:853"
protocol = "dot"

[resolvers.nextdns]
address = "dns.nextdns.io:853"
protocol = "doq"

# This will cache results
[groups.cache]
type = "cache"
resolvers = ["nextdns"]
backend = {type = "memory", size = 1000}
cache-negative-ttl = 300
cache-answer-shuffle = "round-robin"

[listeners.local-udp]
address = "127.0.0.1:53"
protocol = "udp"
resolver = "cache"
```

Before updating (I don't remember the commit) it worked without any problems. I tried https://github.com/AdguardTeam/dnsproxy using a similar config, using dns.nextdns.io:853 as DoQ resolver and it resolves as intended. Any clues? Thanks in advance.

@Fijxu Fijxu changed the title Error using DOQ or DTLS as protocol resolvers: CRYPTO_ERROR 0x12a (local): tls: failed to verify certificate: x509... Error using DOQ or DTLS as protocol in resolvers: CRYPTO_ERROR 0x12a (local): tls: failed to verify certificate: x509... Aug 26, 2023
@cbuijs
Contributor

cbuijs commented Aug 26, 2023

Had this as well and went away after I added server-name to the resolver section. Use the same hostname as in the address.
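Why the workaround matters: the error in the report is plain hostname verification failing. The client dials the resolved IP, and without a server name the TLS stack checks the certificate against "37.252.251.157", which is not in the cert's SANs. The following is an added Go example, not routedns code, that reproduces the check with the standard library using a constructed self-signed certificate for "dns.nextdns.io" (hypothetical, generated in-process) and verifies it once by hostname and once by IP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTestCert builds a constructed self-signed certificate whose only SAN is
// the DNS name host, mimicking a DoQ server certificate issued for a hostname.
func newTestCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // no IPAddresses entry on purpose
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs validates cert against the name the client believes it is talking
// to; this is the name tls.Config.ServerName (routedns server-name) supplies.
func verifyAs(cert *x509.Certificate, serverName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(cert) // trust our own constructed root so only the name check can fail
	_, err := cert.Verify(x509.VerifyOptions{DNSName: serverName, Roots: pool})
	return err
}

func main() {
	cert, _ := newTestCert("dns.nextdns.io")
	fmt.Println("by hostname:", verifyAs(cert, "dns.nextdns.io")) // <nil>
	fmt.Println("by IP:", verifyAs(cert, "37.252.251.157"))       // ... doesn't contain any IP SANs
}
```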

@folbricht
Owner

This does look like a bug, probably happened when the QUIC library was updated in #323

@folbricht
Owner

There was a change in the upstream quic library. I put a fix on the issue-327 branch if you want to try it out.

archlinux-github pushed a commit to archlinux/aur that referenced this issue Aug 26, 2023
@Fijxu
Author

Fijxu commented Aug 26, 2023

> There was a change in the upstream quic library. I put a fix on the issue-327 branch if you want to try it out.

Now it works perfectly without any problems when connecting to a DoQ server. I will not close this issue until this is pushed to the master branch ;)

@charlieporth1
Collaborator

@Fijxu just to confirm that you have tested this branch. If you have, I will add myself to review and review it so it can be merged ASAP.

@Fijxu
Author

Fijxu commented Aug 27, 2023

> @Fijxu just to confirm that you have tested this branch. If you have, I will add myself to review and review it so it can be merged ASAP.

Yes, I tested it and it has been working for hours (because I use routedns as the DNS resolver on my personal laptop).
