Open dmmoulya opened 1 year ago
Well, something is wrong with the certs, but it's hard to say what exactly.
I found nothing useful in https://github.com/lucas-clemente/quic-go that could point to an answer. How exactly do you generate that self-signed cert?
The website suggests using -des3, try not using it.
Something like that:
openssl genrsa -out demo.key 2048
openssl req -new -x509 -key demo.key -out demo.crt -days 3650
I see the same error. My certificate is from LetsEncrypt and it is an EC256 and not an RSA. I do not have a valid RSA cert right now to test with. But could an EC cert be a reason for such an issue?
I can rule out my last comment. I did actually use the wrong certificate compared to the name I accessed. So the error was valid, since it was a name mismatch.
If a self-signed cert is used, all will be good, as long as the client trusts the CA, I guess.
Hello, I'm trying to establish DNS over QUIC.
On my server I'm running BIND, and using BIND as an upstream to the DNS proxy.
./dnsproxy --quic-port=853 --tls-crt=myserver.crt --tls-key=myserver.key -u 127.0.0.1:53 -p 0
I'm running the following on my client machine to talk to dnsproxy on my server using DNS over QUIC.
./dnsproxy -u quic://server_ip:853 -p 53
When I tried retrieving the record from the server on my client, I got the following error at my server-side proxy:
got error when accepting a new QUIC stream: CRYPTO_ERROR (0x12a): tls: bad certificate
I have used a self-generated certificate. How do I solve this error?
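
The two causes raised in the replies above (a name mismatch, and a client that does not trust the issuer) can be reproduced with Go's standard `crypto/x509`, which compares the dialed name against the certificate's subjectAltName entries only and ignores the Common Name. This is an added example, not code from the thread, dnsproxy or quic-go; `clientVerdict`, `dns.example.test` and `192.0.2.10` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// clientVerdict (hypothetical helper) self-signs a cert with one SAN ("" = CN only) and judges it as a client dialing `dialed`.
func clientVerdict(san, dialed string, trusted bool) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "dns.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if ip := net.ParseIP(san); ip != nil {
		tmpl.IPAddresses = []net.IP{ip} // IP SAN, needed when the client dials an IP address
	} else if san != "" {
		tmpl.DNSNames = []string{san}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if err := cert.VerifyHostname(dialed); err != nil {
		return "name mismatch", nil // SANs are compared; the Common Name is not
	}
	pool := x509.NewCertPool() // the client's trust store, empty unless told otherwise
	if trusted {
		pool.AddCert(cert)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return "untrusted issuer", nil
	}
	return "ok", nil
}

func main() {
	fmt.Println(clientVerdict("dns.example.test", "192.0.2.10", true)) // constructed names
}
```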