Closed MeganerdNL closed 6 months ago
Hi!
If the cert in the stamp is found, no matter at which position, validation will pass.
You should pick a cert that is not going to change too frequently.
In your case, there are two certs:
If the stamp has the Let's Encrypt hash, the domain needs to be signed by Let's Encrypt.
If the stamp has the ISRG hash, the domain can be signed by Let's Encrypt, or anything ISRG is also signing, that can be completely unrelated to Let's Encrypt.
TLDR: the latter is a superset of the former, so for that special case, using the former, which is the actual CA, is safer.
Aha, thanks for your explanation! So, to be clear, I use 444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce
as hash ideally.
Yes, exactly.
Unrelated: meganerd-ipv6 (dnscrypt) seems to be having a certificate issue right now.
Unrelated: meganerd-ipv6 (dnscrypt) seems to be having a certificate issue right now.
Strange. Indeed. Will make a PR.
I'm a little confused which hash I should use and fill in here. When I do
.\dnscrypt-proxy -show-certs
with the hash-less sdns address as the only server I get 3 and it says here that I should use the last one, but somewhere else that I should use the LE R3 one. This is the output of
.\dnscrypt-proxy -show-certs
[2023-09-23 16:12:44] [NOTICE] Advertised cert: [CN=example.com] [337e3314f612e8e6d8e450383e2c446cd4c9defadef7059f8a1324e6e0c27be2]
[2023-09-23 16:12:44] [NOTICE] Advertised cert: [CN=R3,O=Let's Encrypt,C=US] [444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce]
[2023-09-23 16:12:44] [NOTICE] Advertised cert: [CN=ISRG Root X1,O=Internet Security Research Group,C=US] [11b102e6b1f63e528984d6025f32b138241fc88bbd7519574d70c9832d53e1e8]
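The matching rule explained earlier in the thread (a pinned hash satisfies the stamp if it equals the hash of any certificate in the chain, so a root pin accepts every chain under that root while an intermediate pin accepts only chains that go through that intermediate), together with the three-line -show-certs output above, as an added example in Go. This is not code from this thread or from dnscrypt-proxy. It generates a synthetic root with two intermediates (one standing in for R3, one unrelated) and a leaf under each, runs both leaves through standard X.509 path validation, hashes each certificate's DER TBSCertificate with SHA-256 the way -show-certs does, and checks an intermediate pin and a root pin against both chains. The names (Demo Root, Demo R3, example.com, unrelated.example) and all keys are generated locally for the demonstration and are assumptions, not real Let's Encrypt or ISRG material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tbsHash is what -show-certs prints for each certificate: SHA-256 over the
// DER TBSCertificate, not over the whole certificate (the signature is excluded).
func tbsHash(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawTBSCertificate)
}

// stampMatches applies the rule from the thread: the stamp is satisfied if a
// pinned hash equals the TBS hash of ANY certificate in the chain, at any position.
func stampMatches(chain []*x509.Certificate, pins [][32]byte) bool {
	for _, c := range chain {
		h := tbsHash(c)
		for _, p := range pins {
			if h == p {
				return true
			}
		}
	}
	return false
}

// issue mints a synthetic certificate (assumed names, fresh P-256 keys) for the
// demonstration only. With parent == nil the certificate is self-signed, i.e. a root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // strictly positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildScenario builds one root (playing ISRG Root X1) with two intermediates,
// R3 and an unrelated one, and a leaf under each. Both leaves go through ordinary
// X.509 path validation, which happens before the stamp hash is looked at, and
// the verified chains (leaf, intermediate, root) are returned.
func BuildScenario() (root, r3 *x509.Certificate, chainA, chainB []*x509.Certificate) {
	root, rootKey := issue("Demo Root (stands in for ISRG Root X1)", true, nil, nil)
	r3, r3Key := issue("Demo R3 (stands in for Let's Encrypt R3)", true, root, rootKey)
	other, otherKey := issue("Demo unrelated intermediate under the same root", true, root, rootKey)
	leafA, _ := issue("example.com", false, r3, r3Key)             // chain A goes through R3
	leafB, _ := issue("unrelated.example", false, other, otherKey) // chain B does not
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(r3)
	opts.Intermediates.AddCert(other)
	return root, r3, must(leafA.Verify(opts))[0], must(leafB.Verify(opts))[0]
}

func main() {
	root, r3, chainA, chainB := BuildScenario()
	for _, c := range chainA { // same shape as the -show-certs output in the thread
		h := tbsHash(c)
		fmt.Printf("Advertised cert: [%s] [%s]\n", c.Subject, hex.EncodeToString(h[:]))
	}
	pinR3, pinRoot := [][32]byte{tbsHash(r3)}, [][32]byte{tbsHash(root)}
	fmt.Println("pin R3:   chain A", stampMatches(chainA, pinR3), "chain B", stampMatches(chainB, pinR3))
	fmt.Println("pin root: chain A", stampMatches(chainA, pinRoot), "chain B", stampMatches(chainB, pinRoot))
}
```

Run as-is with `go run`: the R3 pin accepts chain A and rejects chain B, while the root pin accepts both, which is the superset behaviour the thread warns about. Because the pinned value covers the TBSCertificate, it changes whenever the CA reissues that intermediate with a new serial or validity, so a stamp pinned to an intermediate has to be refreshed when the CA rotates it, whereas the leaf hash would change on every renewal and is the worst choice of the three.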