Quad9DNS / dnscrypt-settings

DNSCrypt Information for Quad9
Creative Commons Zero v1.0 Universal

Refresh DoH stamps and minisign key #7

Closed farrokhi closed 3 months ago

farrokhi commented 3 months ago

Quad9 had updated the TLS certificate which is now signed by a new intermediary. Since the fingerprint for the certificate has changed, we need to update the stamps to reflect the change. While at it, we also rotated the minisign key and signed all the files using the new key.

jedisct1 commented 3 months ago

Thank you!

jedisct1 commented 3 months ago

TLS hashes don't seem to be correct.

I think it should be b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f, not 2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a:

[2024-08-07 12:59:39] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-07 12:59:39] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]
[2024-08-07 12:59:39] [CRITICAL] [quad9-doh-ip4-port443-filter-pri] Certificate hash [2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a] not found

jedisct1 commented 3 months ago

Ah, actually the issue seems to be that quad9-resolvers-doh.md was updated, but not quad9-resolvers.md that encompasses both DNSCrypt and DoH.

whyisthisbroken commented 3 months ago

So DoH doesn't work? I've got the same error every time.

[CRITICAL] [quad9-doh-ip6-port5053-filter-alt2] Certificate hash [2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a] not found

farrokhi commented 3 months ago

These commits should have addressed the issue: https://github.com/Quad9DNS/dnscrypt-settings/commit/5da49928f4a734e9d3a259b904e36b5260840c38 and https://github.com/Quad9DNS/dnscrypt-settings/commit/81de2fca0879ceced82f3c8829e47be9eaf6a99e

DoH stamps were using the new certificate hash, but not the DoT stamps.

/cc @jedisct1

jedisct1 commented 3 months ago

Yep, looks good!

Thank you!
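
The check behind the `Certificate hash [...] not found` error in this thread, as an added example (not code from dnscrypt-proxy or from the Quad9 repository): it decodes the hashes pinned in a DoH stamp, following the DNS stamps format, and compares them with the `Advertised cert` hashes in the log. The sample stamps are constructed with the hypothetical helper `build_doh_stamp` and a documentation address; they are not Quad9's published stamps.

```python
import base64
import re

ADVERTISED = re.compile(r"Advertised cert: \[.*?\] \[([0-9a-f]{64})\]")

def _field(buf, pos, in_set=False):
    """Read one length-prefixed field; in a set, the length's high bit means 'more follow'."""
    if pos >= len(buf):
        raise ValueError("truncated stamp")
    more = in_set and bool(buf[pos] & 0x80)
    n = buf[pos] & 0x7F if in_set else buf[pos]
    if pos + 1 + n > len(buf):
        raise ValueError("truncated stamp")
    return buf[pos + 1:pos + 1 + n], pos + 1 + n, more

def doh_stamp_pins(stamp):
    """Return (hostname, set of hex certificate hashes) pinned by a DoH (0x02) stamp."""
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if not stamp.startswith("sdns://") or len(raw) < 10 or raw[0] != 0x02:
        raise ValueError("not a DoH (0x02) DNS stamp")
    _addr, pos, _ = _field(raw, 9)            # skip protocol byte + 8 property bytes
    pins, more = set(), True
    while more:
        h, pos, more = _field(raw, pos, in_set=True)
        if h:                                 # a single empty entry means "no pinning"
            pins.add(h.hex())
    host, pos, _ = _field(raw, pos)
    return host.decode(), pins

def stale_pins(stamp, log_text):
    """Pins that would be reported 'not found': none of them is in the advertised chain."""
    _host, pins = doh_stamp_pins(stamp)
    return set() if not pins or pins & set(ADVERTISED.findall(log_text)) else pins

def build_doh_stamp(addr, pins_hex, host, path):
    """Encoder used only to construct the sample stamps (not Quad9's published ones)."""
    out = bytes([0x02]) + bytes(8) + bytes([len(addr)]) + addr.encode()
    for i, p in enumerate(pins_hex):
        out += bytes([32 | (0x80 if i < len(pins_hex) - 1 else 0)]) + bytes.fromhex(p)
    for s in (host, path):
        out += bytes([len(s)]) + s.encode()
    return "sdns://" + base64.urlsafe_b64encode(out).rstrip(b"=").decode()

# The two "Advertised cert" log lines quoted in the thread; the stamps are constructed.
LOG = """[2024-08-07 12:59:39] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-07 12:59:39] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]"""
OLD_STAMP = build_doh_stamp("192.0.2.1", ["2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a"], "dns.quad9.net", "/dns-query")
NEW_STAMP = build_doh_stamp("192.0.2.1", ["b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f"], "dns.quad9.net", "/dns-query")
```

`stale_pins(OLD_STAMP, LOG)` returns the one pin that no advertised certificate matches, while `stale_pins(NEW_STAMP, LOG)` returns an empty set because the pin equals the hash logged for the intermediate certificate.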