raelinasndah / dnscrypt


Unable to retrieve server certificates on dnsCrypt #1

Open raelinasndah opened 8 years ago

raelinasndah commented 8 years ago

I keep getting this error when I run my dnscrypt-proxy.

dnscrypt-proxy -a 127.0.0.1:55 -r 0.0.0.0:5334 --provider-name=2.dnscrypt-cert.nawala.org --provider-key=D421:E4B0:496A:28D7:8DB5:4CF2:18EA:931D:3D78:A5B9:9602:A612:AD2B:95C9:EE6E:6004

[NOTICE] Starting dnscrypt-proxy 1.4.1
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Unable to retrieve server certificates
[INFO] Refetching server certificates

Which certificate should I update?

jedisct1 commented 8 years ago

Nawala doesn't seem to support the dnscrypt protocol any more.

raelinasndah commented 8 years ago

Thanks for your response @jedisct1. I wanna ask a little bit more. I'm running our own DNS server (nawala) that I used in compiling above. Should I update our dnscrypt certificate? I thought it doesn't have an expiry date. If I must, how can I do that?

jedisct1 commented 8 years ago

Hi,

There is a long-term key pair, that never expires (usually stored as public.key and secret.key), which is only used to sign the certificates.

The certificates themselves do have an expiration date.

For forward secrecy (the inability to decrypt previously recorded communications, even if the secret key is known), the protocol specification recommends rotating the certificates every 24 hours. By default, dnscrypt-wrapper makes them valid for a year, though.

If you still have the signing key (secret.key), the public key required to connect to your server doesn't have to change. You just need to issue a new ephemeral key and its certificate signed with the same long-term key:

dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key
dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=1.key --provider-cert-file=1.cert

Then, restart dnscrypt-wrapper with this ephemeral key and cert:

dnscrypt-wrapper ... --crypt-secretkey-file=1.key --provider-cert-file=1.cert

Alternatively, take a look at the DNSCrypt server Docker image, which automatically performs key rotation (every 12 hours).

jedisct1 commented 8 years ago

dnscrypt-proxy (the client) also has an option to alert you if a certificate is going to expire.

Ex:

dnscrypt-proxy --test 60 -R dnscrypt.org-fr

is going to check if the certificate will remain valid for the next 60 minutes, and return an appropriate exit code. You can have a cron job that runs this periodically and sends you an alert if a certificate is about to expire.
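The two procedures from this thread, the dnscrypt-wrapper rotation of the ephemeral key and certificate and the dnscrypt-proxy --test expiry check for a cron job, put into one script. This is an added example, not code from the issue or from the dnscrypt project; it assumes dnscrypt-wrapper and dnscrypt-proxy 1.x on the PATH (overridable through the environment), the long-term public.key/secret.key in the working directory as in the commands above, and "myresolver" is a hypothetical resolver name.

```shell
#!/bin/sh
# Added example (not from the issue or the dnscrypt project).
# Binaries come from the environment so a different build or path can be used.
DNSCRYPT_WRAPPER="${DNSCRYPT_WRAPPER:-dnscrypt-wrapper}"
DNSCRYPT_PROXY="${DNSCRYPT_PROXY:-dnscrypt-proxy}"

# rotate_cert DIR: generate a new ephemeral key pair in DIR and a certificate
# for it signed with the long-term secret.key found there (dnscrypt-wrapper
# reads public.key/secret.key from the working directory, as in the thread).
# Prints "KEYFILE CERTFILE" so the caller can restart dnscrypt-wrapper with them.
rotate_cert() {
  dir=${1:-.}
  stamp=$(date +%Y%m%d%H%M)        # time-stamped names keep old material around
  [ -f "$dir/secret.key" ] || { echo "no long-term secret.key in $dir" >&2; return 1; }
  ( cd "$dir" \
    && "$DNSCRYPT_WRAPPER" --gen-crypt-keypair --crypt-secretkey-file="$stamp.key" \
    && "$DNSCRYPT_WRAPPER" --gen-cert-file --crypt-secretkey-file="$stamp.key" \
         --provider-cert-file="$stamp.cert" ) || return 1
  echo "$dir/$stamp.key $dir/$stamp.cert"
}

# check_cert RESOLVER MINUTES: return 0 when the resolver's certificate stays
# valid for at least MINUTES more minutes, 1 when it is about to expire or
# could not be retrieved (dnscrypt-proxy --test signals both via exit code).
check_cert() {
  resolver=$1; minutes=$2
  if "$DNSCRYPT_PROXY" --test "$minutes" -R "$resolver" >/dev/null 2>&1; then
    echo "ok: $resolver certificate valid for at least $minutes minutes"
  else
    echo "ALERT: $resolver certificate expires within $minutes minutes or was not retrievable (exit $?)" >&2
    return 1
  fi
}

# Cron usage (hourly), e.g.:
#   0 * * * *  /path/to/this.sh check myresolver 60 || mail -s "DNSCrypt cert expiring" ops@example.com
#   0 */12 * * * cd /etc/dnscrypt && /path/to/this.sh rotate .   # then restart dnscrypt-wrapper
case "$1" in
  check)  check_cert "$2" "${3:-60}" ;;
  rotate) rotate_cert "${2:-.}" ;;
esac
```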