zoonderkins / blahdns

A small hobby ad-blocking DNS project with DoH, DoT and DNSCrypt support.
https://blahdns.com
GNU Affero General Public License v3.0

DST Root CA X3 cert expired #220

Closed daemonserj closed 2 years ago

daemonserj commented 2 years ago

dot-ch won't work with Android 10. The DST Root CA X3 certificate expired on 30.09.2021. I've attached all certs from the handshake; if needed, I can provide a full tcpdump.

daemonserj commented 2 years ago

certs.zip

daemonserj commented 2 years ago

It seems it's a Let's Encrypt issue. What can you advise?

LogicaBorealis commented 2 years ago

I can confirm the issue. BlahDNS is broken on Android 11 and 9 as well. I did not take the time for in-depth investigation but it seems consistent with the certificate problem you describe.

daemonserj commented 2 years ago

Let's Encrypt community discussion

zoonderkins commented 2 years ago

@daemonserj @LogicaBorealis

Switched from Let's Encrypt to ZeroSSL. Now everything on the Switzerland server should be okay. I will replace the other servers once I get off work.

kdig example.com +tls +tls-host=dot-ch.blahdns.com +tls-ca -d @dot-ch.blahdns.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(dot-ch.blahdns.com), port(853), protocol(TCP)
;; DEBUG: TLS, imported 129 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=dot-ch.blahdns.com
;; DEBUG:      SHA-256 PIN: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=
;; DEBUG:  #2, C=AT,O=ZeroSSL,CN=ZeroSSL RSA Domain Secure Site CA
;; DEBUG:      SHA-256 PIN: R3hcMOAGw0WFztuG2skTodoHp8IGid3Qg63Cn7YUYoM=
;; DEBUG:  #3, C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority
;; DEBUG:      SHA-256 PIN: x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 37561
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            86333   IN  A   93.184.216.34

;; Received 56 B
;; Time 2021-10-01 02:56:06 EDT
;; From 2a0e:dc0:6:23::2@853(TCP) in 0.1 ms

Tested from a OnePlus 9, also working now.

daemonserj commented 2 years ago

For dot-ch, the problem is fixed. Thanks!

zoonderkins commented 2 years ago

Should be fixed now, please try again 😄

minoplhy commented 2 years ago

Wait, the expired one is DST Root CA X3, not ISRG Root X1.

LogicaBorealis commented 2 years ago

Quickly fixed. Thank you!