stubby: Stubby unable to connect to Cloudflare's 1.1.1.1 (WINDOWS)
Stubby is unable to connect to 1.1.1.1 for DNS-over-TLS because it cannot validate the certificate on Windows 10 Build 16299.
The following configuration should work:

```yaml
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
```
Unfortunately it fails with `Verify failed : Transport=TLS - *Failure* - (20) "unable to get local issuer certificate"`.
This should really be fixed! Why doesn’t Stubby just use the Windows certificate store to validate the TLS certificates? - Even just a cacerts file would do it, so the users can edit it and add the required certificates if they want to set up their own DNS-over-TLS server within Stubby.
This is important!
Also see #46
About this issue
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 54 (14 by maintainers)
Commits related to this issue
- Temporary fix for https://github.com/getdnsapi/stubby/issues/87. Detect and ignore duplicate certs in the root store. — committed to saradickinson/getdns by saradickinson 6 years ago
- Merge pull request #396 from saradickinson/bugfix/windows_certs Temporary fix for https://github.com/getdnsapi/stubby/issues/87. Dete… — committed to getdnsapi/getdns by wtoorop 6 years ago
- Merge pull request #393 from saradickinson/bugfix/windows_certs Temporary fix for https://github.com/getdnsapi/stubby/issues/87. Dete… — committed to getdnsapi/getdns by wtoorop 6 years ago
- Update to version 1.5.0 of getdns. Package changes: * PLIST adjustment; stubby no longer built by default Upstream changes: * 2018-12-21: Version 1.5.0 * RFE getdnsapi/stubby#121 log re-instantia... — committed to NetBSD/pkgsrc-wip by he32 5 years ago
```sh
echo | openssl s_client -connect '1.1.1.1:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

returns

```
yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
```

So this seems to be working for me:
outputs
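The openssl pipeline in the comment above hashes the DER-encoded SubjectPublicKeyInfo (SPKI) of the leaf certificate and base64-encodes the result; that is all an RFC 7469-style `sha256` pin is, and it is independent of the key type (the `openssl pkey -pubin` step handles EC and Ed25519 keys as well as RSA). The block below is an added example, not code from this issue thread or from the Stubby/getdns projects: a standard-library-only Python reader that pulls the SPKI out of a DER certificate and derives the pin value for a `tls_pubkey_pinset` entry, plus a `pin_matches` check. Because it must run offline, it builds a constructed, unsigned certificate shell around a made-up Ed25519 public key; the key bytes, the `CN=example` name and the validity dates are all invented for the example.

```python
import base64
import hashlib

# ---- minimal DER encode/decode ---------------------------------------------

def der_len(n: int) -> bytes:
    """Definite-form DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos]; returns (tag, raw_element, value, next_pos)."""
    start = pos
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509 certificates")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], buf[pos:end], end

def children(body: bytes):
    """Split a constructed element's value into its (tag, raw_element) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, raw, _, pos = read_tlv(body, pos)
        out.append((tag, raw))
    return out

# ---- SPKI extraction and pin derivation (RFC 7469 style) -------------------

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate."""
    tag, _, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, _, tbs_body, _ = read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = children(tbs_body)
    # TBSCertificate: [0] version (absent in v1 certs), serialNumber, signature,
    # issuer, validity, subject, subjectPublicKeyInfo, ...
    idx = 1 if fields and fields[0][0] == 0xA0 else 0
    if len(fields) < idx + 6 or fields[idx + 5][0] != 0x30:
        raise ValueError("malformed tbsCertificate")
    return fields[idx + 5][1]

def pin_of_spki(spki_der: bytes) -> str:
    """base64(SHA-256(DER SPKI)), the same value the openssl pipeline prints."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def spki_pin(cert_der: bytes) -> str:
    """The value for a `digest: "sha256"` tls_pubkey_pinset entry."""
    return pin_of_spki(spki_from_cert(cert_der))

def pin_matches(cert_der: bytes, pinset) -> bool:
    """Does this leaf certificate satisfy any pin in the configured set?"""
    return spki_pin(cert_der) in set(pinset)

# ---- constructed test certificate (unsigned shell, example use only) -------

_OID_ED25519 = tlv(0x06, bytes.fromhex("2b6570"))   # id-Ed25519, 1.3.101.112

def ed25519_spki(pubkey: bytes) -> bytes:
    """SubjectPublicKeyInfo for a raw 32-byte Ed25519 public key."""
    return tlv(0x30, tlv(0x30, _OID_ED25519) + tlv(0x03, b"\x00" + pubkey))

def build_test_cert(spki: bytes, v3: bool = True) -> bytes:
    """Syntactically valid but unsigned certificate wrapping `spki` (constructed data)."""
    sig_alg = tlv(0x30, _OID_ED25519)
    version = tlv(0xA0, tlv(0x02, b"\x02")) if v3 else b""
    serial = tlv(0x02, b"\x01")
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"example"))  # CN=example
    name = tlv(0x30, tlv(0x31, cn))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    tbs = tlv(0x30, version + serial + sig_alg + name + validity + name + spki)
    signature = tlv(0x03, b"\x00" + bytes(64))   # placeholder, not a real signature
    return tlv(0x30, tbs + sig_alg + signature)

if __name__ == "__main__":
    spki = ed25519_spki(bytes(range(32)))          # made-up key bytes
    print("pin:", spki_pin(build_test_cert(spki)))
```

To check a live resolver instead of the constructed certificate, save the leaf certificate that `openssl s_client -connect 1.1.1.1:853 -showcerts` prints, convert it with `ssl.PEM_cert_to_DER_cert` from the standard library, and pass the bytes to `spki_pin`; the result should equal what the pipeline above prints. Note that a matching pin only shows the configured value is right; it does not exercise the CA-chain validation that produces the "(20) unable to get local issuer certificate" failure in this issue.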
So, I guess, it does not work on my end.
Using this works for me:
@rwfeldmann Thanks for the logs. It looks to me that the version of getdns_query.exe you have is the latest and is working just fine, which means that the very latest installer (0.0.4) should also work for you. From the log I believe you still have the 0.0.3 version of Stubby installed - can you re-install the latest version and test Stubby again please?
I’ve created a 0.0.4 installer with a custom fix for this issue - please see if this works. I’ve also opened https://github.com/getdnsapi/getdns/issues/392 to implement a review of this code and a fix for the CA path/file issue for the next release.
Fellows, haste makes waste, stop posting your “it works for me” without carefully reading first. Mr. @jankal stated clearly in the initial post that issue is related to Windows certificates store, which echoes last year still unresolved issue #46. Windows users have different state of certificates store, there are already three non-amateurs here (the author, @george-chakhidze and me), who suffer from this issue not because configuration is wrong, some whitespaces are omitted, or something else, but exactly because Stubby is a fledgling endeavour. And the only valuable feedback would come from Stubby’s maintainers, i.e. a fix.
@jankal This can be another problem, because the relevant part in my config is uncommented.
`tls_authentication: GETDNS_AUTHENTICATION_REQUIRED`. And the log shows as:

```
STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
```

@t5k6 My method is usually right but failed due to the certificate not being an RSA certificate. So I'm wrong with the sha256-pin.
But even when I changed the sha256-pin, the error remains.
Unable to connect to Cloudflare over TLS either. Many other TLS resolvers work fine, Cloudflare’s DoH implementation works fine. So, I guess, there is something wrong with Stubby 0.0.2 for Windows. Please, fix it.