Lower cert renewal to 4 hours #13
The default https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml does:

    cert_refresh_delay = 240

to refresh the cert every 4 hours, but encrypted-dns-server defaults to every 8 hours.

So anyone using the default example-dnscrypt-proxy.toml settings to connect to an encrypted-dns-server instance will start getting those "No useable certificate found" errors after 4 hours.

Probably should lower the refresh here to 4 hours, unless I missed a config directive for encrypted-dns-server that'll do it.

If there's not a config directive, could create one that allows changing DNSCRYPT_CERTS_RENEWAL using the config, and have it default there to 4 hours.
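Added example (not code from this issue, from encrypted-dns-server or from dnscrypt-proxy): the "No useable certificate found" decision comes down to the validity window carried inside each DNSCrypt certificate. The block below parses the fixed fields of a DNSCrypt certificate (cert-magic, es-version, protocol minor version, signature, resolver public key, client magic, serial, ts-start, ts-end, all big-endian as in the DNSCrypt protocol), reports why a certificate is unusable at a given time, picks the usable one with the highest serial, and computes how long a client with a given cert_refresh_delay would sit on a certificate past its ts-end. The sample certificates are constructed in the block with placeholder signatures and keys; Ed25519 signature verification against the provider key, which a real client performs before the window check, is deliberately out of scope here. The function names and the fixed "now" timestamp are this example's own choices.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# DNSCrypt certificate layout (fixed part, big-endian), per the DNSCrypt protocol:
#   cert-magic(4) es-version(2) protocol-minor-version(2) signature(64)
#   resolver-pk(32) client-magic(8) serial(4) ts-start(4) ts-end(4) [extensions...]
CERT_MAGIC = b"DNSC"  # 0x44 0x4e 0x53 0x43
CERT_FIXED_LEN = 124
ES_VERSIONS = {1: "XSalsa20-Poly1305", 2: "XChaCha20-Poly1305"}


@dataclass
class DNSCryptCert:
    es_version: int
    minor_version: int
    signature: bytes      # Ed25519 signature over the fields after it (not verified here)
    resolver_pk: bytes    # short-term resolver public key
    client_magic: bytes
    serial: int
    ts_start: int         # Unix time, inclusive
    ts_end: int           # Unix time, inclusive


def parse_cert(raw: bytes) -> DNSCryptCert:
    """Parse the fixed fields of a DNSCrypt certificate; trailing extensions are ignored."""
    if len(raw) < CERT_FIXED_LEN:
        raise ValueError(f"certificate too short: {len(raw)} bytes")
    if raw[:4] != CERT_MAGIC:
        raise ValueError("bad cert-magic")
    es_version, minor_version = struct.unpack(">HH", raw[4:8])
    serial, ts_start, ts_end = struct.unpack(">III", raw[112:124])
    return DNSCryptCert(es_version, minor_version, raw[8:72], raw[72:104],
                        raw[104:112], serial, ts_start, ts_end)


def cert_problem(cert: DNSCryptCert, now: int) -> Optional[str]:
    """Why the certificate is unusable at time `now`, or None if it is usable.
    A real client verifies the signature with the provider's public key first."""
    if cert.es_version not in ES_VERSIONS:
        return f"unsupported es-version {cert.es_version}"
    if now < cert.ts_start:
        return (f"not valid yet: starts in {cert.ts_start - now}s "
                "(clock skew between client and server?)")
    if now > cert.ts_end:
        return (f"expired {now - cert.ts_end}s ago "
                "(client refreshing too rarely, or server not rotating?)")
    return None


def pick_usable(certs: Iterable[DNSCryptCert], now: int) -> Optional[DNSCryptCert]:
    """Among the usable certificates, keep the one with the highest serial (the usual
    client rule when a resolver advertises several certificates)."""
    usable = [c for c in certs if cert_problem(c, now) is None]
    return max(usable, key=lambda c: c.serial) if usable else None


def stale_window_seconds(cert: DNSCryptCert, fetched_at: int, refresh_delay_min: int) -> int:
    """Seconds the client would keep using this cert after ts-end before its next scheduled
    refresh (0 if the refresh comes first). refresh_delay_min mirrors cert_refresh_delay."""
    next_refresh = fetched_at + refresh_delay_min * 60
    return max(0, next_refresh - cert.ts_end)


def build_sample_cert(serial: int, ts_start: int, ts_end: int, es_version: int = 2) -> bytes:
    """Constructed sample for this demo: placeholder signature and keys, NOT a real signed cert."""
    return (CERT_MAGIC + struct.pack(">HH", es_version, 0)
            + b"\x00" * 64 + b"\x11" * 32 + b"\x22" * 8
            + struct.pack(">III", serial, ts_start, ts_end))


if __name__ == "__main__":
    now = 1_700_000_000  # fixed "current" time so the demo is deterministic
    certs = [parse_cert(build_sample_cert(1, now - 8 * 3600, now - 60)),    # expired
             parse_cert(build_sample_cert(2, now - 3600, now + 7 * 3600)),  # usable
             parse_cert(build_sample_cert(3, now + 600, now + 8 * 3600))]   # not yet valid
    for c in certs:
        print(f"serial {c.serial}: {cert_problem(c, now) or 'usable'}")
    chosen = pick_usable(certs, now)
    print("chosen serial:", chosen.serial if chosen else None)
    print("stale seconds with cert_refresh_delay = 240:", stale_window_seconds(chosen, now, 240))
    print("stale seconds with cert_refresh_delay = 480:", stale_window_seconds(chosen, now, 480))
```

Running it with the constructed certificates prints one line per certificate with the reason it is or is not usable, then the chosen serial, then the stale window for a 240-minute and a 480-minute client refresh: with 7 hours of validity left at fetch time the 240-minute refresh never holds an expired certificate, while the 480-minute refresh would hold one for an hour. The "not valid yet" branch is the case to look at when the client and server clocks disagree, which is why the reason string matters more than the bare "no usable certificate" outcome.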
As long as the server key rotation is less frequent than client refreshes, I'm going to investigate. But lowering the key rotation on the server can only make things worse.
Running the client with: `env DEBUG=1 ./dnscrypt-proxy -loglevel 0` provides a bit more information, including the reason why a certificate wouldn't be usable. Could the clock be off on one of the servers?
Definitely not on the server, all of our servers run
but I tested locally with dnscrypt-proxy and got the same thing, and my clock is accurate. EDIT: EDIT (again):
Also don't use mem::forget() for the updater, because who knows, Rust optimizations may be too aggressive. Maybe Fixes #13
Restarting should not be required any more. I tagged a new version and updated the container. Do you think you could check if that definitely solves the issue you reported?
Looks like