Lower cert renewal to 4 hours

[df-cryptostorm]

The default https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml does:
cert_refresh_delay = 240
to refresh the cert every 4 hours, but encrypted-dns-server defaults to every 8 hours.
So anyone using the default example-dnscrypt-proxy.toml settings to connect to an encrypted-dns-server instance will start getting those "No useable certificate found" errors after 4 hours.
Probably should lower the refresh here to 4 hours, unless I missed a config directive for encrypted-dns-server that'll do it.
If there's not a config directive, could create one that allows changing DNSCRYPT_CERTS_RENEWAL using the config, and have it default there to 4 hours.

[jedisct1]

dnscrypt-proxy can check for a new certificate more frequently, this shouldn't be a problem. If the certificate didn't change, it should keep using the previous one.

As long as the server key rotation is less frequent than client refreshes, No useable certificate found is unexpected. The root cause must be something else. Maybe related to an issue people recently reported with dnscrypt-proxy after version 2.0.28.

I'm going to investigate. But lowering the key rotation on the server can only make things worse.

[jedisct1]

Running the client with:

env DEBUG=1 ./dnscrypt-proxy -loglevel 0`

provides a bit more information, including the reason why a certificate wouldn't be usable. Could the clock be off on one of the servers?

[df-cryptostorm]

Definitely not on the server, all of our servers run ntpdate pool.ntp.org occasionally to ensure the clock is synced up. Client-side clock might have been messed up, not sure since it was a customer of our's. The only information they gave us was:

[...] dnscrypt-proxy[149367]: Source [/var/cache/dnscrypt-proxy/public-resolvers.md] loaded
[...] dnscrypt-proxy[149367]: Firefox workaround initialized
[...] dnscrypt-proxy[149367]: Now listening to 127.0.0.1:53 [UDP]
[...] dnscrypt-proxy[149367]: Now listening to 127.0.0.1:53 [TCP]
[...] dnscrypt-proxy[149367]: No useable certificate found
[...] dnscrypt-proxy[149367]: dnscrypt-proxy is waiting for at least one server to be reachable
[...] dnscrypt-proxy[149367]: [cs-fi] TIMEOUT
[...] dnscrypt-proxy[149367]: [cs-nl2] TIMEOUT
[...] dnscrypt-proxy[149367]: [cs-ca] TIMEOUT

but I tested locally with dnscrypt-proxy and got the same thing, and my clock is accurate.
Checked all the servers and they were running encrypted-dns and all the IPs/ports were reachable.
Restarting encrypted-dns everywhere seemed to fix the issue, so I threw together a cron script that automates that... but I thought that step wasn't needed anymore? With dnscrypt-wrapper it was, but I was under the impression that encrypted-dns handled cert renewal automatically?

EDIT:
I guess one way to test is to disable the cron script, wait 8 hours, then try again and see if the same error occurs.

EDIT (again):
Been a little over 8 hours, I'm not seeing any issues.... shrug

[jedisct1]

Restarting should not be required any more.

I tagged a new version and updated the container. Do you think you could check if that definitely solves the issue you reported?

[jedisct1]

Looks like cs-uk is currently serving a bad signature. Other servers are fine.
Would you mind taking a look?