DNS-Over-TLS certificate problem #122

Closed
rampageX opened this Issue Jan 2, 2019 · 12 comments

rampageX commented Jan 2, 2019

Configuration file section:

    {
      "Name": "DNS-HTTPS-TLS",
      "Address": "1.1.1.1:853",
      "Protocol": "tcp-tls",
      "Socks5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet":{
        "Policy": "disable",
        "ExternalIP": ""
      }
    },

Debug output:

WARN[0043] Dial DNS-over-TLS upstream failed: x509: certificate signed by unknown authority

qyb commented Jan 2, 2019

Address format is "servername:port@serverAddress", try one.one.one.one:853 or one.one.one.one:853@1.1.1.1

shawn1m added a commit that referenced this issue Jan 2, 2019

shawn1m commented Jan 2, 2019

README updated.

@shawn1m shawn1m closed this Jan 2, 2019

rampageX commented Jan 2, 2019

I tried one.one.one.one:853 and one.one.one.one:853@1.1.1.1, same here:

WARN[0033] Dial DNS-over-TLS upstream failed: x509: certificate signed by unknown authority

I found that another DoT client, Stubby, needs a CA file to work, like:

tls_ca_file: "/rom/cacert.pem"

Does overture need something like this?

qyb commented Jan 3, 2019

Could it be that access to 1.1.1.1 from within China is being TCP-hijacked by the ISP? Try dns.rubyfish.cn:853 and see; if I have time today I'll test it again too.

rampageX commented Jan 3, 2019

@qyb It's probably not an ISP problem: my China Mobile fiber at home and my China Telecom fiber at the office behave the same, and Stubby works fine on them. I just tried dns.rubyfish.cn:853 and it still reports the same error.

rampageX commented Jan 3, 2019

@qyb With dns.rubyfish.cn:853, it reports:

WARN[0033] Dial DNS-over-TLS upstream failed: x509: certificate signed by unknown authority

With dns.rubyfish.cn:853@115.159.154.226, it reports:

WARN[0027] Dial DNS-over-TLS upstream failed: x509: cannot validate certificate for 115.159.154.226 because it doesn't contain any IP SANs

rampageX commented Jan 3, 2019

InsecureSkipVerify: false, does it need to be set to true?

InsecureSkipVerify: false,

qyb commented Jan 3, 2019

If it's Debian/Ubuntu, you might need the ca-certificates package? Have you installed the certificates?

qyb commented Jan 3, 2019

https://stackoverflow.com/questions/29286307/x509-certificate-signed-by-unknown-authority-both-with-docker-and-with-github describes the problem fairly clearly. You can use openssl yourself to connect to 1.1.1.1:853, one.one.one.one:853 or dns.rubyfish.cn:853 and see whether it reports a certificate error:

openssl s_client -showcerts -verify 32 -connect 1.1.1.1:853

@shawn1m shawn1m reopened this Jan 3, 2019

@shawn1m shawn1m added the bug label Jan 3, 2019

rampageX commented Jan 3, 2019

@qyb Thanks, the problem is solved! By default x509 only searches the following directories for certificates:

	"/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
	"/system/etc/security/cacerts", // Android
	"/usr/local/share/certs",       // FreeBSD
	"/etc/pki/tls/certs",           // Fedora/RHEL
	"/etc/openssl/certs",           // NetBSD

But I'm running overture on a Tomato-based router, where the certificates installed through Entware live in /opt/ssl/certs by default. After creating a link:

ln -s /opt/ssl/certs /etc/ssl/certs

and starting overture again, it works!

DEBU[0037] Answer from DNS-TLS-rubyfish: gsp64-ssl.ls-apple.com.akadns.net.	108	IN	A	17.142.169.199
DEBU[0037] Answer from DNS-TLS-rubyfish: gsp64-ssl.ls-apple.com.akadns.net.	108	IN	A	17.142.169.200
DEBU[0038] Answer from DNS-TLS-cloudflare: gsp64-ssl.ls-apple.com.akadns.net.	28	IN	A	17.167.194.230
DEBU[0038] Answer from DNS-TLS-cloudflare: gsp64-ssl.ls-apple.com.akadns.net.	28	IN	A	17.167.192.225
DEBU[0038] Answer from DNS-TLS-cloudflare: gsp64-ssl.ls-apple.com.akadns.net.	28	IN	A	17.167.192.231
DEBU[0038] Answer from DNS-TLS-cloudflare: gsp64-ssl.ls-apple.com.akadns.net.	28	IN	A	17.167.194.224

@shawn1m I see from the source that setting the certificate directory is supported:

https://golang.org/src/crypto/x509/root_unix.go

const (
	// certFileEnv is the environment variable which identifies where to locate
	// the SSL certificate file. If set this overrides the system default.
	certFileEnv = "SSL_CERT_FILE"

	// certDirEnv is the environment variable which identifies which directory
	// to check for SSL certificate files. If set this overrides the system default.
	certDirEnv = "SSL_CERT_DIR"
)

Could this setting be added to overture to make things easier in the various router environments?

qyb commented Jan 3, 2019

It already says it's an environment variable... I don't know whether Tomato's shell supports passing an environment variable this way: SSL_CERT_DIR=/opt/ssl/certs yourpath/overture

rampageX commented Jan 3, 2019

@qyb Tested, this works:

export SSL_CERT_DIR=/opt/ssl/certs
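
As an added example, not overture's own code, here is how a Go DNS-over-TLS client can put the points from this thread together: parse the `servername:port@serverAddress` form so the certificate name stays separate from the dialed IP, load roots from an explicit directory such as /opt/ssl/certs instead of relying on Go's fixed search list, and turn the two x509 errors seen above into the fix each one calls for. The type and function names (`Upstream`, `ParseUpstream`, `LoadRoots`, `TLSConfig`, `ExplainVerifyError`) are mine, not overture's; the sample upstream in `main` is the one.one.one.one:853@1.1.1.1 address from qyb's reply.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// Upstream is a DoT server in the thread's "servername:port@serverAddress" form.
type Upstream struct {
	ServerName string // name the certificate must cover
	DialAddr   string // host:port actually connected to
}

// ParseUpstream accepts "host:port" or "host:port@ip". With "@ip" the TCP connection
// goes to the IP while TLS verifies the name, avoiding the "no IP SANs" failure above.
func ParseUpstream(addr string) (Upstream, error) {
	namePart, ipPart, hasAt := strings.Cut(addr, "@")
	host, port, err := net.SplitHostPort(namePart)
	if err != nil {
		return Upstream{}, fmt.Errorf("bad upstream %q: %w", addr, err)
	}
	u := Upstream{ServerName: host, DialAddr: net.JoinHostPort(host, port)}
	if hasAt {
		if net.ParseIP(ipPart) == nil {
			return Upstream{}, fmt.Errorf("bad upstream %q: %q is not an IP", addr, ipPart)
		}
		u.DialAddr = net.JoinHostPort(ipPart, port)
	}
	return u, nil
}

// LoadRoots builds the trust store: Go's system pool when certDir is empty, otherwise
// every PEM file in certDir; an empty or wrong directory is an error, not an empty pool.
func LoadRoots(certDir string) (*x509.CertPool, error) {
	if certDir == "" {
		return x509.SystemCertPool()
	}
	pool := x509.NewCertPool()
	entries, err := os.ReadDir(certDir)
	if err != nil {
		return nil, err
	}
	added := 0
	for _, e := range entries {
		pem, err := os.ReadFile(filepath.Join(certDir, e.Name()))
		if err != nil {
			continue // subdirectories and unreadable entries are skipped
		}
		if pool.AppendCertsFromPEM(pem) {
			added++
		}
	}
	if added == 0 {
		return nil, fmt.Errorf("no PEM certificates found in %s", certDir)
	}
	return pool, nil
}

// TLSConfig sets ServerName explicitly; left empty, crypto/tls verifies the dialed host (the bare IP).
func TLSConfig(u Upstream, roots *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: u.ServerName, RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// ExplainVerifyError maps the two x509 failures from the thread to their fix.
func ExplainVerifyError(err error) string {
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	switch {
	case errors.As(err, &unknown):
		return "no trusted root CA: install ca-certificates or point SSL_CERT_DIR at the bundle"
	case errors.As(err, &hostname):
		return "certificate does not cover " + hostname.Host + ": use servername:port@ip so the name is verified"
	default:
		return err.Error()
	}
}

// main does one verified handshake; SSL_CERT_DIR is read and loaded explicitly.
func main() {
	u, err := ParseUpstream("one.one.one.one:853@1.1.1.1")
	roots, rootErr := LoadRoots(os.Getenv("SSL_CERT_DIR"))
	if err != nil || rootErr != nil {
		fmt.Println("setup failed:", err, rootErr)
		return
	}
	conn, err := tls.Dial("tcp", u.DialAddr, TLSConfig(u, roots))
	if err != nil {
		fmt.Println("dial failed:", ExplainVerifyError(err))
		return
	}
	defer conn.Close()
	fmt.Println("verified", conn.ConnectionState().PeerCertificates[0].Subject)
}
```

Run it as `SSL_CERT_DIR=/opt/ssl/certs ./dot-check` (binary name assumed): `LoadRoots` reports an empty or wrong directory at startup instead of letting it surface later as "certificate signed by unknown authority". Verification stays on throughout; the trust-store fix rampageX landed on is the right answer to that error, whereas `InsecureSkipVerify: true` would silence it by removing the check that tells the real resolver apart from anything else answering on port 853.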

@rampageX rampageX closed this Jan 4, 2019
