Use case: This is a peculiar use case. I want to run DNS-over-TLS servers on
fly.io and let Fly handle TLS termination at the edge while the app handles DNS resolution.
It works on every client except Android when using the private DNS feature.
DNS over TLS on Android breaks with the default trust chain.
DNS over TLS on Android only works with a trust chain that consists
only of valid certificates.
Because the default chain of Fly-issued Let's Encrypt certificates consists of -
End-entity certificate (aka leaf certificate), signed by R3
R3, signed by ISRG Root X1
ISRG Root X1, signed by DST Root CA X3
When you include "ISRG Root X1, signed by DST Root CA X3" in the default chain, DNS over TLS on Android fails to verify it.
You can circumvent this problem by using the alternative chain: pass
--preferred-chain "ISRG Root X1" to certbot or other ACME clients, and the chain issued will be -
End-entity certificate, signed by R3
R3, signed by ISRG Root X1
More on this topic -
Hi there, Your server is correctly serving Let's Encrypt's recommended certificate chain, which looks like this: tirtadns.tirtagt.xyz < R3 < ISRG Root X1 < DST Root CA X3 It's that last certificate (DST Root) that has recently expired,...
Hi. I'm hosting a DoT-Server on ubuntu. Since today, almost 3 Minutes after the X3-expiration Android won't connect to that DoT-Server anymore. This also happens with dot1.applied-privacy.net (a public DoT-Server using LE for the TLS-Cert). This...
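As an added example (not from the original post, and not Fly's or Let's Encrypt's own tooling), the Go program below builds a throwaway PKI shaped like the two chains described above, lints a served chain for the conditions the thread blames (an expired root, a cross-signed copy of a root the client already trusts) and models what --preferred-chain "ISRG Root X1" does to the chain. All keys, certificates, dates and the host name dot.example.net are constructed for the demo; the lint is a heuristic for what a strict validator rejects, not Android's actual code.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainProblems lists what a strict validator holding roots trips over: expired certificates,
// a cross-signed copy of a root it already trusts, and a chain topping out in an expired or unknown root.
func ChainProblems(chain, roots []*x509.Certificate, now time.Time) []string {
	var out []string
	for _, c := range chain {
		if now.After(c.NotAfter) {
			out = append(out, fmt.Sprintf("%q expired on %s", c.Subject.CommonName, c.NotAfter.Format("2006-01-02")))
		}
		for _, r := range roots {
			if bytes.Equal(c.RawSubject, r.RawSubject) && !bytes.Equal(c.RawIssuer, c.RawSubject) {
				out = append(out, fmt.Sprintf("%q is a cross-signed copy of a trusted root, issued by %q",
					c.Subject.CommonName, c.Issuer.CommonName))
			}
		}
	}
	top := chain[len(chain)-1]
	for _, r := range roots {
		if bytes.Equal(top.RawIssuer, r.RawSubject) {
			if now.After(r.NotAfter) {
				out = append(out, fmt.Sprintf("chain tops out in root %q, which expired on %s",
					r.Subject.CommonName, r.NotAfter.Format("2006-01-02")))
			}
			return out
		}
	}
	return append(out, fmt.Sprintf("top issuer %q is not in the trust store", top.Issuer.CommonName))
}

// PreferChain models certbot's --preferred-chain "<root CN>": keep the served chain up to the first
// certificate issued directly by that root, dropping the cross-signed root copy above it.
func PreferChain(chain []*x509.Certificate, rootCN string) (out []*x509.Certificate, ok bool) {
	for i, c := range chain {
		if c.Issuer.CommonName == rootCN {
			return chain[:i+1], true
		}
	}
	return chain, false
}

var serial int64 // demo-only serial numbers

// issue signs tmpl over key's public key with signer; nil key generates one, nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil {
		var err error
		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			panic(err)
		}
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	serial++
	tmpl.SerialNumber, tmpl.BasicConstraintsValid = big.NewInt(serial), true
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER from CreateCertificate always parses
	return c, key
}

func ca(cn string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter}
}

// BuildDemoPKI constructs throwaway certificates in the shape of the thread's two Let's Encrypt
// chains (constructed data, not the real certificates) plus the roots an older client would hold.
func BuildDemoPKI() (defChain, altChain, roots []*x509.Certificate) {
	d := func(y, m, day int) time.Time { return time.Date(y, time.Month(m), day, 0, 0, 0, 0, time.UTC) }
	dst, dstKey := issue(ca("DST Root CA X3", d(2021, 9, 30)), nil, nil, nil)
	isrgSelf, isrgKey := issue(ca("ISRG Root X1", d(2035, 6, 4)), nil, nil, nil)
	isrgCross, _ := issue(ca("ISRG Root X1", d(2024, 9, 30)), dst, isrgKey, dstKey) // same key, DST-signed
	r3, r3Key := issue(ca("R3", d(2025, 9, 15)), isrgSelf, nil, isrgKey)
	leaf, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "dot.example.net"}, // hypothetical host
		DNSNames: []string{"dot.example.net"}, NotBefore: d(2021, 10, 1), NotAfter: d(2021, 12, 30),
	}, r3, nil, r3Key)
	return []*x509.Certificate{leaf, r3, isrgCross}, []*x509.Certificate{leaf, r3}, []*x509.Certificate{isrgSelf, dst}
}

func main() {
	def, alt, roots := BuildDemoPKI()
	now := time.Date(2021, 10, 15, 0, 0, 0, 0, time.UTC) // shortly after DST Root CA X3 expired
	fmt.Println("default chain:", ChainProblems(def, roots, now))
	fmt.Println("alternative chain:", ChainProblems(alt, roots, now))
	trimmed, _ := PreferChain(def, "ISRG Root X1")
	fmt.Println("after --preferred-chain:", len(trimmed), "certificates, top =", trimmed[len(trimmed)-1].Subject.CommonName)
}
```

To lint a real server instead of the constructed chain, dial host:853 with crypto/tls (setting InsecureSkipVerify so the handshake completes even when a strict client would refuse it) and pass ConnectionState().PeerCertificates into ChainProblems together with the roots you expect the client to hold; a client that no longer ships DST Root CA X3 at all gets the "not in the trust store" finding for the default chain rather than the expiry one.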
Oh, cool idea! We’re always interested in hearing more about what people are trying to build on our platform. Do you have this app running on our platform right now?
In any case, thank you for bringing this up, and for taking the time to write up a thorough report of the problem! I'll be sure to surface this to the rest of our team.
I’ll have this running up in couple of hours and ping you here.
@eli, it is up and running now. App name is morning-bird-5848. Easiest way to check is through Do a Query or any other client you prefer.
Neat, thank you for sending that over! I've made sure to share the specifics with the rest of the team as well.
(As an aside: thanks also for the link to the getdns api, which likewise looks super useful)
You might have already seen this, but after digging into this issue a bit, I can see that this fix to Android did get released after all, in version 11. I hope that this is at least slightly better news!
On the topic of additional features for fly certs, there's been some interest from the community in BYO certs that you might find interesting, since being able to import your own certificate might be a tolerable workaround.
@eli, any update on this?
We run DoT on Fly and to make it work with Android 10 and lower, we resort to importing ZeroSSL certs and terminating TLS ourselves.
Yup, for both DoT & DoH I do my own termination with Let's Encrypt certificates.