Use case: This is a peculiar use case. I want to run DNS-over-TLS servers on fly.io and let Fly handle TLS termination at the edge and the app handle DNS resolution.
It works on every client except Android while using the private DNS feature.
DNS over TLS on Android breaks with the default trust chain.
DNS over TLS on Android only works with a trust chain that consists only of valid certificates.
Because the default chain of Fly-issued Let's Encrypt certificates consists of -
End-entity certificate (aka leaf certificate), signed by R3
R3, signed by ISRG Root X1
ISRG Root X1, signed by DST Root CA X3
When you include “ISRG Root X1, signed by DST Root CA X3” in the default chain, DNS over TLS on Android fails to verify it.
You can circumvent this problem by using the alternative chain: pass --preferred-chain "ISRG Root X1" to certbot or other ACME clients, and the chain issued will be like -
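To make the two chain shapes concrete, here is an added Go example (not the poster's or Fly's code) that builds constructed stand-in certificates with the same subject/issuer structure, reports which root a served chain hands off to, and trims it the way --preferred-chain "ISRG Root X1" would. The function names, the constructed CAs and the leaf name dns.example.test are assumptions; the example shows the chain shapes only and does not reproduce Android's verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn holding key; parent == nil makes it self-signed. These are
// constructed stand-in CAs (all marked CA, one-hour validity), not the real Let's Encrypt certificates.
func issue(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, pkey *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	if parent == nil { parent, pkey = t, key } // self-signed root: the template is its own parent
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// DefaultChain mimics the default chain from the post: leaf <- R3 <- ISRG Root X1, where the ISRG Root X1
// sent on the wire is the copy cross-signed by DST Root CA X3 (same key as the self-signed ISRG root).
func DefaultChain() []*x509.Certificate {
	dstKey, isrgKey, r3Key := newKey(), newKey(), newKey()
	dst := issue("DST Root CA X3", dstKey, nil, nil)
	r3 := issue("R3", r3Key, issue("ISRG Root X1", isrgKey, nil, nil), isrgKey)
	leaf := issue("dns.example.test", newKey(), r3, r3Key)
	return []*x509.Certificate{leaf, r3, issue("ISRG Root X1", isrgKey, dst, dstKey)}
}

// TopIssuer is the CA a served chain hands off to: "DST Root CA X3" means the default chain, "ISRG Root X1" the alternative.
func TopIssuer(chain []*x509.Certificate) string { return chain[len(chain)-1].Issuer.CommonName }

// PreferChain models --preferred-chain "ISRG Root X1": keep certificates only up to the first one
// issued directly by rootCN, so the cross-signed ISRG Root X1 is no longer sent.
func PreferChain(chain []*x509.Certificate, rootCN string) []*x509.Certificate {
	for i, c := range chain {
		if c.Issuer.CommonName == rootCN {
			return chain[:i+1]
		}
	}
	return chain
}

func main() {
	def := DefaultChain()
	fmt.Println("default chain hands off to:", TopIssuer(def))
	fmt.Println("alternative chain hands off to:", TopIssuer(PreferChain(def, "ISRG Root X1")))
}
```

The same TopIssuer check can be run against the certificates a real server presents on port 853 to confirm which chain it is actually serving.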
Oh, cool idea! We’re always interested in hearing more about what people are trying to build on our platform. Do you have this app running on our platform right now?
In any case, thank you for bringing this up, and for taking the time to write up a thorough report of the problem! I’ll be sure to surface this to the rest of our team.
On the topic of additional features for fly certs, there’s been some interest from the community in BYO certs that you might find interesting, since being able to import your own certificate might be a tolerable workaround.