Hi
I'm a volunteer for dns.digitale-gesellschaft.ch. Recently our entries were upgraded by c6b488c and the pinning from the intermediate CA was set to the cross-signed X2 root certificate with hash 8c5033973ffe4ff1ef0aa92984fc93281ba7a9278ef8bf641226b898d10d4e74.
It seems that Let's Encrypt decided to randomize the issuing CA and this makes following the guide DNSCrypt/doh-server harder.
We don't really have control over which exact issuer cert gets chosen. We can influence the root cert with the preferred-chain, but there could be different cert hashes in the chain depending on whether cross-signed certificates were used or not. The cross-signed certificates have the same key but a different TBS hash.
Hashing the X1 root certificate that we are currently using (3f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63) doesn't work with dnscrypt-proxy. It only tries to hash non-root certificates (maybe it already trusts the cross-signed X2 cert and doesn't go further up the chain?).
Would it make sense to update our stamps to contain all Let's Encrypt roots (or intermediates)? I can do the PR myself, but I'd like to know how this list deals with this challenge.
Best Regards,
maederm
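Added example (not code from this thread or from dnscrypt-proxy) illustrating the "same key, different TBS hash" point above: two toy roots each issue an intermediate for one and the same key, as a cross-sign does, and the SHA-256 of each tbsCertificate is computed the way a stamp pin is. The pin format and the rule that the self-signed root is skipped are assumptions taken from the observations in this post, not verified against dnscrypt-proxy's source.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PinnableHashes: hex SHA-256 of each non-self-signed cert's DER tbsCertificate, i.e. the stamp pin (assumed format).
func PinnableHashes(chain []*x509.Certificate) (pins []string) {
	for _, c := range chain {
		if c.CheckSignatureFrom(c) != nil { // not a self-signed root, so it gets pinned
			pins = append(pins, fmt.Sprintf("%x", sha256.Sum256(c.RawTBSCertificate)))
		}
	}
	return pins
}

// caCert issues a CA certificate for pub; parent == nil makes it self-signed.
func caCert(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// CrossSignDemo: two toy roots ("X1", "X2") each issue an intermediate for the SAME key; returns each chain's pins.
func CrossSignDemo() (pins [2][]string) {
	intPub, _, _ := ed25519.GenerateKey(rand.Reader) // one intermediate key, two certificates
	for i, name := range []string{"Toy Root X1", "Toy Root X2"} {
		rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
		root := caCert(name, rootPub, nil, rootKey)
		inter := caCert("Toy Intermediate", intPub, root, rootKey)
		pins[i] = PinnableHashes([]*x509.Certificate{inter, root})
	}
	return pins
}
```

The two pin lists differ even though the intermediate's public key is identical, because the issuer name and signature inputs live inside the tbsCertificate; a stamp therefore has to carry the hash of every variant the CA may serve, or pin something higher up that every chain shares.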