RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
> -Original Message-
> From: Petr Špaček
> Sent: Tuesday, March 4, 2025 6:11 PM
> To: Robert Wagner ; Klaus Darilion
> Cc: bind-us...@isc.org
> Subject: Re: XoT Testing: TLS peer certificate verification failed
>
> I think I have solved the mystery: B

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Petr Špaček
I think I have solved the mystery: Bind (or openssl, whoever does the validation) requires a Subject Alternative Name. Regardless of whether you use the hostname or the IP address, it must be in the subject alternative name. When using self-signed certificates, it is probably best to put both in the SAN

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Robert Wagner
e=DNS:xot-test-primary.ops.nic.at,IP:193.46.106.51"

regards
Klaus

From: bind-users On Behalf Of Klaus Darilion via bind-users
Sent: Tuesday, March 4, 2025 11:31 AM
To: Ondřej Surý
Cc: bind-us...@isc.org
Subject: RE: XoT Testing: TLS peer certificate verification failed

In my case it shoul

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
erations nic.at GmbH, Jakob-Haringer-Straße 8/V 5020 Salzburg, Austria

From: Ondřej Surý
Sent: Tuesday, March 4, 2025 10:05 AM
To: Klaus Darilion
Cc: bind-us...@isc.org
Subject: Re: XoT Testing: TLS peer c

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
From: Ondřej Surý
Sent: Tuesday, March 4, 2025 10:05 AM
To: Klaus Darilion
Cc: bind-us...@isc.org
Subject: Re: XoT Testing: TLS peer certificate verification failed

Sounds like this: https://gitlab.isc.org/isc-projects/bind9/-/issues/3896

--
Ondřej Surý — ISC (He/Him)
My working hours and your

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
May it be that the validation is just broken? Even when using dig, and explicitly using the hostname of the Primary (which uses its hostname in its certificate) in @... and tls-hostname, the verification fails due to hostname mismatch: # dig @xot-test-primary.ops.nic.at test.klaus +tls axfr +tl

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Ondřej Surý
Sounds like this: https://gitlab.isc.org/isc-projects/bind9/-/issues/3896

--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

On 4. 3. 2025, at 10:01, Klaus Darilion via bind-users wrote:

Re: XoT Testing: TLS peer certificate verification failed

2025-02-27 Thread Robert Wagner
When validating a certificate, be sure to use the context of the DNS service... So, if your service runs under user BIND, you may need to su to BIND to test. This may help flush out issues where the ca.crt file was set so BIND could not read it. I don't know what happens when you set TLS to str