systemd-resolved fails to validate certificate

systemd 245 (245.4-4ubuntu3.16)

Configuring /etc/systemd/resolved.conf:

[Resolve]
DNS=45.90.28.0#dns1.nextdns.io
DNS=2a07:a8c0::#dns1.nextdns.io
DNS=45.90.30.0#dns2.nextdns.io
DNS=2a07:a8c1::#dns2.nextdns.io
DNSOverTLS=yes

Fails to connect and reports a failed certificate validation.

Other providers work as expected. I dug in and it looks like the SSL/TLS certificate does not contain the IP address that must appear in the subject alternative name.

As the configuration uses an IP address, my guess is that systemd-resolved should match it with the certificate to validate it.

Some testing with other providers:

curl -v -I -X POST https://1.1.1.1 2>&1 | grep subjectAltName
*  subjectAltName: host "1.1.1.1" matched cert's IP address!
curl -v -I -X POST https://9.9.9.9 2>&1 | grep subjectAltName
*  subjectAltName: host "9.9.9.9" matched cert's IP address!
curl -v -I -X POST https://8.8.8.8 2>&1 | grep subjectAltName
*  subjectAltName: host "8.8.8.8" matched cert's IP address!

Now with NextDNS:

curl -v -I -X POST https://45.90.28.0 2>&1 | grep subjectAltName
*  subjectAltName does not match 45.90.28.0
curl -v -I -X POST https://45.90.28.49 2>&1 | grep subjectAltName
*  subjectAltName does not match 45.90.28.49

I do know that these are HTTPS calls, and that DoT uses 853, yet this is to illustrate that other providers that have the IP address in their certificates work correctly and NextDNS doesn't.

It *might* be a bug in systemd-resolved instead, yet to me it looks like NextDNS lacks the IP address in the subject alternative name of the certificates.
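The check the post is describing, as an added example that is not part of the original post and not systemd's or NextDNS's own code: a small Python model of how a TLS client decides whether a certificate's subjectAltName covers a resolved.conf DNS= entry. The matching policy (an IP SAN entry when only an address is configured, a DNS SAN entry against the name after `#`), the RFC 6125-style wildcard rule, and every certificate SAN list below are assumptions constructed for illustration; none of them are the real NextDNS or Cloudflare certificate contents.

```python
"""Model of subjectAltName matching for a resolved.conf DNS= entry.

Added example; the matching policy is an assumption modelled on how TLS
clients such as curl behave, not a transcript of systemd-resolved's code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A SAN entry is (kind, value), with kind "IP" or "DNS", as openssl prints it.
SanList = List[Tuple[str, str]]


@dataclass(frozen=True)
class ResolvedServer:
    address: str                 # the IP literal before '#'
    server_name: Optional[str]   # the name after '#', or None if absent


def parse_dns_entry(entry: str) -> ResolvedServer:
    """Parse 'address' or 'address#name' as used in DNS= in resolved.conf."""
    address, _, name = entry.strip().partition("#")
    ipaddress.ip_address(address)  # raises ValueError if not an IP literal
    return ResolvedServer(address, name or None)


def dns_name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive match; a single '*' may stand in for the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == n[1:]
    return p == n


def cert_matches_server(san: SanList, server: ResolvedServer) -> Tuple[bool, str]:
    """Decide whether a certificate with this SAN list validates for the server.

    Assumed policy: without a server name only an IP SAN entry equal to the
    configured address counts; with a server name only DNS SAN entries count.
    """
    if server.server_name is None:
        want = ipaddress.ip_address(server.address)
        for kind, value in san:
            if kind == "IP" and ipaddress.ip_address(value) == want:
                return True, f"IP SAN {value} matches {server.address}"
        return False, f"no IP SAN entry matches {server.address}"
    for kind, value in san:
        if kind == "DNS" and dns_name_matches(value, server.server_name):
            return True, f"DNS SAN {value} matches {server.server_name}"
    return False, f"no DNS SAN entry matches {server.server_name}"


def diagnose(entries: List[str], san: SanList) -> List[Tuple[str, bool, str]]:
    """Run the check for every DNS= entry against one certificate's SAN list."""
    return [(e, *cert_matches_server(san, parse_dns_entry(e))) for e in entries]


# Constructed sample certificates (not real provider certificates).
SAN_WITH_IP = [("DNS", "dot.example.org"), ("IP", "192.0.2.53"), ("IP", "2001:db8::53")]
SAN_HOSTNAME_ONLY = [("DNS", "*.example.net")]

if __name__ == "__main__":
    # A certificate carrying the IP validates for a bare address entry ...
    for row in diagnose(["192.0.2.53", "2001:db8::53"], SAN_WITH_IP):
        print(row)
    # ... while a hostname-only certificate needs the '#name' form to validate.
    for row in diagnose(["192.0.2.10", "192.0.2.10#dot.example.net"], SAN_HOSTNAME_ONLY):
        print(row)
```

To see what a real DoT endpoint presents, the SAN extension can be read from the live handshake with `openssl s_client -connect <address>:853 -servername <name> </dev/null | openssl x509 -noout -ext subjectAltName`; if the output lists only DNS entries, a bare-address configuration has nothing to match against.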
