Hello,
I'm working with a wildcard certificate[0] for a domain that I'm trying to add dane/tlsa records. There are a series of MX servers that use this certificate and I thought that I could put the specific name of the server into the TLSA record and that would work, but when I try to test that with one of the testers online, they fail to verify it, I think because there is no specific match to the name.
For example, I made these records using the certificate chain for the input to danetool:
danetool --tlsa-rr --host mx1.riseup.net --load-certificate ./wildcard_server_chain.pem --app-proto=smtp --ca --x509
_25._tcp.mx1.riseup.net. IN CNAME tlsa._mxdane.riseup.net. tlsa._mxdane.riseup.net. IN TLSA ( 02 00 01 3814e3eaf91e30451790697a98b1b5594cdbdfef4a73ef5a47ed33c556816645 )
But when I try to test that, I get:
################################################################# ### CHECKING MX HOST: mx1.riseup.net #################################################################
TLSA records found: 1 TLSA: 2 0 1 3814e3eaf91e30451790697a98b1b5594cdbdfef4a73ef5a47ed33c556816645
Connecting to IPv4 address: 198.252.153.129 port 25 recv: 220-mx1.riseup.net ESMTP (spam is not appreciated) recv: 220 mx1.riseup.net ESMTP (spam is not appreciated) send: EHLO cheetara.huque.com recv: 250-mx1.riseup.net recv: 250-PIPELINING recv: 250-SIZE 25600000 recv: 250-ETRN recv: 250-STARTTLS recv: 250-ENHANCEDSTATUSCODES recv: 250-8BITMIME recv: 250 DSN send: STARTTLS recv: 220 2.0.0 Ready to start TLS TLSv1.2 handshake succeeded. Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 Peer Certificate chain: 0 Subject CN: *.riseup.net Issuer CN: COMODO RSA Domain Validation Secure Server CA 1 Subject CN: COMODO RSA Domain Validation Secure Server CA Issuer CN: COMODO RSA Certification Authority 2 Subject CN: COMODO RSA Certification Authority Issuer CN: AddTrust External CA Root 3 Subject CN: AddTrust External CA Root Issuer CN: AddTrust External CA Root SAN dNSName: *.riseup.net SAN dNSName: riseup.net Error: peer authentication failed. rc=65 (No matching DANE TLSA records)
[2] Authentication failed for all (1) peers.
I suspect this is because the SAN dNSName does not specify mx1.riseup.net? I cannot find any specific details for how wildcards are handled in the RFCs.
Did I define the record incorrectly, or generate the hash over the wrong pieces? I thought maybe it was because I used the PEM encoded cert chain, but its not possible to generate a DER when the input is a multiple cert file.
Thanks for any help!
0. yes, I am aware of why wildcards are discouraged, but this is what I have to work with here.