On Tue, Jul 14, 2015 at 08:37:10AM +0000, Abdelmeniem Tharwat wrote:

> > > And when I try to execute dig @8.8.8.8 _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c +dnssec TLSA,
> > > I got the TLSA record that is identical to the hash from crt file.
> >
> > Both are wrong.
> >
> > The correct "3 0 1" TLSA for your server is:
> >
> > _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 AD562370D03DFBE4EDFC4780A2367C8FD086D8A00D53A80D8EC6A8909D50DA9A
> >
> > What you've published is:
> >
> > _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 1A70DF05AC43318AB35A16542A8736D077ACE3126FAFE00508EDD7484F293C6C
> >
> > No idea what that is the digest of, but it is not the digest of the DER
> > form of the server certificate.
>
> You are right, but kindly advise how I can get the TLSA record? I used
>
> openssl x509 -in xn----ymcadjpj1at5o.xn--wgbh1c.registry.crt -outform DER |
> openssl sha256
> (stdin)= 1a70df05ac43318ab35a16542a8736d077ace3126fafe00508edd7484f293c6c
>
> And got what I did add to the zone file.
Then the file you used is not the certificate used by the actual
Internet-facing webserver. Perhaps you forgot to reconfigure the
server.
Also, its self-signed certificate has a rather short lifetime; I
would suggest a lifetime of 10 years or more, which is invalidated
by updating the TLSA record, not by the underlying expiration.
You might find my "tlsagen" bash script handy.
$ ~/tlsagen xn----ymcadjpj1at5o.xn--wgbh1c.pem xn----ymcadjpj1at5o.xn--wgbh1c:443 3 0 1
_443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. IN TLSA 3 0 1 AD562370D03DFBE4EDFC4780A2367C8FD086D8A00D53A80D8EC6A8909D50DA9A
--
Viktor.
$ openssl x509 -subject -issuer -dates -sha256 -fingerprint -in xn----ymcadjpj1at5o.xn--wgbh1c.pem
subject= /C=/ST=/L=/O=/OU=/CN=xn----ymcadjpj1at5o.xn--wgbh1c
issuer= /C=/ST=/L=/O=/OU=/CN=xn----ymcadjpj1at5o.xn--wgbh1c
notBefore=Jul 13 16:06:16 2015 GMT
notAfter=Oct 11 16:06:16 2015 GMT
SHA256 Fingerprint=AD:56:23:70:D0:3D:FB:E4:ED:FC:47:80:A2:36:7C:8F:D0:86:D8:A0:0D:53:A8:0D:8E:C6:A8:90:9D:50:DA:9A
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
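The derivation Viktor describes, as an added example that is not his tlsagen script and not part of the original thread: it builds the TLSA RDATA from a PEM file for any selector (0 = full certificate, 1 = SubjectPublicKeyInfo) and matching type (0 = raw DER, 1 = SHA-256, 2 = SHA-512), then compares the record computed from the local file with the one computed from the leaf certificate the live server actually presents, which is exactly the mismatch in the thread. It assumes only openssl(1) and POSIX od/sed/tr; dig(1) is optional. The host names, file names and the function names (tlsa_der, tlsa_digest, tlsa_record, tlsa_live_leaf, tlsa_check) are this example's own.

```shell
#!/bin/sh
# Added example (not Viktor's tlsagen): derive TLSA RDATA from a certificate
# and compare the local file with what the live server presents.
# Assumes openssl(1) plus POSIX od/sed/tr; dig(1) only for the DNS lookup.

# Emit the DER bytes the TLSA selector refers to.
#   selector 0 = full certificate, selector 1 = SubjectPublicKeyInfo
tlsa_der() {
    pem=$1; selector=$2
    case $selector in
        0) openssl x509 -in "$pem" -outform DER ;;
        1) openssl x509 -in "$pem" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        *) echo "tlsa_der: bad selector $selector" >&2; return 1 ;;
    esac
}

# Apply the matching type to the DER on stdin and print hex (any case).
#   mtype 0 = no hash (whole DER), 1 = SHA-256, 2 = SHA-512
# The sed strips both "(stdin)= " (OpenSSL 1.x) and "SHA2-256(stdin)= " (3.x).
tlsa_digest() {
    case $1 in
        0) od -An -v -tx1 | tr -d ' \n' ;;
        1) openssl dgst -sha256 | sed 's/^.*= *//' ;;
        2) openssl dgst -sha512 | sed 's/^.*= *//' ;;
        *) echo "tlsa_digest: bad matching type $1" >&2; return 1 ;;
    esac
}

# Print a full record: _PORT._tcp.HOST. IN TLSA USAGE SELECTOR MTYPE DATA
# Arguments are validated first so a bad selector or unreadable file never
# degrades silently into "the SHA-256 of an empty string".
tlsa_record() {
    pem=$1; host=${2%.}; port=$3; usage=${4:-3}; selector=${5:-0}; mtype=${6:-1}
    case $usage    in 0|1|2|3) ;; *) echo "bad usage $usage" >&2; return 1 ;; esac
    case $selector in 0|1)     ;; *) echo "bad selector $selector" >&2; return 1 ;; esac
    case $mtype    in 0|1|2)   ;; *) echo "bad matching type $mtype" >&2; return 1 ;; esac
    openssl x509 -in "$pem" -noout 2>/dev/null || { echo "cannot read $pem" >&2; return 1; }
    data=$(tlsa_der "$pem" "$selector" | tlsa_digest "$mtype" | tr 'a-f' 'A-F')
    [ -n "$data" ] || return 1
    printf '_%s._tcp.%s. IN TLSA %s %s %s %s\n' "$port" "$host" "$usage" "$selector" "$mtype" "$data"
}

# Save the leaf certificate the Internet-facing server really serves (SNI set
# to HOST) as PEM. Needs network access; not exercised offline.
tlsa_live_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# Show the record from the local file, from the live leaf, and (if dig is
# available) what DNS publishes. Succeeds only when file and live leaf agree.
tlsa_check() {
    pem=$1; host=$2; port=${3:-443}; usage=${4:-3}; selector=${5:-0}; mtype=${6:-1}
    tmp=$(mktemp) || return 1
    tlsa_live_leaf "$host" "$port" "$tmp" || { rm -f "$tmp"; return 1; }
    local_rec=$(tlsa_record "$pem" "$host" "$port" "$usage" "$selector" "$mtype")
    live_rec=$(tlsa_record "$tmp" "$host" "$port" "$usage" "$selector" "$mtype")
    rm -f "$tmp"
    echo "file : $local_rec"
    echo "live : $live_rec"
    if command -v dig >/dev/null 2>&1; then
        echo "dns  : $(dig +short "_$port._tcp.$host" TLSA)"
    fi
    [ "${local_rec##* }" = "${live_rec##* }" ]
}

# Command-line use: tlsa.sh CERT.pem HOST[:PORT] [USAGE SELECTOR MTYPE]
if [ $# -ge 2 ]; then
    host=${2%%:*}; port=${2#*:}; [ "$port" = "$2" ] && port=443
    tlsa_record "$1" "$host" "$port" "$3" "$4" "$5"
fi
```

For a "3 0 1" record the DATA field is the same value `openssl x509 -sha256 -fingerprint` prints, minus the colons; if `tlsa_check` shows the "file" and "live" lines disagreeing, the file on disk is not the certificate the server is serving, which is the situation diagnosed in the thread.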