Private DNS cannot connect when using Let's encrypt


Issue

The certificate chain the server sends still includes `DST Root CA X3`, which has expired, so the Android device does not trust the connection.

Fix

  1. Add the `preferred_chains` option to the `tls` section and set it to `smallest`. Do not use `root_common_name "ISRG Root X1"`; that selector still keeps `DST Root CA X3` in the cert chain.

     ```caddyfile
     your.dns-domain.com {
         tls {
             issuer acme {
                 preferred_chains smallest
             }
         }

         respond "It's work!"
     }
     ```
  2. Stop the caddy server

     ```shell
     service caddy stop
     ```
  3. Remove the related domain cert files

     ```shell
     rm -rf /path/to/your/caddy/certs/data/*
     ```
  4. Start the caddy server

     ```shell
     service caddy start
     ```
  5. Restart the custom DNS server (the resolver serving DNS over TLS) and make sure it is using the newly issued certs.

Others

  1. Check the domain cert chain (openssl)

     ```shell
     openssl s_client -showcerts -servername your.dns-domain.com -connect your.dns-domain.com:853
     ```
  2. Other tools

     https://crt.sh/
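Added example, not part of the original post and not Caddy's own tooling: a small Python checker for the output of the `openssl s_client -showcerts` command above. It parses the `s:`/`i:` lines of the served chain and reports whether the chain still ends at the expired `DST Root CA X3`, which is the check you want after the restart in step 5 of the Fix section. Both sample outputs are constructed (PEM bodies omitted), and `your.dns-domain.com` is the placeholder hostname from the post.

```python
import re
import sys

# Constructed sample of `openssl s_client -showcerts` output for the long
# chain (ISRG Root X1 cross-signed by DST Root CA X3). PEM bodies are omitted
# because only the subject/issuer lines matter for this check.
LONG_CHAIN_OUTPUT = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = your.dns-domain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
"""

# Constructed sample for the short chain served after `preferred_chains smallest`.
SHORT_CHAIN_OUTPUT = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = your.dns-domain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
"""

# One chain entry is a " N s:<subject>" line followed by an "   i:<issuer>" line.
CHAIN_ENTRY = re.compile(
    r"^\s*\d+\s+s:(?P<subject>.*)\n\s*i:(?P<issuer>.*)$", re.MULTILINE
)

# Roots that clients such as Android will reject once expired.
EXPIRED_ROOTS = ("DST Root CA X3",)


def parse_chain(s_client_output):
    """Return the served chain as (subject, issuer) pairs in the order sent."""
    return [
        (m.group("subject").strip(), m.group("issuer").strip())
        for m in CHAIN_ENTRY.finditer(s_client_output)
    ]


def common_name(dn):
    """Extract the CN attribute from an OpenSSL-formatted distinguished name."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn


def chain_report(s_client_output, expired_roots=EXPIRED_ROOTS):
    """Summarise the served chain and flag whether it ends at an expired root."""
    chain = parse_chain(s_client_output)
    if not chain:
        raise ValueError("no 'Certificate chain' section found in output")
    terminal_issuer = common_name(chain[-1][1])
    return {
        "depth": len(chain),
        "subjects": [common_name(subject) for subject, _ in chain],
        "terminal_issuer": terminal_issuer,
        "chains_to_expired_root": terminal_issuer in expired_roots,
    }


def verdict(s_client_output):
    """Human-readable result for the operator checking the server after restart."""
    report = chain_report(s_client_output)
    path = " -> ".join(report["subjects"] + [report["terminal_issuer"]])
    if report["chains_to_expired_root"]:
        return "PROBLEM: chain still ends at expired root: " + path
    return "OK: served chain is " + path


if __name__ == "__main__":
    # Pipe the openssl output in, e.g.:
    # openssl s_client -showcerts -servername host -connect host:853 </dev/null 2>/dev/null | python3 check_chain.py
    print(verdict(sys.stdin.read()))
```

Run it against the real server once the new certificate is in place; the old chain reports three certificates ending at `DST Root CA X3`, the new one two certificates ending at `ISRG Root X1`.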

References

  1. Let’s Encrypt and DNS over TLS Hell on Android
  2. Alternate certificate chain to support older OpenSSL version
  3. Proposal: keep only ISRG Root X1 in the HTTPS certificate chain #221