Cloudflare DNS over Tor certificate fails since April 29

dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion seems to be missing:

https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query?dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAAAAAFAAMABCZf5pq6FXqodAvmI1vpSSF]: [Get "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query?dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAAAAAFAAMABCZf5pq6FXqodAvmI1vpSSF": x509: certificate is valid for, *,, not dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
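The `dns=` parameter in the failing URL above is an RFC 8484 base64url-encoded DNS wire message. As an added illustration (not part of the original post), this standard-library Python decodes that exact parameter to show what the client was sending: a `. NS` probe with an EDNS(0) padding option.

```python
import base64
import struct

# The dns= parameter copied from the failing request quoted in the post above.
PAGE_DNS_PARAM = "yv4BAAABAAAAAAABAAACAAEAACkQAAAAAAAAFAAMABCZf5pq6FXqodAvmI1vpSSF"

EDNS_PADDING = 12  # EDNS option code for padding (RFC 7830)
TYPE_OPT = 41      # pseudo-RR type carrying EDNS(0) data (RFC 6891)

def decode_doh_param(param: str) -> bytes:
    """RFC 8484: dns= is base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def read_name(msg: bytes, off: int):
    """Parse an uncompressed wire-format name; returns (dotted name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off

def parse_query(msg: bytes) -> dict:
    """Decode the header, the first question and any EDNS(0) OPT record of a DoH query."""
    txid, flags, _qd, an, _ns, ar = struct.unpack("!6H", msg[:12])
    out = {"id": txid, "rd": bool(flags & 0x0100), "ancount": an, "options": {}}
    qname, off = read_name(msg, 12)
    out["qname"] = qname
    out["qtype"], out["qclass"] = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    # Additional section: in an OPT record the CLASS field carries the UDP payload size.
    for _ in range(ar):
        _, off = read_name(msg, off)
        rtype, udp_size, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_OPT:
            continue
        out["edns_udp_size"] = udp_size
        pos = 0
        while pos + 4 <= len(rdata):   # walk the option TLVs: code, length, data
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            out["options"][code] = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
    return out

if __name__ == "__main__":
    q = parse_query(decode_doh_param(PAGE_DNS_PARAM))
    print(q["qname"], q["qtype"], q.get("edns_udp_size"), len(q["options"].get(EDNS_PADDING, b"")))
```

The decoded message is a query for the root zone's NS records with a 4096-byte EDNS buffer and 16 bytes of padding, which is why it looks like a connectivity probe rather than a user lookup.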

This is normal, the .onion address is only used for routing purposes and does not need to be included in the certificate as the encryption handshake uses the original domain name.


Not really. Connecting to the regular name via an exit node remains fine, but when connecting to the onion service, there is no “original domain name”.

The dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion certificate has been served for the past 2 years. Has the service been silently phased out?


Shoot, sorry. I was thinking about http altsvc, but this doesn’t apply to Cloudflare’s resolver.

Hi, we’re tracking this internally.

Hit the same thing here. Looks like there is no obvious way to bypass this certificate check.

Since the topic is open… encryption is an integral part of the .onion name itself and essentially makes any TLS cert useful only for brand recognition and bragging rights as they are rare in onionland. That being said, does CloudFlare ever plan on offering TOR hosting? It would be a great service for sites which are more concerned with offering their visitors an anonymized route to use than having a site routing via TOR for its own privacy concerns.

Hi all, the certificate has been replaced and DNS over Tor is back.

To obtain a certificate, a domain has to be validated by the CA. Unfortunately due to the special requirements for .onion TLDs, this required some manual steps. There is some room for improvement in that area.