Cloudflare Gateway DoH issue "x509: certificate signed by unknown authority" using DNSCrypt-proxy

My issue in the dnscrypt-proxy repo: Cloudflare Gateway DoH issue "x509: certificate signed by unknown authority" · Issue #1713 · DNSCrypt/dnscrypt-proxy · GitHub

Does the problem with the TLS configuration still exist?

When I use the DoH server cloudflare-gateway.com in dnscrypt-proxy, I get x509: certificate signed by unknown authority:

[2021-05-12 17:23:57] [NOTICE] dnscrypt-proxy 2.0.45
[2021-05-12 17:23:57] [NOTICE] Network connectivity detected
[2021-05-12 17:23:57] [NOTICE] Now listening to 127.0.0.1:15353 [UDP]
[2021-05-12 17:23:57] [NOTICE] Now listening to 127.0.0.1:15353 [TCP]
[2021-05-12 17:23:57] [NOTICE] Source [relays] loaded
[2021-05-12 17:23:57] [NOTICE] Source [public-resolvers] loaded
[2021-05-12 17:23:57] [NOTICE] Firefox workaround initialized
[2021-05-12 17:23:57] [ERROR] Get "https://**URL**.cloudflare-gateway.com/dns-query?dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAAAAAFAAMABAGAcXoYjgdUAa8hWYAdbxv": x509: certificate signed by unknown authority
[2021-05-12 17:23:57] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
  

With curl on the same machine and the same **URL** there are no such problems:

>curl -v --doh-url https://**URL**.cloudflare-gateway.com/dns-query https://api.ipify.org
* Found bundle for host **URL**.cloudflare-gateway.com: 0x19c7070ec70 [serially]
* Server doesn't support multiplex (yet)
*   Trying 162.159.36.20:443...
* Hostname '**URL**.cloudflare-gateway.com' was found in DNS cache
*   Trying 162.159.36.20:443...
* Connected to **URL**.cloudflare-gateway.com (162.159.36.20) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: D:\download chrome\curl-7.76.1-win64-mingw\bin\curl-ca-bundle.crt
*  CApath: none
* Connected to **URL**.cloudflare-gateway.com (162.159.36.20) port 443 (#2)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: D:\download chrome\curl-7.76.1-win64-mingw\bin\curl-ca-bundle.crt
*  CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Aug  4 00:00:00 2020 GMT
*  expire date: Aug  4 12:00:00 2021 GMT
*  subjectAltName: host "**URL**.cloudflare-gateway.com" matched cert's "*.cloudflare-gateway.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x19c70708b90)
> POST /dns-query HTTP/2
Host: **URL**.cloudflare-gateway.com
accept: */*
content-type: application/dns-message
content-length: 31

* We are completely uploaded and fine
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Aug  4 00:00:00 2020 GMT
*  expire date: Aug  4 12:00:00 2021 GMT
*  subjectAltName: host "**URL**.cloudflare-gateway.com" matched cert's "*.cloudflare-gateway.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x19c707077a0)
> POST /dns-query HTTP/2
Host: **URL**.cloudflare-gateway.com
accept: */*
content-type: application/dns-message
content-length: 31

* old SSL session ID is stale, removing
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* We are completely uploaded and fine
< HTTP/2 200
< date: Wed, 12 May 2021 12:30:52 GMT
< content-type: application/dns-message
< content-length: 208
< access-control-allow-origin: *
< cf-request-id: 0a02280fea00008ee313b82000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 64e3a92c98928ee3-DME
<
* Connection #2 to host **URL**.cloudflare-gateway.com left intact
* a DOH request is completed, 1 to go
< HTTP/2 200
< date: Wed, 12 May 2021 12:30:52 GMT
< content-type: application/dns-message
< content-length: 257
< access-control-allow-origin: *
< cf-request-id: 0a0228101500003a7d3917b000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 64e3a92ce8ab3a7d-DME
<
* Connection #1 to host **URL**.cloudflare-gateway.com left intact
* a DOH request is completed, 0 to go
* DOH Host name: api.ipify.org
* TTL: 7 seconds
* DOH A: 50.19.96.218
* DOH A: 54.225.165.85
* DOH A: 23.21.252.4
* DOH A: 50.19.216.111
* DOH A: 54.225.157.230
* DOH A: 54.243.154.178
* DOH A: 50.16.249.42
* DOH A: 54.221.236.13
* CNAME: nagano-19599.herokussl.com
* CNAME: elb097307-934924932.us-east-1.elb.amazonaws.com
* CNAME: nagano-19599.herokussl.com
* CNAME: elb097307-934924932.us-east-1.elb.amazonaws.com
*   Trying 50.19.96.218:443...
* Connected to api.ipify.org (50.19.96.218) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: D:\download chrome\curl-7.76.1-win64-mingw\bin\curl-ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.ipify.org
*  start date: Jan 19 00:00:00 2021 GMT
*  expire date: Feb 19 23:59:59 2022 GMT
*  subjectAltName: host "api.ipify.org" matched cert's "*.ipify.org"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: api.ipify.org
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: Cowboy
< Connection: keep-alive
< Content-Type: text/plain
< Vary: Origin
< Date: Wed, 12 May 2021 12:30:53 GMT
< Content-Length: 14
< Via: 1.1 vegur
<
46.146.226.121* Connection #0 to host api.ipify.org left intact
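
The curl output above shows the leaf is issued by an intermediate ("Cloudflare Inc ECC CA-3"), and curl verifies it against its own curl-ca-bundle.crt. dnscrypt-proxy is written in Go, and Go's crypto/x509 reports "certificate signed by unknown authority" whenever it cannot build a path from the leaf to a root in the trust store it is using, which happens both when the server omits the intermediate and when the client's store lacks the root. The thread does not record which of these was the cause. The following Go program is an added example, not code from dnscrypt-proxy or from the poster; it builds a constructed three-tier test PKI (root, intermediate, wildcard leaf under the made-up name example-gateway.test) and verifies the same leaf under the three conditions, so a defender can see exactly which failure mode produces that error string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed test hostname; none of the names or certificates below are Cloudflare's.
const testHost = "myid.example-gateway.test"

// certPair bundles a certificate with the private key that signs its children.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs a certificate for tmpl with parent's key, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *certPair) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signerCert, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certPair{cert: cert, key: key}
}

// buildTestPKI creates root CA -> intermediate CA -> wildcard leaf, the same three-tier
// shape as the chain in the curl output (root trusted locally, intermediate sent by the server).
func buildTestPKI() (root, inter, leaf *certPair) {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             notBefore,
			NotAfter:              notAfter,
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root = issue(caTemplate(1, "Example Root CA"), nil)
	inter = issue(caTemplate(2, "Example Intermediate CA"), root)
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "sni.example-gateway.test"},
		DNSNames:     []string{"*.example-gateway.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter)
	return root, inter, leaf
}

// verifyPresented does what crypto/tls does with a server's chain: the leaf is checked
// against the trust store (Roots) using the extra certificates the server sent (Intermediates).
func verifyPresented(leaf *x509.Certificate, presented, trusted []*x509.Certificate, host string) error {
	roots := x509.NewCertPool() // a non-nil pool makes Go use its own verifier, not the OS one
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the failure Go prints as
// "x509: certificate signed by unknown authority": no path from the leaf to a trusted root.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Diagnose verifies the same leaf under three conditions and returns each outcome.
func Diagnose() map[string]error {
	root, inter, leaf := buildTestPKI()
	certs := func(p ...*certPair) []*x509.Certificate {
		out := make([]*x509.Certificate, 0, len(p))
		for _, c := range p {
			out = append(out, c.cert)
		}
		return out
	}
	return map[string]error{
		// server sends leaf+intermediate, client trusts the root: what curl's bundle achieved
		"full chain, root trusted": verifyPresented(leaf.cert, certs(inter), certs(root), testHost),
		// server omits the intermediate: the leaf's issuer is unknown to the client
		"intermediate not presented": verifyPresented(leaf.cert, nil, certs(root), testHost),
		// server sends the intermediate but the client's trust store lacks the root
		"root not in trust store": verifyPresented(leaf.cert, certs(inter), nil, testHost),
	}
}

func main() {
	for scenario, err := range Diagnose() {
		fmt.Printf("%-28s -> unknown authority: %v (err: %v)\n", scenario, IsUnknownAuthority(err), err)
	}
}
```

Both failing scenarios produce the identical error string, which is why the message alone does not tell you whether to look at the server's chain or at the client's trust store. The practical check is to compare what each client trusts: curl here reads the CA bundle file it printed, while a Go program on Windows with no Roots configured falls back to the operating system's store, so the two can disagree on the same server.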

It sounds like the issue below. Theirs resolved, but if yours still isn’t working, please open a ticket and post the ticket # here.

Very similar, but it doesn’t seem to be. (I didn’t notice a problem for myself.)

My problem was solved 05.14 01:48 UTC+5:

[2021-05-13 18:05:03] [ERROR] Get "https://-url-.cloudflare-gateway.com/dns-query?dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAAAAAFAAMABCJZro_IiXPUV2HQSAkTz5U": x509: certificate signed by unknown authority
[2021-05-13 18:05:03] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
[2021-05-14 01:48:31] [INFO] [test-gateway] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[2021-05-14 01:48:31] [NOTICE] [test-gateway] OK (DoH) - rtt: 33ms
[2021-05-14 01:48:31] [NOTICE] Server with the lowest initial latency: test-gateway (rtt: 33ms)
[2021-05-14 05:48:31] [NOTICE] Server with the lowest initial latency: test-gateway (rtt: 33ms)
