Thanks a lot Viktor.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Viktor Dukhovni
Sent: Tuesday, July 14, 2015 7:08 PM
To: [email protected]
Subject: Re: TLSA Validation Failed

On Tue, Jul 14, 2015 at 08:37:10AM +0000, Abdelmeniem Tharwat wrote:

> > > And when I try to execute dig @8.8.8.8
> > > _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c +dnssec TLSA, I got the TLSA
> > > record that is identical to the hash from crt file.
> >
> > Both are wrong.
> >
> > The correct "3 0 1" TLSA for your server is:
> >
> > _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1
> > AD562370D03DFBE4EDFC4780A2367C8FD086D8A00D53A80D8EC6A8909D50DA9A
> >
> > What you've published is:
> >
> > _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1
> > 1A70DF05AC43318AB35A16542A8736D077ACE3126FAFE00508EDD7484F293C6C
> >
> > No idea what that is the digest of, but it is not the digest of the
> > DER form of the server certificate.
>
> You are right, but kindly advise how I can get the TLSA record? I
> used
>
> openssl x509 -in xn----ymcadjpj1at5o.xn--wgbh1c.registry.crt -outform DER |
> openssl sha256
> (stdin)=
> 1a70df05ac43318ab35a16542a8736d077ace3126fafe00508edd7484f293c6c
>
> And got what I did add to the zone file.

Then the file you used is not the certificate used by the actual
Internet-facing webserver. Perhaps you forgot to reconfigure the
server.

Also, its self-signed certificate has a rather short lifetime; I would
suggest a lifetime of 10 years or more, which is invalidated by updating
the TLSA record, not the underlying expiration.

You might find my "tlsagen" bash script handy.

$ ~/tlsagen xn----ymcadjpj1at5o.xn--wgbh1c.pem xn----ymcadjpj1at5o.xn--wgbh1c:443 3 0 1
_443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. IN TLSA 3 0 1 AD562370D03DFBE4EDFC4780A2367C8FD086D8A00D53A80D8EC6A8909D50DA9A

-- 
Viktor.
$ openssl x509 -subject -issuer -dates -sha256 -fingerprint -in xn----ymcadjpj1at5o.xn--wgbh1c.pem
subject= /C=/ST=/L=/O=/OU=/CN=xn----ymcadjpj1at5o.xn--wgbh1c
issuer= /C=/ST=/L=/O=/OU=/CN=xn----ymcadjpj1at5o.xn--wgbh1c
notBefore=Jul 13 16:06:16 2015 GMT
notAfter=Oct 11 16:06:16 2015 GMT
SHA256 Fingerprint=AD:56:23:70:D0:3D:FB:E4:ED:FC:47:80:A2:36:7C:8F:D0:86:D8:A0:0D:53:A8:0D:8E:C6:A8:90:9D:50:DA:9A
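As an added example (not Viktor's tlsagen script and not code from the thread), the "3 0 1" derivation the thread performs with openssl, done in Python with only the standard library: strip the PEM armor, base64-decode to DER, SHA-256 the DER bytes, and compare the result with the association data published in DNS. The certificate bytes are a constructed ASN.1 stand-in rather than a real certificate, and the diagnose() helper's check for a digest of the PEM text is an added common-pitfall case that the thread itself does not identify.

```python
"""Derive and check a DANE TLSA "3 0 1" record (usage 3 DANE-EE, selector 0 full cert, matching 1 SHA-256)."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a DER certificate: a tiny ASN.1 SEQUENCE of two
# INTEGERs, enough to exercise the armor/decode/digest path. Not a real X.509 blob.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, the presentation form used in TLSA zone data."""
    return hashlib.sha256(data).hexdigest().upper()


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armor and base64-decode; yields the same bytes as `openssl x509 -outform DER`."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_3_0_1(pem_text: str) -> str:
    """Certificate association data for a 3 0 1 record: SHA-256 over the full DER certificate."""
    return sha256_hex(pem_to_der(pem_text))


def tlsa_record(host: str, port: int, pem_text: str) -> str:
    """Zone-file line in the same shape tlsagen prints: _port._tcp.host. IN TLSA 3 0 1 <hex>."""
    return f"_{port}._tcp.{host}. IN TLSA 3 0 1 {tlsa_3_0_1(pem_text)}"


def diagnose(pem_text: str, published_hex: str) -> str:
    """Explain a mismatch between the published association data and the local certificate file."""
    published = published_hex.strip().upper()
    if published == tlsa_3_0_1(pem_text):
        return "match"
    # Added pitfall check: hashing the PEM file as-is instead of its DER form.
    if published == sha256_hex(pem_text.encode()):
        return "published value is the digest of the PEM text, not of the DER certificate"
    # Thread's own diagnosis: the file is not the certificate the live server presents.
    return "published value matches neither form; the file is probably not the certificate the server presents"
```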
