Hi GNUnet, Hi Christian,

On 03/10, Tanguy Le Carrour wrote:
> On 03/09, Christian Grothoff wrote:
> > 2) try adding a TLSA record for gnunet.org to GNS, thereby avoiding
> > the use of Letsencrypt and really directly verifying via GNS.
>
> I'll try this and let you know, thanks!

So, I did my homework, used a generator [1][] and ended up with this:

```
_443._tcp.gnunet.org. IN TLSA 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
```

[1]: https://www.huque.com/bin/gen_tlsa

So I now have:

```
$ gnunet-namestore -z myself -a -e "1 d" -p -t TLSA -n gnunet -V "3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
$ gnunet-gns --type ANY --lookup gnunet.myself
gnunet.myself:
Got `TLSA' record: 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
Got `LEHO' record: gnunet.org
Got `A' record: 131.159.74.67
```

I didn't know where to put the `_443._tcp` part. `gnunet-namestore` complained about the name containing a `.`. There's something in the doc [2][] about `_port._proto.`, but it's for BOX records only.

[2]: https://docs.gnunet.org/handbook/gnunet.html#BOX-1

Having done that, I still don't get much in the logs:

```
$ […]/lib/gnunet/libexec/gnunet-gns-proxy --log DEBUG
Mar 13 18:15:11-622297 gnunet-gns-proxy-3803 ERROR Download curl gnunet.org/ failed: SSL peer certificate or SSH remote key was not OK
```

Is my TLSA record correct? Is there something else I can try?

Regards

-- 
Tanguy
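
An offline way to check whether a `3 1 1` value fits a given certificate (an added example, not part of the original message and not GNUnet code): parse the TLSA rdata, then compare it with the SHA-256 of the certificate's SubjectPublicKeyInfo. The DER walker assumes a well-formed certificate, and `SPKI`, `TBS`, `CERT` and `RECORD` are constructed sample values, not gnunet.org's.

```python
import hashlib
import hmac

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low bits give the size of the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_der(cert):
    """Cut the SubjectPublicKeyInfo out of a well-formed DER X.509 certificate."""
    pos = _tlv(cert, _tlv(cert, 0)[1])[1]  # into Certificate, then tbsCertificate
    tag, _, end = _tlv(cert, pos)
    pos = end if tag == 0xA0 else pos  # skip the optional [0] version
    for _ in range(5):  # serial, signature, issuer, validity, subject
        pos = _tlv(cert, pos)[2]
    return cert[pos:_tlv(cert, pos)[2]]

def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex'; reject bad ranges or digest sizes."""
    usage, selector, mtype, *hexparts = rdata.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    data = bytes.fromhex("".join(hexparts))
    if not (0 <= usage <= 3 and selector in (0, 1) and mtype in (0, 1, 2)):
        raise ValueError("TLSA field out of range")
    if mtype and len(data) != (32, 64)[mtype - 1]:
        raise ValueError("digest length does not fit the matching type")
    return usage, selector, mtype, data

def tlsa_matches(rdata, cert):
    """True if the certificate satisfies the record's association data."""
    _, selector, mtype, data = parse_tlsa(rdata)
    selected = spki_der(cert) if selector == 1 else cert
    if mtype:
        selected = hashlib.new(("sha256", "sha512")[mtype - 1], selected).digest()
    return hmac.compare_digest(selected, data)

def _der(tag, body):  # encoder used only to build the constructed sample below
    size = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (size if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body
# Constructed sample, not a real certificate: only the field layout is X.509.
SPKI = _der(0x30, _der(0x30, b"\x06\x03\x2b\x65\x70") + _der(0x03, b"\x00" + bytes(range(32))))
TBS = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + _der(0x30, b"")
           + _der(0x30, bytes(200)) + _der(0x30, b"") * 2 + SPKI)
CERT = _der(0x30, TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
RECORD = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()
print(tlsa_matches(RECORD, CERT))
```

For a real server, pass the DER bytes of the certificate it presents (for a PEM file, `ssl.PEM_cert_to_DER_cert` converts it).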