DANE Entry 2 1 1

Hi !

I created 2 DANE entries for 2 hosts in my domain (port 25 and 143)
For host 1 the cert.pem is signed with r10 and I created the 2 1 1 entry with

openssl x509 -in r10.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "_25._tcp.smtp TLSA 2 1 1", $NF}'

This was tested with Check a DANE TLS Service and it's OK.

The cert of host 2 is related to r11 and I created the 2 1 1 record the same way (using r11 instead of r10):

openssl x509 -in r11.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "_143._tcp.imap TLSA 2 1 1", $NF}'

but the site says:
DANE TLSA 2 1 1 [6ddac186..]: FAIL did not match any TA certificate

DANE Certificate Chain 0:

0 CN=imap.hoerst.net
CN=R11,O=Let's Encrypt,C=US

and the output of the above command is:
6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7

I do not understand why it works for r10 and not for r11.

Ciao Gerd

You are supposed to have all 10 TLSA records for R10-R14 and E5-E9 on both fqdns (open "backup" to find the rest: Chains of Trust - Let's Encrypt) because the intermediate will change without warning (10 to 11 and 5 to 6 randomly, and probably the others too).

5 Likes

The reason it fails is that you're not sending any intermediate on your IMAP port, but you are sending it on the SMTP port:

openssl s_client -connect imap.hoerst.net:143 -starttls imap
Connecting to 2a0a:4cc0:c0:33c:741d:20ff:fe2c:108e
CONNECTED(000001C8)
depth=0 CN=imap.hoerst.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=imap.hoerst.net
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=imap.hoerst.net
verify return:1
---
Certificate chain
 0 s:CN=imap.hoerst.net
   i:C=US, O=Let's Encrypt, CN=R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec  6 06:39:36 2024 GMT; NotAfter: Mar  6 06:39:35 2025 GMT
---

vs SMTP:

openssl s_client -connect smtp.hoerst.net:25 -starttls smtp
Connecting to 2a0a:4cc0:c0:33c:741d:20ff:fe2c:108e
CONNECTED(000001C8)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R10
verify return:1
depth=0 CN=smtp.hoerst.net
verify return:1
---
Certificate chain
 0 s:CN=smtp.hoerst.net
   i:C=US, O=Let's Encrypt, CN=R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec  6 06:39:15 2024 GMT; NotAfter: Mar  6 06:39:14 2025 GMT
 1 s:C=US, O=Let's Encrypt, CN=R10
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---

You always need to send the intermediate(s) when using DANE-TA, as many clients won't be able to find it otherwise. Your DANE-TA only anchors the certificate's SPKI hash, but to verify that a client needs to see the certificate.

Also, as already mentioned: You need to anchor all intermediates used by Let's Encrypt - issuance will rotate randomly, and your DANE setup is bound to break lots of times otherwise.

6 Likes
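The two points in the reply above (the 2 1 1 record is a hash of the intermediate's SubjectPublicKeyInfo, and a validator can only match it if the server actually sends that intermediate) can be reproduced locally. The script below is an added example written for this thread; it is not the thread's own command, not Viktor Dukhovni's script, and it does not touch the real R10/R11 certificates. It builds a constructed two-level chain (a throwaway "intermediate" and a leaf signed by it), emits the TLSA 2 1 1 record with the same pipeline as in the thread (with `openssl pkey` in place of `openssl rsa`, so it also works for the ECDSA E5-E9 intermediates), and then checks that record against a leaf-only bundle and a leaf-plus-intermediate bundle. The names `tlsa_211_data`, `chain_matches_tlsa`, `make_sample_chain` and the `*.example.test` hostname are all hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): generate a TLSA 2 1 1 record from a PEM
# certificate and check whether a served certificate chain actually contains a
# certificate with that SPKI hash. Self-contained: it builds a constructed
# two-level chain instead of using the real Let's Encrypt R10/R11 certificates.
set -e

# TLSA 2 1 1 data for a PEM cert: SHA-256 of the DER-encoded SubjectPublicKeyInfo.
# `openssl pkey` replaces the thread's `openssl rsa` so the same function also
# works for ECDSA intermediates (E5-E9).
tlsa_211_data() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 \
    | awk '{print $NF}'
}

# Print a complete TLSA record line for owner name $1 and PEM cert $2.
tlsa_211_record() {
  printf '%s TLSA 2 1 1 %s\n' "$1" "$(tlsa_211_data "$2")"
}

# Return 0 if any certificate in a PEM bundle (the chain a server sends in the
# TLS handshake) has SPKI hash $2, otherwise 1. A real DANE validator also
# requires the chain to verify up to the matched trust anchor; this only
# reproduces the "did not match any TA certificate" part of the check.
chain_matches_tlsa() {
  bundle=$1; want=$2
  d=$(mktemp -d)
  # Split the bundle into one file per certificate (c1.pem, c2.pem, ...).
  awk -v dir="$d" \
    '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > (dir "/c" n ".pem")}' \
    "$bundle"
  rc=1
  for c in "$d"/c*.pem; do
    if [ "$(tlsa_211_data "$c")" = "$want" ]; then rc=0; fi
  done
  rm -rf "$d"
  return $rc
}

# Build a constructed chain in directory $1: ca.pem (throwaway intermediate),
# leaf.pem, leaf-only.pem (what the IMAP server in the thread sent) and
# full.pem (leaf + intermediate, what the SMTP server sent). Hypothetical names.
make_sample_chain() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Intermediate" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=imap.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.pem" 2>/dev/null
  cp "$dir/leaf.pem" "$dir/leaf-only.pem"
  cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/full.pem"
}

# Demo: the same TLSA record fails against a leaf-only chain and succeeds once
# the intermediate is included in what the server sends.
WORK=$(mktemp -d)
make_sample_chain "$WORK"
HASH=$(tlsa_211_data "$WORK/ca.pem")
tlsa_211_record "_143._tcp.imap" "$WORK/ca.pem"
if chain_matches_tlsa "$WORK/leaf-only.pem" "$HASH"; then
  echo "leaf-only chain: OK matched TA certificate"
else
  echo "leaf-only chain: FAIL did not match any TA certificate"
fi
if chain_matches_tlsa "$WORK/full.pem" "$HASH"; then
  echo "full chain: OK matched TA certificate"
else
  echo "full chain: FAIL did not match any TA certificate"
fi
rm -rf "$WORK"
```

To apply this to a live server, the bundle passed to `chain_matches_tlsa` would be the chain that `openssl s_client -showcerts` prints, and the PEM passed to `tlsa_211_data` would be each Let's Encrypt intermediate from the Chains of Trust page in turn; the leaf-only case is exactly what the IMAP output in the reply above shows.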

Hi !

Forget your tests... I meanwhile tried some things around.... I mentioned that when I tried with the actual 2 1 1 entries for r10 and r11 the test will fail with them (actually it is like it should and it doesn't work; on the 3 1 1 entry it's OK).
Now I have in DNS a 3 1 1 and three 2 1 1 entries (r10/r11/r1).

Ciao Gerd

You should know that DANE isn't mandatory.

You need to keep those up to date, and if you're sure you'll only get a RSA cert, use R10, R11, R12, R13, R14. Not sure what r1 is.

3 Likes

Hi !

Yes I know, but it does not work with R10 or R11 at all (R12, 13, 14 are only worst case).

Ciao Gerd

Hi !

Now I tried also with R10 and R11, but:

Checking imap.hoerst.net 2a0a:4cc0:c0:33c:741d:20ff:fe2c:108e port 143

DANE TLSA 3 1 1 [cd54bc6c..]: OK matched EE certificate
DANE TLSA 2 1 1 [6ddac186..]: FAIL did not match any TA certificate
DANE TLSA 2 1 1 [2bbad93a..]: FAIL did not match any TA certificate

but the cert is from:

Peer Certificate Chain:

0 CN=imap.hoerst.net
CN=R11,O=Let's Encrypt,C=US
so the "6ddac..." entry should work.

I'm only looking at smtp because using DANE on imap is kinda pointless, I know of no clients using it. I assume the issue is with the incomplete chain, as @Nummer378 told you above.

On SMTP it works fine, you just have to add three more records for R12, 13 and 14:

Checking smtp.hoerst.net 152.53.129.213 port 25

DANE TLSA 2 1 1 [2bbad93a..]: OK matched TA certificate at depth 1
DANE TLSA 2 1 1 [6ddac186..]: FAIL did not match any TA certificate
DANE TLSA 3 1 1 [038f8849..]: OK matched EE certificate

1 Like

Hi !

OK... in IMAP I have it now.... I will change 443 and 25, maybe I remove IMAP (but if nobody is using it, why can you check it on the site?).

Ciao Gerd

1 Like

DANE's history is complicated. The idea was for it to be widely adopted, but that never happened except for SMTP.

1 Like

A script that works perfectly is posted here: Making a DANE TLSA to work with LE - #8 by ietf-dane

It will give you all combinations of '3' and '2' TLSA records.
Just put it in a file and make it executable. It is from [ietf-dane], aka Viktor Dukhovni.
