==== Early Notice ====
All domains mentioned here have Client Request Logging enabled; if you do NOT want to share your public IP, please do not try to visit the domain/link.
==== End of Early Notice ====
Hi, I didn't notice that the Let's Encrypt DST Root CA X3 would expire at Sep 30 14:01:15 2021 GMT, which was exactly last night (Indonesian time).
I run a custom poisoned DNS server so that I can poison my devices to avoid getting spammed with inappropriate advertisements in my phone's home launcher and notification bar.
Everything had been running perfectly fine for about 2-3 months; however, last night, without any changes made to my server, my phone refused to connect to my DNS without any specific reason or warning.
For now, I have temporarily disabled my phone's Private DNS (which requires TLS) and run the normal, basic unencrypted TCP connection so that I at least have internet to check my server control panel.
To my surprise, my TirtaDNS panel has been reporting that a client (in this case my phone) is throwing a lot of ERR_SSL_SSLV3_ALERT_CERTIFICATE_EXPIRED errors, around 5.2k such expiry failures over the past night.
After reading a bit on ServerFault, it looks like the Let's Encrypt root recently expired and most clients should switch to the new one, as my laptop and my other devices did nicely.
When using the browser on the phone with the bypass-DNS option enabled, I can still access my site, which means that my browser already has the new Let's Encrypt root certificate; however... it looks like the Android Private DNS feature is not able to switch automatically.
At first, I thought it was my certificate that was expiring, but I already had an automatic renewal configured to run certbot. Well, I decided to renew the certificate anyway, as I was thinking it might solve the issue since the error reported by the phone was ALERT_CERTIFICATE_EXPIRED; it turns out it didn't.
So my question is: is there any version of the new ISRG Root X1 and the R3 certificate which we can install in the Android trusted certificate list manually?
I also just recently enabled Nginx exposure of my panel, so you can now try to access https://tirtadns.tirtagt.xyz/ and it'll serve the same certificate that TirtaDNS uses.
I also tried letting openssl connect and test the configuration using:
openssl s_client -connect tirtadns.tirtagt.xyz:853 -servername tirtadns.tirtagt.xyz
- Note that the DNS over TLS port is 853
and here's part of the output:
Certificate chain
 0 s:CN = tirtadns.tirtagt.xyz
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
subject=CN = tirtadns.tirtagt.xyz
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4583 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
which I believe means that TirtaDNS is already serving the correct ISRG Root X1 and R3, and it's just my phone that doesn't trust it.
My domain is: tirtadns.tirtagt.xyz
My phone is: Infinix Zero 8
Phone Version : Android 10 Build X687-H851D-Q-OP-210705v513
I ran this command: No Command
It produced this output: No command
My web server is (include version): Custom + Nginx v1.18.0
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: OVH VPS
I can login to a root shell on my machine (yes or no, or I don't know): Yes, Full Root
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, but actually no, I used my own customized panel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0
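As an added example (not code from the post or from TirtaDNS), here is a small Python parser for the "Certificate chain" section of the openssl s_client output above; it reports which root the served chain is anchored to and whether the last certificate is the ISRG Root X1 cross-signed by the expired DST Root CA X3, which is exactly the chain the post shows. The sample input is the chain copied from the post, and the names SAMPLE_CHAIN, ChainLink, parse_chain and chain_report are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "Certificate chain" block of the openssl output above.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:CN = tirtadns.tirtagt.xyz
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

@dataclass
class ChainLink:
    depth: int
    subject: str
    issuer: str

def common_name(dn: str) -> str:
    """Pull the CN out of an openssl-style 'C = US, O = ..., CN = ...' DN."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text: str) -> list:
    """Parse the ' N s:<subject>' / '   i:<issuer>' pairs into ChainLinks."""
    links, pending = [], None
    for line in text.splitlines():
        if m := re.match(r"\s*(\d+)\s+s:(.*)$", line):
            pending = (int(m.group(1)), m.group(2).strip())
        elif (m := re.match(r"\s*i:(.*)$", line)) and pending:
            links.append(ChainLink(*pending, m.group(1).strip()))
            pending = None
    return links

def chain_report(links: list) -> dict:
    """Summarise the served chain and which root it is anchored to."""
    # Each issuer must equal the next link's subject, else the bundle is broken.
    consistent = all(a.issuer == b.subject for a, b in zip(links, links[1:]))
    anchor = common_name(links[-1].issuer) if links else None
    return {
        "leaf": common_name(links[0].subject) if links else None,
        "intermediates": [common_name(l.subject) for l in links[1:]],
        "consistent": consistent,
        "anchored_to": anchor,
        # ISRG Root X1 cross-signed by the expired DST Root CA X3: fine for
        # clients that trust ISRG Root X1 itself, "expired" for DST-only ones.
        "ends_in_dst_cross_sign": anchor == "DST Root CA X3",
    }
```

Run `chain_report(parse_chain(SAMPLE_CHAIN))` to get the summary; paste the chain block from any other `openssl s_client` run in place of SAMPLE_CHAIN to check another server.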