DNS over TLS issues

  • Thread starter: doineedto
  • Start date:
  • Replies: 18
  • Views: 3,694
If you are having issues with the AdGuard server then something else could be wrong, as AdGuard DNS doesn't use Let's Encrypt (maybe it's a different issue?)


dns.adguard.com
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
 
To everyone who is facing this issue, I was able to resolve the issue. Find the details below:

The server where the cert is installed serves the certificate chain like this: yourserver.com < R3 < ISRG Root X1 < DST Root CA X3
Of these, the DST Root CA X3 expired on 30th Sept 2021. As it turns out, Android DNS over TLS has a problem with this certificate being part of the certificate chain. Let's Encrypt says that since another Root CA is provided after the expired one, devices should not raise any errors. This is correct and works when you access sites via a browser. Only the DoT subsystem on Android has issues with this.
This was done to maintain compatibility with older devices which did not include the ISRG Root CA.

If you are using only modern devices which include the ISRG Root CA and do not need to maintain compatibility with older devices, you can issue a certificate with a chain like this: yourserver.com < R3 < ISRG Root X1
To do this, you will need to update certbot to version 1.12.0 or later and then re-issue your certificate with the flag --preferred-chain "ISRG Root X1"

Please refer to the following post for details: Let's Encrypt Certificate is reported EXPIRED on Android 10 Private DNS Feature

TL;DR:
If DNS over TLS is not working on Android, follow these two steps:
1. Update certbot >= 1.12.0
2. Reissue the certificate with the flag: --preferred-chain "ISRG Root X1"

@mods: Since this issue is not specific to Airtel broadband, can this be moved to a general forum where it is easily discoverable?
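As an added example, not part of doineedto's post or of the thread: a POSIX shell script that pulls the chain a DoT server presents on port 853 with openssl s_client, checks whether that chain still terminates in the expired DST Root CA X3 cross-sign, gates on the certbot version the post names, and prints the re-issue command. The host name dot.example.net and the two chain listings embedded for the offline check are constructed, not captured from a real server; fetch_chain is the only part that touches the network.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks whether a DoT server
# serves the long Let's Encrypt chain (ISRG Root X1 cross-signed by the
# expired DST Root CA X3) and prints the certbot remediation from the post.

# Constructed sample of the "Certificate chain" section that
# `openssl s_client -connect host:853` prints for a server still sending
# the long chain. dot.example.net is a placeholder host.
SAMPLE_LONG_CHAIN="Certificate chain
 0 s:CN = dot.example.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3"

# Constructed sample of the same section after re-issuing with
# --preferred-chain "ISRG Root X1": the cross-signed root is no longer sent.
SAMPLE_SHORT_CHAIN="Certificate chain
 0 s:CN = dot.example.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1"

# Fetch the chain listing from a live DoT server on 853 (network; not used
# by the offline checks). The section ends at the bare "---" separator line.
fetch_chain() {
  openssl s_client -connect "$1:853" -servername "$1" </dev/null 2>/dev/null \
    | sed -n '/^Certificate chain/,/^---$/p'
}

# Print the issuer of the last certificate in the listing, i.e. the root the
# server is steering clients toward.
chain_top_issuer() {
  printf '%s\n' "$1" | awk '/^ +i:/ { last = $0 }
                            END { sub(/^ +i:/, "", last); print last }'
}

# Return 0 if the chain terminates in the expired DST Root CA X3 cross-sign.
# Substring match so both the "CN = X" and the older "/CN=X" OpenSSL
# subject formats are handled.
chain_uses_dst_root() {
  case "$(chain_top_issuer "$1")" in
    *"DST Root CA X3"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if dotted version $1 is >= dotted version $2 (e.g. 1.12.0 vs 1.12.0).
# Used to gate on certbot >= 1.12.0, the first release with --preferred-chain.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      p = (i <= n ? x[i] + 0 : 0); q = (i <= m ? y[i] + 0 : 0)
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0 }'
}

# The remediation from the post: force a re-issue with the short chain.
certbot_fix_command() {
  printf 'certbot renew --force-renewal --preferred-chain "ISRG Root X1"\n'
}

# Print a verdict for a chain listing; non-zero when the long chain is served.
diagnose_chain() {
  if chain_uses_dst_root "$1"; then
    printf 'chain ends in the expired DST Root CA X3 cross-sign (Android DoT may reject it)\n'
    printf 'fix: %s\n' "$(certbot_fix_command)"
    return 1
  fi
  printf 'chain ends at %s; no DST Root CA X3 cross-sign\n' "$(chain_top_issuer "$1")"
}

# Usage: sh check_dot_chain.sh dot.example.net
if [ $# -ge 1 ]; then
  installed=$(certbot --version 2>&1 | awk '{ print $2 }')
  if ! version_ge "${installed:-0}" 1.12.0; then
    printf 'certbot %s is too old for --preferred-chain; need 1.12.0 or later\n' "${installed:-<missing>}"
  fi
  diagnose_chain "$(fetch_chain "$1")"
fi
```

The check deliberately looks at the issuer of the last certificate the server sends rather than at what a browser on the same machine trusts, because the post's point is that Android's Private DNS validator, not the browser, chokes on the extra cross-signed link. After re-running certbot, run the script against port 853 again and confirm the listing now stops at ISRG Root X1.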
 
Update regarding the dns.adguard.com DNS server:
Turns out that there were some issues with the network. I received a call from Airtel asking if I was facing any issues with my broadband connection. Upon inquiring, I found out that many people in my area were facing many different issues.
After the call, the problem was resolved within 2 days. They must have fixed something on the backend.

Kudos to Airtel for such customer service. I have never seen an ISP call a customer proactively to check if they are facing issues.
 