I was just following this, for DoT on Linux.
Very old unbound configuration of mine… back when I ran dual servers to obfuscate. I don't do that anymore.
Anyways, your problem isn't the DoT resolver… it's whatever comes after TLS termination.
So what's happening here is I send out a DoT request… it hits your server… handshake completes… cert is fine… it queries from there to the DNS server; however, right here is where it fails and gives no answer.
Contrasting with mine
I'd say start your debug process here and above, @Argone.
I'm off for some exercise.
BTW, if that's your forward zone, you are using my Pi-hole, so I wouldn't do that.
Yours should be IPs@port#TLD.
okay
Also CHECK your intermediate cert… LE's stuff often breaks DoT because it has an unsigned loop chain for its intermediate… because they had this huge debacle over it. I'm not sure if they fixed it, but I bought a cert from Namecheap and never looked back.
If you can, sign up for their program and move to X2-E1. X3-R3 broke af for sockets like DoT when I was running LE before.
Disclaimer: I have no idea if this is still the case
Go to one of his self-hosted sites and see the chain of certificates.
Yeah, let me do that.
@Argone, can you give me a page you self-host in DMs? I know you don't want to expose your page.
It is gonna be a minute. I am restoring from a backup for Linode. Somehow GRUB got fucked.
Yeah I found that out before you said it
I'm gonna go exercise then.
You can check your certificate chain and see if you're in that shitty chain. If you are, no real choice but to buy a cert. I've loved buying mine. @Novasty knows some providers.
To quote LE:
“On September 30 2021, there will be a small change in how older browsers and devices trust Let’s Encrypt certificates. If you run a typical website, you won’t notice a difference - the vast majority of your visitors will still accept your Let’s Encrypt certificate. If you provide an API or have to support IoT devices, you might have to pay a little more attention to the change.”
AKA older browsers and sockets are fucked… sorry, RIP… you have free… free comes free of support. That's how I translate it.
God, it is going to be a minute. I am going to have to reconnect all of the WireGuard connections as I recently changed the keys for all the peers.
I'm nearly certain this might be the problem. Your issues on the DoT and your DNS are all backend, not frontend.
BTW @Argone, I know you like learning, but just going to throw it out there… There is a simpler, more headache-free route if you're not experienced in automating these things.
Buy a Synology… they are good (TrueNAS is too, but harder)… I mean, what's not to love about it… Get it… Set it… Forget it… something bonks itself to hell… and the box breaks… chuck the drives in another Synology… profit.
It keeps it separate from your desktop too, and you can avoid dual booting or using Linux as your primary on a shared machine.
Ehhh, I am using Proxmox and like it. I am learning. I feel accomplished once I get this stuff done.
You have to start somewhere.
I am just providing options like I do for everyone. Anyways, I'll be back later.
Also, here is the form to switch over to the E cert for LE.
Because you are affected by it
Also, you might want to fix this (I have guides on it. It's not urgent).
That trust store cert messes with Apple's and Android's DoT resolution, as an FYI. It often just fails to resolve because of that in the chain. Now you can remove that from the trust store, but it's still reacquired on connect.
I got a wildcard cert now.
No, I just copied that to show you that I followed that tutorial. I have my settings.