Hi. I have hosted an AdGuard server behind a Traefik proxy.
When I tried to use DoH in Chrome, I was getting "Please verify that this is a valid provider or try again later."
Later I realised Traefik is serving the default cert over 853:
kdig -d @mydomain.tld +tls-ca +tls-host=mydomain.tld example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(mydomain.tld), port(853), protocol(TCP)
;; DEBUG: TLS, imported 137 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=TRAEFIK DEFAULT CERT
;; DEBUG:      SHA-256 PIN: Lhw7SUI7h6skkjhdfaskjHDSUysdhsojdkdhdmnf7y+lyg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server mydomain.tld@853(TCP)
I already have a wildcard certificate from Let's Encrypt and it's working fine over the browser.
openssl s_client -showcerts -connect mydomain.tld:853
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mydomain.tld
verify return:1
I couldn't understand the issue here. Why is kdig reporting that I have the Traefik default cert while openssl reports that I have a valid cert? And Chrome secure DNS also reports that I don't have valid certs.
I have tried overriding the TLS default cert with a PEM file, but it still doesn't work for me. It would be better if someone could help me out here.