TLS config with concatenated certificate + intermediary fails to calculate RFC7858 key-pin
Hello,
I followed the guide for generating a private key and signing it using Letsencrypt to use DNS over TLS.
In the end I have my private key and its certificate (0000_cert.pem) + intermediary certificate (0000_chain.pem). When I use the concatenated certificate (cert+chain), which is the one I need in order to be verified properly by kdig for example, loading fails with the following error:
Jun 03 12:13:35 anydns1 kresd[17220]: [tls] RFC 7858 OOB key-pin (0): pin-sha256="eWSVKY0R69Z6EnNkSnRr/5Cg+7vhrQXALXynzjVQVVc="
Jun 03 12:13:35 anydns1 kresd[17220]: [tls] could not calculate RFC 7858 OOB key-pin from cert 1 (-67) GNUTLS_E_ASN1_ELEMENT_NOT_FOUND
Jun 03 12:13:35 anydns1 kresd[17220]: *** Error in `/usr/sbin/kresd': double free or corruption (out): 0x000055a8d8ebabf0 ***
Jun 03 12:13:35 anydns1 kernel: kresd[17220]: segfault at 100000001 ip 00007fc9fc3edccb sp 00007fff9f69ab70 error 4 in libgcc_s.so.1[7fc9fc3df000+16000]
Jun 03 12:13:35 anydns1 systemd[1]: kresd@1.service: Main process exited, code=killed, status=11/SEGV
Using the certificate without the intermediary works fine, but openssl s_client and also verification with kdig find it unverified.
My config is simple:
-- vim:syntax=lua:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- Load useful modules
modules = {
    'policy',  -- Block queries to local zones/bad sites
    'hints',   -- Load /etc/hosts and allow custom root hints
    'stats',   -- Track internal statistics
    'predict', -- Prefetch expiring/frequent records
}
-- See kresd.systemd(7) about configuring network interfaces when using systemd
-- Listen on all IPv4 and IPv6 addresses on port 853 over TLS
net.tls("/etc/pki/knot-resolver-cert.pem", "/etc/pki/knot-resolver-key.pem")
for name, addr_list in pairs(net.interfaces()) do
    net.listen(addr_list, 853, { tls = true })
end
net.ipv4 = true
net.ipv6 = true
-- Drop root privileges
-- Unprivileged configuration
user('knot-resolver', 'knot-resolver')
-- Auto-maintain root TA
trust_anchors.file = 'root.keys'
policy.add(policy.all(policy.FORWARD('127.0.0.1')))
-- Cache size
cache.size = 256 * MB
Version used: knot-resolver 2.3.0-1 on Ubuntu 16.
Is this some kind of bug, or a misconfiguration with certificates? Also, dnsprivacy has a note that certificates should be concatenated.
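As an added check (not part of this report and not Knot Resolver's own code): walk every PEM block of a concatenated cert+chain file, extract the DER SubjectPublicKeyInfo of each CERTIFICATE block, and compute the RFC 7858 pin-sha256 the way kresd logs it, reporting which block (if any) cannot yield a pin. The DER walker, the helper names and the sample bundle are all my own construction, using only the standard library.

```python
import base64, hashlib, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_tlv(buf, pos=0):  # decode one DER tag-length-value; return (tag, value, end offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):  # split a SEQUENCE body into (tag, raw TLV bytes) per element
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_tlv(body, pos)
        out.append((tag, body[pos:end])); pos = end
    return out

def spki_from_cert(der):  # raw SubjectPublicKeyInfo TLV: the bytes an RFC 7858 pin covers
    tag, cert_body, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    fields = der_children(der_tlv(cert_body)[1])  # tbsCertificate fields
    if fields and fields[0][0] == 0xA0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, SPKI

def rfc7858_pin(spki_der):  # pin-sha256 as kresd logs it: base64(SHA-256(DER SPKI))
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pins_for_bundle(pem_text):  # (index, block type, pin or reason) for every PEM block
    report = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        kind, body = m.group(1), m.group(2)
        if kind != "CERTIFICATE":
            report.append((i, kind, "skipped: not a certificate")); continue
        try:
            report.append((i, kind, rfc7858_pin(spki_from_cert(base64.b64decode(body)))))
        except (ValueError, IndexError) as exc:
            report.append((i, kind, f"could not calculate pin: {exc}"))
    return report

# Constructed sample, not real certificates: a minimal DER certificate skeleton, a truncated
# copy of it, and a key block, concatenated the way a cert+chain file is (short-form lengths only).
def tlv(tag, content): return bytes([tag, len(content)]) + content
RSA_OID = tlv(0x30, bytes.fromhex("06092a864886f70d010101"))  # AlgorithmIdentifier rsaEncryption
SAMPLE_SPKI = tlv(0x30, RSA_OID + tlv(0x03, b"\x00\x01\x02"))  # SPKI with dummy key bits
SAMPLE_CERT = tlv(0x30, tlv(0x30, bytes.fromhex("a003020102") + tlv(0x02, b"\x01") + RSA_OID
                         + tlv(0x30, b"") * 3 + SAMPLE_SPKI) + RSA_OID + tlv(0x03, b"\x00\xff"))
def pem(kind, der): return f"-----BEGIN {kind}-----\n{base64.encodebytes(der).decode()}-----END {kind}-----\n"
SAMPLE_BUNDLE = pem("CERTIFICATE", SAMPLE_CERT) + pem("CERTIFICATE", SAMPLE_CERT[:30]) + pem("PRIVATE KEY", b"\x30\x00")
```

Feed it the text of the real concatenated file; the first block's pin should match the pin-sha256 kresd prints, and any block reported as "could not calculate pin" is the one to inspect before handing the bundle to net.tls().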