But, it is a bit out of date and the steps are manual in the GUI instead of automated with a script. Can someone help automate the remaining steps I need in the <> brackets?
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
<ASKS FOR PASSWORD, NEED TO REMOVE THIS PROMPT>
Yes, because the 1.1.1.1 cert already contains the IP 1.1.1.1 as an alternate name.
For example, https://one.one.one.one/dns-query does not work without a standard server, because one.one.one.one must first be resolved with the standard DNS.
@kangarie: “no certificate validation” = any MITM can present fake certificate and then see or even modify everything you’re sending and receiving. If that’s your goal, fine, enjoy. But otherwise it’s better to have verification enabled.
(no static dns) and (certificate validation needed) → You need certificate validation
or
(no static dns) and (no certificate validation needed) → You don't need certificate validation
As others write, you should have a normal DNS setup working so that you can use a URL without an IP, and therefore a certificate with DoH.
You can use the query URL with an IP address ("https://1.1.1.1/dns-query") and enable certificate verification. As the IP address is stored as a subject alternative name inside the certificate, this works. No static DNS is required, but you need to import the correct CA certificate (which is "DigiCert Global Root CA" for Cloudflare).
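Putting the thread's steps together as one non-interactive RouterOS script (added here as an example, not posted by anyone in the thread): it fetches the Mozilla CA bundle, imports it with an empty passphrase so no prompt appears, checks that the DigiCert Global Root CA from the last post is actually present, and only then enables DoH with certificate verification against the IP URL. The 5-second delay and the log messages are assumptions of this example; `use-doh-server` and `verify-doh-cert` are the standard /ip dns parameters.

```routeros
# Added example: automate DoH with certificate verification on RouterOS.
# Step 1: fetch the CA bundle used in the question.
/tool fetch url=https://curl.se/ca/cacert.pem

# Step 2: import it. passphrase="" (plain ASCII quotes) suppresses the
# interactive password prompt; curly quotes pasted from a browser do not.
/certificate import file-name=cacert.pem passphrase=""

# Assumption: give the import a moment to finish before checking.
:delay 5s

# Step 3: verify the root that signs Cloudflare's 1.1.1.1 certificate exists.
:local caCount [/certificate print count-only where common-name="DigiCert Global Root CA"]

:if ($caCount > 0) do={
    # Step 4: use the IP-based DoH URL (IP is a SAN in the cert) with
    # verification enabled, so no static DNS entry is needed.
    /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
    :log info "DoH enabled with certificate verification"
} else={
    # Do not enable DoH without the trust anchor; verification would fail.
    :log error "DigiCert Global Root CA not found, DoH not enabled"
}
```

Run it once from /system script (or paste it into the terminal); if the CA is missing, DoH is left unchanged rather than silently enabled without verification.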