Hi,
I have configured DoH and it works until I enable certificate verification: “handshake failed”.
Where can I download a certificate for cloudflare? Or what extra things do I need to do for setup?
I tried to download the certificate from 1.1.1.1, https://1.1.1.3/dns-query and nothing works.
You’ll need at least this root CA: DigiCert Global Root G2, see https://www.ssllabs.com/ssltest/analyze.html?d=family.cloudflare%2ddns.com&s=1.1.1.3&latest
You have a few choices to be able to enable “Verify DoH Certificate” when using family.cloudflare-dns.com as DoH provider:
- Upgrade to 7.19 (currently available as 7.19rc3). This version has a built-in list of root CAs that includes DigiCert Global Root G2. After the upgrade you’ll need to turn on System → Certificates → Settings → Trust Built In Anchors (or run /certificate/settings/set builtin-trust-anchors=trusted).
- Stay with the current stable version, and if you have plenty of internal storage left on your router, download the whole list of common root CAs from CCADB at https://www.ccadb.org/resources, select and download PEM of Root Certificates in Mozilla’s Root Store with the Websites (TLS/SSL) Trust Bit Enabled (TXT), upload it to the router and go to System → Certificates to import the file. As a plus, you’ll be able to use the fetch command with HTTPS URLs and check-certificate=yes too.
- Stay with the current stable version, and if you are tight on available internal storage, only fetch and upload the CA certificate for DigiCert Global Root G2.
Given that 7.19 is at rc3 and a stable version is probably near, I’d go with option 1. I’ve been running the RC versions of 7.19 without issues.
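As an added example (not from this thread, and not MikroTik's own documentation), here is the third option carried through on the RouterOS command line: fetch just the one root CA, import it, turn on DoH verification, and check the result. It assumes the router still has a working plain DNS resolver for the bootstrap lookup, and that the DigiCert download URL shown is the one DigiCert publishes (assumed; verify it yourself).

```routeros
# Added example, not from the original thread. Assumptions: plain DNS still
# works for the bootstrap lookup, and the DigiCert download URL is correct.

# 1. Fetch only the one root CA. The router has no trust anchor installed yet,
#    so this HTTPS download cannot be verified by the router itself.
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem" check-certificate=no dst-path=DigiCertGlobalRootG2.crt.pem

# 2. Import it. A root CA carries no private key, so the passphrase is empty.
/certificate import file-name=DigiCertGlobalRootG2.crt.pem passphrase=""

# 3. Because step 1 was unverified, compare the fingerprint printed here with
#    the one DigiCert publishes for Global Root G2 before relying on it.
#    A mismatch means the file you imported is not the real root CA.
/certificate print detail where common-name="DigiCert Global Root G2"

# 4. Keep the DoH hostname resolvable once DoH is on (bootstrap entry),
#    then point the resolver at the DoH endpoint with verification enabled.
/ip dns static add name=family.cloudflare-dns.com address=1.1.1.3
/ip dns set use-doh-server="https://family.cloudflare-dns.com/dns-query" verify-doh-cert=yes

# 5. Check: a lookup succeeds and the DoH handshake no longer fails.
:put [:resolve example.com]
/ip dns print
```

If step 5 still reports a handshake failure, run `/certificate print` and confirm the imported entry is marked as trusted and its common name matches the CA on the Cloudflare chain.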