Hi, after setup DoH:
/tool fetch url=https://cacerts.digicert.com/DigiCertGl … CA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static add address=1.1.1.1 name=cloudflare-dns.com
/ip dns set servers=""
/ip firewall nat add action=redirect chain=dstnat comment="redirect dns-query to local DNS" dst-port=53 in-interface-list=!WAN protocol=udp
I run the terminal command /log print
and get this message: "dns,error DoH server connection error: SSL: ssl: hostname validation failed (6)"
What's wrong?
sas2k
November 11, 2023, 2:02pm
2
7.12?
There is a bug with the crl parameter.
Although it is unchecked in the GUI, you should manually switch it off:
/certificate/settings/set crl-use=no
7.11.2
I turned it off via the terminal command as you said, but there is no change; I still have the message "dns,error DoH server connection error: SSL: ssl: host name validation failed (6) [ignoring repeated messages]"
sas2k
November 11, 2023, 7:50pm
4
Let's try temporarily switching off cert validation:
verify-doh-cert=no
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=no
The easiest way is to uncheck the checkbox in the WinBox GUI.
I tried switching off DoH cert validation; the DoH server connection error messages disappeared, but only until I switch cert validation back on.
I updated to 7.12.1 and switched DoH cert verification on.
Now the /log print terminal command shows a new message:
"dns,error DoH server connection error: SSL: ssl: name verification failed for: "CN=dns.google""
What does it mean? Are all my network requests going via Chinese servers and not being verified because Google is banned in China?
Or are only some requests going via Chinese servers unverified?
Or something else?
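The two log messages in this thread are both outcomes of the same check: RouterOS connects to the address behind the DoH URL's hostname (here cloudflare-dns.com, pinned to 1.1.1.1 by the static entry) and compares the hostname against the names in the certificate the endpoint presents. "name verification failed for: CN=dns.google" therefore means the TLS endpoint reached at that address presented a certificate for dns.google, which does not cover cloudflare-dns.com, and verify-doh-cert=yes refused it as designed. The Python script below is an added example, not code from the thread or from MikroTik: it implements the hostname-to-certificate-name matching rule (exact match, or a wildcard covering exactly one label), classifies constructed RouterOS-style log lines with it, and includes an optional live probe (probe_doh_endpoint, network required, assumed to be run from an admin workstation) that reports what certificate name a given IP presents for a given server name. The log lines and certificate names are constructed for the example.

```python
import re
import socket
import ssl

# Constructed sample log lines modelled on the messages quoted in the thread
# (not captured from a real router).
SAMPLE_LOG = """\
nov/11 13:55:02 dns,error DoH server connection error: SSL: ssl: hostname validation failed (6)
nov/11 14:02:10 dns,error DoH server connection error: SSL: ssl: name verification failed for: "CN=dns.google"
nov/11 14:03:00 system,info dns changed by admin
"""

DOH_ERR = re.compile(
    r'DoH server connection error: SSL: ssl: '
    r'(?:hostname validation failed|name verification failed for: "(?P<cn>[^"]+)")'
)


def hostname_matches(expected, cert_names):
    """Return True if `expected` is covered by one of the certificate's DNS names.

    Rules: case-insensitive exact match, or a '*.' wildcard that replaces
    exactly one leftmost label (RFC 6125 style). No partial-label wildcards.
    """
    expected = expected.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # ".cloudflare-dns.com"
            head = expected[: -len(suffix)] if expected.endswith(suffix) else None
            if head and "." not in head:           # exactly one label consumed
                return True
        elif name == expected:
            return True
    return False


def classify_doh_errors(log_text, expected_host):
    """Scan RouterOS log text for DoH TLS errors and say what each one implies."""
    findings = []
    for line in log_text.splitlines():
        m = DOH_ERR.search(line)
        if not m:
            continue
        presented = m.group("cn")                  # e.g. "CN=dns.google" or None
        name = presented[3:] if presented and presented.startswith("CN=") else presented
        if name is None:
            verdict = ("hostname validation failed: check that the DoH URL hostname "
                       "resolves to the intended address and that the CA chain is trusted")
        elif hostname_matches(expected_host, [name]):
            verdict = "presented name matches %s; look at CA trust or clock instead" % expected_host
        else:
            verdict = ("endpoint presented a certificate for %s, not %s: TLS is not being "
                       "terminated by the expected DoH provider at that address" % (name, expected_host))
        findings.append({"line": line, "presented": name, "verdict": verdict})
    return findings


def probe_doh_endpoint(ip, server_name, port=443, timeout=5):
    """Live check (needs network): connect to `ip`, offer `server_name` via SNI and
    report the certificate names seen, or the verification error Python raises.
    Uses the system CA store, so the result mirrors a verify-doh-cert=yes client."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "names": sans}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    for f in classify_doh_errors(SAMPLE_LOG, "cloudflare-dns.com"):
        print(f["presented"], "->", f["verdict"])
    # print(probe_doh_endpoint("1.1.1.1", "cloudflare-dns.com"))  # live probe, uncomment to run
```

Run it as-is to see the offline classification; uncomment the last line on a host with Internet access to compare what 1.1.1.1 presents from your network against what the router logged. A result whose names do not cover cloudflare-dns.com reproduces the router's error and confirms the refusal is correct behaviour rather than a RouterOS bug.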