Dear Viktor Dukhovni,
        You are right, but kindly advise how I can get the TLSA record? I used
openssl x509 -in xn----ymcadjpj1at5o.xn--wgbh1c.registry.crt -outform DER | openssl sha256
(stdin)= 1a70df05ac43318ab35a16542a8736d077ace3126fafe00508edd7484f293c6c

And got what I added to the zone file.
Thnx


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf 
Of Viktor Dukhovni
Sent: Tuesday, July 14, 2015 6:58 AM
To: [email protected]
Subject: Re: TLSA Validation Failed

On Mon, Jul 13, 2015 at 09:04:34PM +0000, Abdelmeniem Tharwat wrote:

> And when I try to execute dig @8.8.8.8 
> _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c +dnssec TLSA, I got the TLSA record 
> that is identical to the hash from crt file.

Both are wrong.

> The TLSA validator said that :-
> 
> [cid:[email protected]]
> 
> any advice !!!

The correct "3 0 1" TLSA for your server is:

    _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 AD562370D03DFBE4EDFC4780A2367C8FD086D8A00D53A80D8EC6A8909D50DA9A

What you've published is:

    _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 1A70DF05AC43318AB35A16542A8736D077ACE3126FAFE00508EDD7484F293C6C

No idea what that is the digest of, but it is not the digest of the DER form of 
the server certificate.

-- 
        Viktor.
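To check a published "3 0 1" record against a certificate the way Viktor does above, the following added example (not from either poster) converts a PEM certificate to DER, derives the selector-0 certificate association data for matching types 0, 1 and 2 (the thread only covers type 1, SHA-256), and compares it case-insensitively with the rdata in the zone. The PEM blob it runs on is a constructed stand-in, not a real certificate; `SAMPLE_DER`, `SAMPLE_PEM` and all function names are assumptions.

```python
import base64
import hashlib
import re
import textwrap

# Constructed sample: arbitrary bytes wrapped in PEM armour. It is NOT a real
# certificate; it only exercises the PEM -> DER -> digest path.
SAMPLE_DER = bytes(range(64)) * 2
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_cert_data(der, matching_type):
    """Certificate association data for selector 0 (full DER certificate)."""
    if matching_type == 0:          # exact match: the raw DER, hex-encoded
        return der.hex()
    if matching_type == 1:          # SHA-256 of the DER (the "3 0 1" case)
        return hashlib.sha256(der).hexdigest()
    if matching_type == 2:          # SHA-512 of the DER
        return hashlib.sha512(der).hexdigest()
    raise ValueError("unsupported matching type %r" % matching_type)


def tlsa_record(owner, der, usage=3, matching_type=1):
    """Render the zone-file line to publish for this certificate."""
    data = tlsa_cert_data(der, matching_type).upper()
    return "%s TLSA %d 0 %d %s" % (owner, usage, matching_type, data)


def tlsa_matches(der, published_rdata):
    """True if 'usage selector mtype data' rdata matches the DER certificate."""
    usage, selector, mtype, data = published_rdata.split(None, 3)
    if int(selector) != 0:
        raise ValueError("only selector 0 (full certificate) is handled here")
    expected = tlsa_cert_data(der, int(mtype))
    return "".join(data.split()).lower() == expected


if __name__ == "__main__":
    print(tlsa_record("_443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c.", pem_to_der(SAMPLE_PEM)))
```

Feeding it the PEM text instead of the DER bytes produces a different digest, which is the kind of mismatch a validator will flag.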
