ERROR: tls: failed to verify certificate: x509: certificate signed by unknown authority

[verbal666]

Hello.
Maybe it's a FAQ, but reading around, i can't get rid of it 🥲🥲🥲

[NOTICE] dnscrypt-proxy 2.0.45
[NOTICE] Network connectivity detected
[NOTICE] Firefox workaround initialized
[NOTICE] Loading the set of forwarding rules from [/etc/dnscrypt-proxy/forwarding-rules.txt]
[ERROR] Get "https://dns.cloudflare.com/dns-query?dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAAAAAFAAMABAw4_qOVXYR61hwJRHFjoWE": tls: failed to verify certificate: x509: certificate signed by unknown authority
[NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable

In an open network perimeter i use dnscrypt-proxy without any problem.
With the same configuration, can't get through a proxy chain tunneling 🥲

Linux --> middle-http-proxy [1] --> main-proxy [2] --> internet

This network tunnel works perfect with OS, curl (using [1] proxy) and any other tool passing through http proxy (connect).

DEBUGGING
Since main-proxy [2] uses it's own certificates and own ca, maybe the problem is there!

dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -show-certs

does not produces any output 🥲

From the other open network perimeter i can get,

[NOTICE] dnscrypt-proxy 2.0.45
[NOTICE] Source [public-resolvers] loaded
[NOTICE] Firefox workaround initialized
[NOTICE] Loading the set of forwarding rules from [/etc/dnscrypt-proxy/forwarding-rules.txt]
[NOTICE] Advertised cert: [CN=cloudflare.com] [bfcb9fd5cf46e27dc95f2194728fda1235c2ed5b5b58baea7c44d20c57410ecb]
[NOTICE] Advertised cert: [CN=WE1,O=Google Trust Services,C=US] [5dcef11ccfce2d2fa41c47bf2debd91cd27b9f6e5c986a5e5d8b5d009fa4b250]
[NOTICE] Advertised cert: [CN=GTS Root R4,O=Google Trust Services LLC,C=US] [6e62a0efd60a04d93f2f864b54442717a666c038c8c70546af6319e4f46a2f73]
[NOTICE] [cloudflare] OK (DoH) - rtt: 63ms
[NOTICE] Server with the lowest initial latency: cloudflare (rtt: 63ms)

Is there a workaround to get rid of the issue?

Thanks 🙏🙏🙏

[verbal666]

I saw i'm using an old version. Tomorrow i'll update building to new version 2.1.7.

Meanwhile, is there not a parameter, similar to the curl,

--doh-insecure                                Allow insecure DoH server connections
 -k, --insecure                                    Allow insecure server connections
--proxy-insecure                              Skip HTTPS proxy cert verification

to make connection also if there is not a perfect certificate resolution?

[verbal666]

Why? It would be a final option for this extreme cases. As the -k or --doh-insecure in curl.
It would not be a mandatory option, but a "final-cut" option.
It would be inexplicable then why they have widely implemented it for years in curl and curl libraries.
Default, obviuosly, should be off!!!

Anyway tomorrow i'll update to 2.1.7 and try to install in the os the root ca certificate from proxy.

[lifenjoiner]

It seems you don't realize the magnitude of the problem you've created by doing this:
You'll open the door for MITM attack, not just for your MITM proxy.

curl is usually a one-time command. But here, it's a server that's going to be running all the time.

[verbal666]

Nope! I think you do not realize

1. dns daemon will run only for certain purposes (DevOPS), for few minutes, not h24!
2. it's not public, it's private, it only binds to 127.0.0.1 only for my single host
3. in my lan there are many firewalls and only admins can "sniff" the packets, external packets can only say "this isp is quering for a *.google.com dns call...so?
4. old natural dns proto was an udp not crypted method, so what's the difference if i use an insecure "1...2...3 shots" queries?
5. i know dnscrypt/dot/doh were just invented to eliminate the point 4 "issues" !!!

Anyway, i'll first try to chain the right certificates to make dnscrypt-proxy works as it should work 👍

[verbal666]

Made dnscrypt-proxy running on middle-http-proxy [1] where there are all root ca certificates installed and configured,

Linux --> middle-http-proxy [1] --> main-proxy [2] --> internet

And works fine 👍

+++

Also installed the root ca certificate in Linux host, and now tls works fine 👍

Linux --> middle-http-proxy [1] --> main-proxy [2] --> internet

+++

So, now, i have
1 or the local private dns proxy on local Linux host
2 or the public dns proxy inside middle-http-proxy [1]

👍👍👍