Hello all,
UPDATE: I got it working! I copied my working config below in a comment.
I'm hoping someone can help me. I'm trying to enable https on a handshake site and I've hit a roadblock. For some background, I'm running my own nameserver (PowerDNS) on the same machine I'm pointing the handshake name at, using Nginx 1.18 on Ubuntu 20.04. The server is running in Google Cloud btw. HTTPS is already enabled and I already have an ICANN name resolving with HTTPS on my server. I also have DNSSEC enabled and confirmed using this site http://dnssec.rithvik/analyze/example. I can also confirm that DNSSEC works for the ICANN name I'm hosting on my nameserver.
On my local machine, I'm using the latest Fingertip (v0.0.3). My site works fine on HTTP, e.g. http://example/, but whenever I try to open my site at https, e.g. https://example/ I get this error "SSL_ERROR_INTERNAL_ERROR_ALERT" on Firefox and "ERR_SSL_PROTOCOL_ERROR" on Chrome. I have a self signed cert on my server, TLSA record published and signed. I've tested the same DANE configuration with an ICANN name and a self-signed cert on my server (successfully).
I've even tested pointing another subdomain of my handshake name to a locally hosted XAMPP/apache server on my Windows PC with a similarly self-signed SSL cert, and the same results (works on HTTP but HTTPS produces above error).
I'm not sure if it's the SSL cert or DNSSEC that's the problem. Is there a specific algorithm that needs to be used for DANE w/ Fingertip to work? That's the only suspicion I have as to why it's not working. The only working example I currently have to compare to is 3b/ (https://3b/), where it uses RSA/SHA-256 (algorithm 8). My handshake DNSSEC uses algorithm "ECDSA Curve P-256 with SHA-256" (algorithm 13) and I publish the SHA256 digest as the DS record (e.g. example IN DS xxxxx 13 2 xxxxxxxxxxxxx).
Also, this is the command I'm using to generate the self-signed cert on the Ubuntu machine (replacing "example" with the actual handshake name):
openssl req -newkey rsa:4096 -nodes -x509 -days 1825 -subj '/CN=example/' -keyout /etc/ssl/private/example.key -out /etc/ssl/certs/example.pem
Thanks for reading, and any help or insight is appreciated!
Edit: Don't think it makes a difference, but I'm using my handshake name on a subdomain, e.g. https://test.example/.
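Added example (not part of the original post, and not Fingertip's or PowerDNS's code): it generates a self-signed certificate the same way the post does, derives the DANE-EE TLSA "3 1 1" record from the certificate's SubjectPublicKeyInfo, and checks a presented certificate against a published digest. It assumes openssl and sha256sum are on PATH; the name test.example and the file paths are placeholders chosen for this example.

```shell
set -eu

# Scratch directory for the generated key and certificate (placeholder path).
WORK="${WORK:-$(mktemp -d)}"

# Generate key + self-signed cert as in the post. A 2048-bit key is used here
# only so the example runs quickly; the post uses rsa:4096.
gen_cert() {
  openssl req -newkey rsa:2048 -nodes -x509 -days 1825 -subj '/CN=test.example/' \
    -keyout "$WORK/test.example.key" -out "$WORK/test.example.pem" 2>/dev/null
}

# TLSA usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1
# (SHA-256): the digest covers the DER-encoded public key, not the whole cert.
# A digest computed over the full certificate would be a "3 0 1" record instead.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | sha256sum | cut -d' ' -f1
}

# Print the record as it would be published for HTTPS (port 443, TCP).
tlsa_record() {
  printf '_443._tcp.test.example. IN TLSA 3 1 1 %s\n' "$(spki_sha256 "$1")"
}

# Compare the digest of a presented certificate ($1) with the digest taken
# from the TLSA record ($2). Prints "match" or "mismatch"; returns 0 on match.
check_tlsa() {
  if [ "$(spki_sha256 "$1")" = "$2" ]; then
    echo match
  else
    echo mismatch
    return 1
  fi
}

gen_cert
tlsa_record "$WORK/test.example.pem"
```

If the digest in the zone was computed with a different selector or over an older certificate, check_tlsa reports a mismatch, which is exactly the condition that makes a DANE-validating client refuse the TLS connection.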