These are chat archives for CZ-NIC/knot-resolver

28th Mar 2018
Daniel Aleksandersen
@da2x
Mar 28 2018 14:58
Hi. Are certificate bundles supported for the ca_file argument in TLS_FORWARD? (E.g. a single file that contains all the CAs my system trusts.)

policy.TLS_FORWARD({'9.9.9.9', hostname='dns.quad9.net.', ca_file='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'})

kresd: [tls_client] failed to verify peer certificate
kresd: [tls-client] gnutls_handshake failed: GNUTLS_E_CERTIFICATE_ERROR (-43)

(Also, what is the difference between tls_client and tls-client?)
Vladimír Čunát
@vcunat
Mar 28 2018 16:05
Hmm, I had tested a same-looking configuration.
- vs. _ is clearly just an unintentional difference
I can immediately only guess that it's about pem vs. crt.