Snawoot/opera-proxy

"failed to verify certificate: x509" on Windows 7 when using custom bootstrap DNS

Closed this issue · 13 comments

Под windows 7 при использовании кастомных bootstrap dns лезет набившая ранее под никсами оскомину ошибка сертификатов. Вот только задание переменной SSL_CERT_FILE через set SSL_CERT_FILE=xxx, где xxx путь до curl'овского pem - файла в отличии от никсов ничего не даёт (ключ -cafile с тем же pem - сертификатом не помогает, если что) :/ Как быть ?

C:\Users\Admin>opera-proxy.exe  -bind-address 127.0.0.1:11112 -country EU -bootstrap-dns "https://dns11.quad9.net/dns-query"
MAIN    : 2024/12/20 00:30:58 main.go:186: INFO     opera-proxy client version v1.6.0 is starting...
MAIN    : 2024/12/20 00:30:58 main.go:411: INFO     Attempting action "anonymous registration", attempt #1...
MAIN    : 2024/12/20 00:31:01 main.go:417: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: requesting https://dns11.quad9.net:443/dns-query: Get "https://dns11.quad9.net:443/dns-query?dns=AAABAAABAAAAAAAABGFwaTIKc2VjLXR1bm5lbANjb20AABwAAQ": tls: failed to verify certificate: x509: certificate signed by unknown authority
requesting https://dns11.quad9.net:443/dns-query: Get "https://dns11.quad9.net:443/dns-query?dns=AAABAAABAAAAAAAABGFwaTIKc2VjLXR1bm5lbANjb20AAAEAAQ": tls: failed to verify certificate: x509: certificate signed by unknown authority
MAIN    : 2024/12/20 00:31:01 main.go:408: WARNING  Retrying action "anonymous registration" in 5s...
MAIN    : 2024/12/20 00:31:06 main.go:411: INFO     Attempting action "anonymous registration", attempt #2...
MAIN    : 2024/12/20 00:31:07 main.go:417: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: requesting https://dns11.quad9.net:443/dns-query: Get "https://dns11.quad9.net:443/dns-query?dns=AAABAAABAAAAAAAABGFwaTIKc2VjLXR1bm5lbANjb20AAAEAAQ": tls: failed to verify certificate: x509: certificate signed by unknown authority
requesting https://dns11.quad9.net:443/dns-query: Get "https://dns11.quad9.net:443/dns-query?dns=AAABAAABAAAAAAAABGFwaTIKc2VjLXR1bm5lbANjb20AABwAAQ": tls: failed to verify certificate: x509: certificate signed by unknown authority
MAIN    : 2024/12/20 00:31:07 main.go:408: WARNING  Retrying action "anonymous registration" in 5s...
^C
C:\Users\Admin>opera-proxy.exe  -bind-address 127.0.0.1:11112 -country EU -bootstrap-dns "tls://9.9.9.11"
MAIN    : 2024/12/20 00:31:35 main.go:186: INFO     opera-proxy client version v1.6.0 is starting...
MAIN    : 2024/12/20 00:31:35 main.go:411: INFO     Attempting action "anonymous registration", attempt #1...
MAIN    : 2024/12/20 00:31:38 main.go:417: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: getting conn to tls://9.9.9.11:853: connecting to 9.9.9.11: tls: failed to verify certificate: x509: certificate signed by unknown authority
getting conn to tls://9.9.9.11:853: connecting to 9.9.9.11: tls: failed to verify certificate: x509: certificate signed by unknown authority
MAIN    : 2024/12/20 00:31:38 main.go:408: WARNING  Retrying action "anonymous registration" in 5s...
^C
C:\Users\Admin>opera-proxy.exe  -bind-address 127.0.0.1:11112 -country EU -bootstrap-dns "tls://9.9.9.9"
MAIN    : 2024/12/20 00:32:17 main.go:186: INFO     opera-proxy client version v1.6.0 is starting...
MAIN    : 2024/12/20 00:32:17 main.go:411: INFO     Attempting action "anonymous registration", attempt #1...
MAIN    : 2024/12/20 00:32:20 main.go:417: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: getting conn to tls://9.9.9.9:853: connecting to 9.9.9.9: tls: failed to verify certificate: x509: certificate signed by unknown authority
getting conn to tls://9.9.9.9:853: connecting to 9.9.9.9: tls: failed to verify certificate: x509: certificate signed by unknown authority
MAIN    : 2024/12/20 00:32:20 main.go:408: WARNING  Retrying action "anonymous registration" in 5s...
^C

I think you need to install SP1: https://www.microsoft.com/en-us/download/details.aspx?id=45633

@Snawoot, this is specifically on Win 7 x64 SP1. The Let's Encrypt certificates are updated too, if that matters.

Does the SSL_CERT_FILE variable work on Windows?

Does the SSL_CERT_FILE variable work on Windows?

Nope, but you can import the certs into the system store.

If it's actually about them at all; the censor may also be MITM-ing to show a block page.

By the way, the IP address of that API domain changes quite rarely, so you can simply skip the resolving step and set it manually: -api-address 77.111.247.17 or -api-address 77.111.247.15

Nope, but you can import the certs into the system store.

Is that curl's PEM file? OK, I'll try.

If it's actually about them at all; the censor may also be MITM-ing to show a block page.

Could you provide a couple of more specific DNS servers instead of Quad9 for testing? To figure out whether that's the issue.

By the way, the IP address of that API domain changes quite rarely, so you can simply skip the resolving step and set it manually: -api-address 77.111.247.17 or -api-address 77.111.247.15

Nice tweak. opera-proxy starts much faster. Thanks. Is there a similar tweak for hola-proxy?

Could you provide a couple of more specific DNS servers instead of Quad9 for testing? To figure out whether that's the issue.

I don't have any; you can run knot-resolver somewhere yourself.

Nice tweak. opera-proxy starts much faster. Thanks. Is there a similar tweak for hola-proxy?

No, a single fixed address won't do there.

I don't have any; you can run knot-resolver somewhere yourself.

I meant not yours, but a list of public resolvers for testing.

Over TLS it's dead:

C:\Users\Admin>opera-proxy.exe  -bind-address 127.0.0.1:11223 -country EU -bootstrap-dns "tls://8.8.8.8"
MAIN    : 2024/12/30 17:08:43 main.go:188: INFO     opera-proxy client version v1.7.0-1-g7df99c4 is starting...
MAIN    : 2024/12/30 17:08:43 main.go:414: INFO     Attempting action "anonymous registration", attempt #1...
MAIN    : 2024/12/30 17:08:44 main.go:420: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: getting conn to tls://8.8.8.8:853: connecting to 8.8.8.8: tls: failed to verify certificate: x509: certificate is valid for 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844, 2001:4860:4860::6464, 2001:4860:4860::64, not 8.8.8.8
getting conn to tls://8.8.8.8:853: connecting to 8.8.8.8: tls: failed to verify certificate: x509: certificate is valid for 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844, 2001:4860:4860::6464, 2001:4860:4860::64, not 8.8.8.8
MAIN    : 2024/12/30 17:08:44 main.go:411: WARNING  Retrying action "anonymous registration" in 5s...
MAIN    : 2024/12/30 17:08:49 main.go:414: INFO     Attempting action "anonymous registration", attempt #2...
MAIN    : 2024/12/30 17:08:49 main.go:420: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: getting conn to tls://8.8.8.8:853: connecting to 8.8.8.8: tls: failed to verify certificate: x509: certificate is valid for 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844, 2001:4860:4860::6464, 2001:4860:4860::64, not 8.8.8.8
getting conn to tls://8.8.8.8:853: connecting to 8.8.8.8: tls: failed to verify certificate: x509: certificate is valid for 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844, 2001:4860:4860::6464, 2001:4860:4860::64, not 8.8.8.8
MAIN    : 2024/12/30 17:08:49 main.go:411: WARNING  Retrying action "anonymous registration" in 5s...
^C
C:\Users\Admin>opera-proxy.exe  -bind-address 127.0.0.1:11223 -country EU -bootstrap-dns "tls://185.228.168.9"
MAIN    : 2024/12/30 17:09:11 main.go:188: INFO     opera-proxy client version v1.7.0-1-g7df99c4 is starting...
MAIN    : 2024/12/30 17:09:12 main.go:414: INFO     Attempting action "anonymous registration", attempt #1...
MAIN    : 2024/12/30 17:09:12 main.go:420: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: getting conn to tls://185.228.168.9:853: connecting to 185.228.168.9: tls: failed to verify certificate: x509: cannot validate certificate for 185.228.168.9 because it doesn't contain any IP SANs
getting conn to tls://185.228.168.9:853: connecting to 185.228.168.9: tls: failed to verify certificate: x509: cannot validate certificate for 185.228.168.9 because it doesn't contain any IP SANs
MAIN    : 2024/12/30 17:09:12 main.go:411: WARNING  Retrying action "anonymous registration" in 5s...
MAIN    : 2024/12/30 17:09:17 main.go:414: INFO     Attempting action "anonymous registration", attempt #2...
MAIN    : 2024/12/30 17:09:17 main.go:420: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: getting conn to tls://185.228.168.9:853: connecting to 185.228.168.9: tls: failed to verify certificate: x509: cannot validate certificate for 185.228.168.9 because it doesn't contain any IP SANs
getting conn to tls://185.228.168.9:853: connecting to 185.228.168.9: tls: failed to verify certificate: x509: cannot validate certificate for 185.228.168.9 because it doesn't contain any IP SANs
MAIN    : 2024/12/30 17:09:17 main.go:411: WARNING  Retrying action "anonymous registration" in 5s...
^C
C:\Users\Admin>opera-proxy.exe  -bind-address 127.0.0.1:11223 -country EU -bootstrap-dns "tls://77.88.8.1"
MAIN    : 2024/12/30 17:09:52 main.go:188: INFO     opera-proxy client version v1.7.0-1-g7df99c4 is starting...
MAIN    : 2024/12/30 17:09:53 main.go:414: INFO     Attempting action "anonymous registration", attempt #1...
MAIN    : 2024/12/30 17:09:53 main.go:420: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: getting conn to tls://77.88.8.1:853: connecting to 77.88.8.1: tls: failed to verify certificate: x509: certificate is valid for 77.88.8.1, 77.88.8.2, 77.88.8.3, 77.88.8.7, 77.88.8.8, 77.88.8.88, not 77.88.8.1
getting conn to tls://77.88.8.1:853: connecting to 77.88.8.1: tls: failed to verify certificate: x509: certificate is valid for 77.88.8.1, 77.88.8.2, 77.88.8.3, 77.88.8.7, 77.88.8.8, 77.88.8.88, not 77.88.8.1
MAIN    : 2024/12/30 17:09:53 main.go:411: WARNING  Retrying action "anonymous registration" in 5s...
MAIN    : 2024/12/30 17:09:58 main.go:414: INFO     Attempting action "anonymous registration", attempt #2...
MAIN    : 2024/12/30 17:09:59 main.go:420: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: getting conn to tls://77.88.8.1:853: connecting to 77.88.8.1: tls: failed to verify certificate: x509: certificate is valid for 77.88.8.1, 77.88.8.2, 77.88.8.3, 77.88.8.7, 77.88.8.8, 77.88.8.88, not 77.88.8.1
getting conn to tls://77.88.8.1:853: connecting to 77.88.8.1: tls: failed to verify certificate: x509: certificate is valid for 77.88.8.1, 77.88.8.2, 77.88.8.3, 77.88.8.7, 77.88.8.8, 77.88.8.88, not 77.88.8.1
MAIN    : 2024/12/30 17:09:59 main.go:411: WARNING  Retrying action "anonymous registration" in 5s...
MAIN    : 2024/12/30 17:10:04 main.go:414: INFO     Attempting action "anonymous registration", attempt #3...
MAIN    : 2024/12/30 17:10:04 main.go:420: WARNING  Action "anonymous registration" failed: Post "https://api2.sec-tunnel.com/v4/register_subscriber": dial failed on address lookup: getting conn to tls://77.88.8.1:853: connecting to 77.88.8.1: tls: failed to verify certificate: x509: certificate is valid for 77.88.8.1, 77.88.8.2, 77.88.8.3, 77.88.8.7, 77.88.8.8, 77.88.8.88, not 77.88.8.1
getting conn to tls://77.88.8.1:853: connecting to 77.88.8.1: tls: failed to verify certificate: x509: certificate is valid for 77.88.8.1, 77.88.8.2, 77.88.8.3, 77.88.8.7, 77.88.8.8, 77.88.8.88, not 77.88.8.1
MAIN    : 2024/12/30 17:10:04 main.go:411: WARNING  Retrying action "anonymous registration" in 5s...
^C

But over HTTPS it went through:

C:\Users\Admin>opera-proxy.exe  -bind-address 127.0.0.1:11223 -country EU -bootstrap-dns "https://dns.google/dns-query"
MAIN    : 2024/12/30 17:08:33 main.go:188: INFO     opera-proxy client version v1.7.0-1-g7df99c4 is starting...
MAIN    : 2024/12/30 17:08:33 main.go:414: INFO     Attempting action "anonymous registration", attempt #1...
MAIN    : 2024/12/30 17:08:35 main.go:417: INFO     Action "anonymous registration" succeeded on attempt #1
MAIN    : 2024/12/30 17:08:35 main.go:414: INFO     Attempting action "device registration", attempt #1...
MAIN    : 2024/12/30 17:08:35 main.go:417: INFO     Action "device registration" succeeded on attempt #1
MAIN    : 2024/12/30 17:08:35 main.go:414: INFO     Attempting action "discover", attempt #1...
MAIN    : 2024/12/30 17:08:36 main.go:417: INFO     Action "discover" succeeded on attempt #1
MAIN    : 2024/12/30 17:08:36 main.go:349: INFO     Endpoint: 77.111.247.77:443
MAIN    : 2024/12/30 17:08:36 main.go:350: INFO     Starting proxy server...
MAIN    : 2024/12/30 17:08:36 main.go:352: INFO     Init complete.

I tried importing curl's cacert.pem (renamed to cacert.crt), but only the first certificate of the whole bundle got imported. How to import the rest in bulk rather than one by one, I have no idea :(

In the first case:

user@ws:~> openssl s_client -connect 8.8.8.8:853
Connecting to 8.8.8.8
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=dns.google
verify return:1
---
Certificate chain
 0 s:CN=dns.google
   i:C=US, O=Google Trust Services, CN=WR2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec  2 08:37:48 2024 GMT; NotAfter: Feb 24 08:37:47 2025 GMT
 1 s:C=US, O=Google Trust Services, CN=WR2
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---

In the second:

user@ws:~> openssl s_client -connect dns.google:443
Connecting to 8.8.8.8
CONNECTED(00000003)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=dns.google
verify return:1
---
Certificate chain
 0 s:CN=dns.google
   i:C=US, O=Google Trust Services, CN=WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec  2 08:37:48 2024 GMT; NotAfter: Feb 24 08:37:47 2025 GMT
 1 s:C=US, O=Google Trust Services, CN=WR2
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---

The leaf certs differ a bit, but the chain of signers is the same. So it's not about trusting the certs and not about the root certs installed in the system.
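To make the two DoT failure messages in the logs above concrete, here is an added Go example (not part of this thread or of opera-proxy) that builds a throwaway CA and two leaf certificates with crypto/x509 and verifies them for the dialed name the way crypto/tls does with ServerName. The CA, the hostname resolver.example and the address 192.0.2.53 are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// newCert signs a throwaway certificate (constructed for this example): a self-signed CA when parent == nil, else a server leaf with the given DNS and IP SANs.
func newCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, dns []string, ips []net.IP) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyFor validates leaf against root for the name that was dialed: an IP literal (bootstrap tls://<ip>)
// or a hostname (https://<host>/...). crypto/tls runs the same check, which is where the x509 errors come from.
func VerifyFor(leaf, root *x509.Certificate, dialed string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dialed})
	return err
}

// Demo: DNS-only leaf dialed by IP (fails: no IP SANs), leaf with that IP SAN dialed by IP (ok), DNS-only leaf dialed by name (ok).
func Demo() (noIPSAN, ipSAN, byName error) {
	ca, caKey := newCert(nil, nil, nil, nil)
	dnsOnly, _ := newCert(ca, caKey, []string{"resolver.example"}, nil)
	withIP, _ := newCert(ca, caKey, []string{"resolver.example"}, []net.IP{net.ParseIP("192.0.2.53")})
	return VerifyFor(dnsOnly, ca, "192.0.2.53"), VerifyFor(withIP, ca, "192.0.2.53"), VerifyFor(dnsOnly, ca, "resolver.example")
}
```

The first case fails with the same "doesn't contain any IP SANs" wording the log shows for 185.228.168.9, while a leaf that actually carries the dialed IP passes; the "valid for 8.8.8.8, ..., not 8.8.8.8" message in the log is therefore not something Go's own verifier reproduces with a matching IP SAN.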

I set up my own DoH server yesterday, try https://fidelity.vm-0.com/q

I set up my own DoH server yesterday, try https://fidelity.vm-0.com/q

Checked. It works :)

C:\Users\Admin>opera-proxy.exe  -bind-address 127.0.0.1:55229 -country EU -bootstrap-dns "https://fidelity.vm-0.com/q"
MAIN    : 2025/01/05 02:17:59 main.go:188: INFO     opera-proxy client version v1.7.0-1-g7df99c4 is starting...
MAIN    : 2025/01/05 02:17:59 main.go:414: INFO     Attempting action "anonymous registration", attempt #1...
MAIN    : 2025/01/05 02:18:01 main.go:417: INFO     Action "anonymous registration" succeeded on attempt #1
MAIN    : 2025/01/05 02:18:01 main.go:414: INFO     Attempting action "device registration", attempt #1...
MAIN    : 2025/01/05 02:18:02 main.go:417: INFO     Action "device registration" succeeded on attempt #1
MAIN    : 2025/01/05 02:18:02 main.go:414: INFO     Attempting action "discover", attempt #1...
MAIN    : 2025/01/05 02:18:02 main.go:417: INFO     Action "discover" succeeded on attempt #1
MAIN    : 2025/01/05 02:18:02 main.go:349: INFO     Endpoint: 77.111.247.75:443
MAIN    : 2025/01/05 02:18:02 main.go:350: INFO     Starting proxy server...
MAIN    : 2025/01/05 02:18:02 main.go:352: INFO     Init complete.

So it turns out it's blocking/filtering?

Looks like it. I've added it to the list of resolvers used by default; today's version 1.7.1 will use it among the others.