To let dnsdist listen for DoH queries over HTTP on localhost at port 8053 add one of the following to your config::
addDOHLocal("127.0.0.1:8053")
- addDOHLocal("127.0.0.1:8053", nil, nil, "/", { reusePort=true })
\ No newline at end of file
+ addDOHLocal("127.0.0.1:8053", nil, nil, "/", { reusePort=true })
+
+A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal.
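Review bot: The wording "A particular attention should be taken to the permissions" is not idiomatic English; in the added paragraph use "Particular attention should be paid to the permissions of the certificate and key files". The same paragraph is added verbatim in the addTLSLocal section below, so consider writing it once (for instance in a shared certificate-handling section or an rst ``.. note::``) and referencing it from both places. "The right permissions" is also vague for a private key: spell out that the copied key must be owned by the user dnsdist drops privileges to and must not be world-readable, and that dnsdist has to be told to reload the certificates after the hook runs, since otherwise a renewed certificate stays unused. The project spells its own name "Certbot", so "CertBot" should be corrected. Note also that the ``-``/``+`` pair for ``addDOHLocal("127.0.0.1:8053", nil, nil, "/", { reusePort=true })`` only adds the missing trailing newline; that is fine but worth mentioning in the commit message.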
addTLSLocal('192.0.2.55', {'/etc/ssl/certs/example.com.rsa.pem', '/etc/ssl/certs/example.com.ecdsa.pem'}, {'/etc/ssl/private/example.com.rsa.key', '/etc/ssl/private/example.com.ecdsa.key'})
The certificate chain presented by the server to an incoming client will then be selected based on the algorithms this client advertised support for.
+
+A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal.
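Review bot: This paragraph is a byte-for-byte duplicate of the one added to the DoH section above, so it should be kept in one place and cross-referenced, or both copies must be edited together whenever the guidance changes. It has the same grammar problem ("A particular attention should be taken" should read "Particular attention should be paid") and the same "CertBot" spelling. Since the example right above uses keys under /etc/ssl/private, it would help to make the permission requirement concrete here: the copy in /etc/dnsdist must be readable by the dnsdist user and by nobody else, and the ``--deploy-hook`` should also trigger a certificate reload so the renewed chain is actually served.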