Assistance Needed: Certificate Validation Failure in H1_DNS_AB_Normal Test (Address-Bound)


Pranav Kulkarni

Nov 27, 2025, 3:21:55 AM
to Edge Test Tool (ETT)

Hello ETT Team,

I am currently working on the H1_DNS_AB_Normal test case for the Direct address:

in...@dev.unityhealth360.com

As shown in the attached screenshots, the DNS lookup step is passing successfully — the tool is able to discover the CERT record from my authoritative DNS server.
However, the test is failing at the “Validation of discovered certificate(s)” step.

✔ What is working
  • My authoritative DNS server (CoreDNS on AWS EC2) returns the CERT record correctly.

  • DCDT confirms successful DNS discovery:

    Success: true
    DNS lookup was successful
    Binding Type: ADDRESS
    Location Type: DNS

❌ What is failing

The next step fails:

Validation of discovered certificate(s):
Success: false
Binding Type: NONE
Location Type: (blank)
Discovered Valid Certificate: None

This indicates that the certificate was found, but it did not pass the validation rules required by the Direct Project / ETT validator.

🔍 What I need guidance on

Could you please help clarify:

  1. Which certificate validation rules are failing?
    (e.g., CN mismatch, SAN format, KeyUsage, EKU (emailProtection), BasicConstraints, SKI/AKI, etc.)

  2. What exact certificate requirements must be met for the H1 DNS Address-Bound validation?

  3. How can I verify my certificate structure locally to ensure it conforms to the Direct Project certificate profile before publishing it in DNS?

I have already ensured:

  • CERT record is correctly formatted

  • CN and SAN contain the correct Direct address

  • DNS zone and delegation are functioning properly

But since the validator reports “Binding Type: NONE” and “No valid certificates discovered,” I need help understanding which specific validation rule the certificate is failing.

Any guidance or examples of a fully compliant certificate profile would be very helpful.

Thank you for your assistance.

Regards,
Pranav Kulkarni
Screenshot from 2025-11-26 12-58-10.png

Screenshot from 2025-11-26 12-57-09.png

Sai Valluripalli

Dec 5, 2025, 8:10:24 AM
to Pranav Kulkarni, Edge Test Tool (ETT)
You can try this address to see what a valid certificate looks like
