Deployed custom/private CA and AdguardHome (running in a container on a Mikrotik router). Certificate for AdguardHome issued by the private CA. CA certificate installed on Pixel and on Linux (Firefox, Ungoogled Chromium).
Pointing any of the mentioned web browsers (including Vanadium) to the web interface of AdguardHome works. Firefox, Ungoogled Chromium and Vanadium trust the certificate issued by the private CA. I can use DoT/DoH in Firefox and Ungoogled Chromium; both browsers accept Adguard's certificate.
OK, now I tried to set "Private DNS", adguard.somedomain.local, on the Pixel. It doesn't work. In Adguard's log is this message:
[error] dnsproxy: reading msg proto=tcp err="reading len: remote error: tls: unknown certificate authority"
GOS simply says "Unable to connect" (to the private DNS). Sometimes it shows a notification such as "Network XY has no internet access, unable to access private DNS". No internet access - that's true, but IMO it isn't needed. The DNS provided by the network resolves adguard.somedomain.local, and GOS started communicating with Adguard itself (observed with Wireshark).
In the system log is this:
04-04 23:42:06.341 root 855 1896 W resolv : Validating DnsTlsServer {192.168.66.10/adguard.somedomain.local} with mark 0xf008e
04-04 23:42:06.344 root 855 1897 W resolv : Validating DnsTlsServer {192.168.66.10/adguard.somedomain.local} with mark 0xf007a
04-04 23:42:06.576 root 855 1896 W resolv : SSL_connect ssl error =1, mark 0xf008e: No such file or directory
04-04 23:42:06.577 root 855 1896 W resolv : TLS Handshake failed
04-04 23:42:06.577 root 855 1896 W resolv : query failed
04-04 23:42:06.577 root 855 1896 W resolv : validateDnsTlsServer returned 0 for {192.168.66.10/adguard.somedomain.local}
04-04 23:42:06.578 root 855 1897 W resolv : SSL_connect ssl error =1, mark 0xf007a: No such file or directory
04-04 23:42:06.578 root 855 1897 W resolv : TLS Handshake failed
04-04 23:42:06.579 root 855 1897 W resolv : query failed
04-04 23:42:06.579 root 855 1897 W resolv : validateDnsTlsServer returned 0 for {192.168.66.10/adguard.somedomain.local}
04-04 23:42:06.579 root 855 1896 W resolv : Validation failed
04-04 23:42:06.579 root 855 1897 W resolv : Validation failed
Mark, no such file or directory - is it looking for a marked packet, or what?
I don't have an IP address in the certificate; is it required for GOS?
Should DNS over TLS work with a custom CA, or does it work with built-in CAs only?
Thanks for any suggestion.
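The "unknown certificate authority" alert in the Adguard log is the server's view of the Pixel rejecting the chain. A useful way to separate a server-side problem (chain not sent completely, hostname not in the SAN) from a client-side trust-store problem is to run an independent DoT client from Linux that verifies against the private CA file only. The script below is an added example written for this thread, not code from the post or from AdguardHome/GrapheneOS; the server IP and hostname are placeholders modelled on the post, `ca.pem` is an assumed path to the private CA certificate, and the DNS response in the comments is constructed for illustration. It speaks RFC 7858 (a DNS message with a 2-byte length prefix inside TLS on port 853), checks the chain and the hostname against the given CA, and decodes the A records it gets back.

```python
"""Minimal DNS-over-TLS (RFC 7858) client for checking a private-CA server.

Added example for the thread above, not the forum poster's code. It verifies
the server certificate against a caller-supplied CA file and hostname, which
is what the phone's resolver also has to do before it will use the server.
"""
import socket
import ssl
import struct
import sys


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard DNS query (RD set, no EDNS) for `name`; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return (rcode, [(name, rtype, rdata)]); A records are rendered dotted."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return rcode, answers


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def dot_query(server_ip: str, server_name: str, cafile: str, qname: str,
              port: int = 853, timeout: float = 5.0):
    """One DoT exchange. Raises ssl.SSLCertVerificationError when the chain
    does not validate against `cafile` or `server_name` is not in the SAN,
    which is the client-side counterpart of the server's
    'unknown certificate authority' alert."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust ONLY the private CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(qname)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length))


if __name__ == "__main__":
    # Placeholders modelled on the post; replace with your own values.
    ip, name, ca = "192.168.66.10", "adguard.somedomain.local", "ca.pem"
    if len(sys.argv) == 4:
        ip, name, ca = sys.argv[1:4]
    try:
        print(dot_query(ip, name, ca, name))
    except ssl.SSLCertVerificationError as e:
        print("certificate rejected:", e.verify_message)
```

If this verifies from Linux with nothing but the private CA in `cafile`, the server's chain and SAN are in order for that hostname and the remaining difference lies in what the phone's resolver trusts; if it fails here too, the `verify_message` names the reason (unknown issuer, hostname mismatch, and so on).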