Hello,

at AS50242 we run two recursive resolvers for our ISP customers. Both
resolvers are listening for doh2 with ECDSA SSL certs from
Let's Encrypt.

ns1r.levonet.sk
ns2r.levonet.sk

kdig +https is working correctly, however I'm unable to use these DoH
resolvers with the Google Chrome (99.0.4844.74) browser on macOS (12.2.1).
In settings I entered "https://ns2r.levonet.sk" as a custom DoH resolver
and I got the error: "Please verify that this is a valid provider or try
again."

I have enabled Knot debugging for doh and tls and the log is flooded with
messages about "incomplete, refusing".

Does anybody have an idea what's wrong? Does Chrome have some specific
requirements for DoH servers?

Thanks
Blažej

Mar 15 19:47:44 ns2r kresd[1317767]: [doh ] [0x215d1e0] h2 session
created for 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57880
Mar 15 19:47:44 ns2r kresd[1317767]: [tls ] TLS handshake with
2a02:6ca3:800:0:60c4:dcd1:0000:0000#57880 has completed
Mar 15 19:47:44 ns2r kresd[1317775]: [doh ] [0x168d620] h2 session
created for 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57881
Mar 15 19:47:44 ns2r kresd[1317775]: [tls ] TLS handshake with
2a02:6ca3:800:0:60c4:dcd1:0000:0000#57881 has completed
Mar 15 19:47:45 ns2r kresd[1317771]: [doh ] [0x1016940] h2 session
created for 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57882
Mar 15 19:47:45 ns2r kresd[1317771]: [tls ] TLS handshake with
2a02:6ca3:800:0:60c4:dcd1:0000:0000#57882 has completed
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (begin_headers_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (begin_headers_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:46 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 23
incomplete, refusing (begin_headers_callback)