79820770

Date: 2025-11-15 11:21:17
Score: 0.5

Since I just deployed local_doh and ran into the exact same problem (FF Android certificate exceptions reset on every app cold-start/reboot): you need to configure dnscrypt to send the whole certificate chain, including all intermediates and the root (in this order).

The good news is that you don't even need Let's Encrypt and can just roll your own CA (if you don't mind installing it on your clients), so this should theoretically even work on a router running dnscrypt (like OpenWrt).

This was tested with OpenSSL v3 as we are using some “advanced” arguments (namely addext and copy_extensions) which may or may not be available in legacy (1.0) versions! If you are stuck on a legacy version, generate it somewhere else and copy the certificates and keys over.

If you use LE, you can skip steps 1-4.

  1. Create Certificate Authority:

    openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -nodes

  2. Create Private Key:

    openssl genpkey -algorithm RSA -out doh.key -pkeyopt rsa_keygen_bits:4096

  3. Create Certificate Signing Request:

    openssl req -new -key doh.key -out doh.csr -addext "subjectAltName = DNS:server.domain.local"

    The SAN is important, otherwise FF will complain about mismatching OU (which I can only assume is a bug in current versions?!)

  4. Create and sign certificate:

    openssl x509 -req -in doh.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out doh.crt -days 3650 -sha256 -copy_extensions copyall

  5. Create certificate chain:

    cat doh.crt ca.crt > full.crt

  6. Configure dnscrypt to use your full.crt:

    cert_file = /path/to/full.crt

  7. Open FF on Android and go to the DoH endpoint e.g. https://server.domain.local:3000/dns-query which should now show an encrypted connection w/o any warnings.

    If you run LE, everything should work and you are done; if not, open the URL on Desktop and make sure dnscrypt is actually sending the full certificate chain including all intermediates!

  8. If you did roll your own CA, dnscrypt will log an unknown certificate authority, denoting that the client does not trust the CA used to sign the DoH certificate.

  9. To fix this take the ca.crt from #1, copy it to your device, and install it in the Android certificate store: Settings > Security > Install Certificate > Install CA certificate

    Which will bring up a scary screen displaying something about your data not being private yada yada and requesting biometric authentication since you are messing with the CA store.

  10. Finally (re)open Firefox, go to Settings > About Firefox and tap on the logo to unlock the Secret Settings menu, go back to Secret Settings and enable Use 3rd Party CA certificates and completely (force) close FF

  11. Now go back to #7, if something doesn't work reboot Android

Cheers!

Reasons:
  • Blacklisted phrase (1): Cheers
  • Long answer (-1):
  • Has code block (-0.5):
  • Contains question mark (0.5):
  • Low reputation (0.5):
Posted by: user1972814
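The certificate steps of the answer above (1-5) and the manual check from step 7, as an added shell example that is not part of the original post, of local_doh or of dnscrypt: it builds the CA, the server key, the CSR and the signed certificate, writes full.crt in leaf-first order, and then checks what step 7 asks you to confirm by hand (the first certificate in the bundle is the server certificate, it carries the SAN, and it verifies against the CA). Assumptions: openssl 1.1.1 or 3.x is on PATH; the hostname server.domain.local and the file names are taken from the answer; the SAN is supplied through an -extfile instead of -copy_extensions so the script also runs on OpenSSL 1.1.1; 2048-bit keys are used only to keep the run fast, where the answer uses 4096; the function names build_doh_chain and check_doh_chain and the CA name "Local DoH CA" are mine.

```shell
#!/bin/sh
# Added example (not from the answer): roll a private CA, issue a DoH server
# certificate with a SAN, build a leaf-first chain file, and verify it.
set -eu

# build_doh_chain DIR HOSTNAME
# Writes ca.key/ca.crt, doh.key/doh.csr/doh.crt and full.crt into DIR.
build_doh_chain() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    (
        cd "$dir"
        # Own config so the CA cert gets CA:TRUE regardless of the system openssl.cnf.
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Local DoH CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        # Step 1: self-signed CA (2048 bits here for speed; the answer uses 4096).
        openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 \
            -keyout ca.key -out ca.crt -days 3650 -nodes 2>/dev/null
        # Step 2: server private key.
        openssl genpkey -algorithm RSA -out doh.key -pkeyopt rsa_keygen_bits:2048 2>/dev/null
        # Step 3: CSR. The SAN is attached at signing time below.
        openssl req -new -config ca.cnf -key doh.key -out doh.csr -subj "/CN=$host" 2>/dev/null
        # Step 4: sign with the CA; the SAN comes from an extfile (portable
        # alternative to -copy_extensions copyall, which needs OpenSSL 3).
        printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$host" > doh.ext
        openssl x509 -req -in doh.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out doh.crt -days 3650 -sha256 -extfile doh.ext 2>/dev/null
        # Step 5: chain file, leaf first, then every issuer up to the root.
        cat doh.crt ca.crt > full.crt
    )
}

# check_doh_chain DIR HOSTNAME
# Returns 0 when full.crt starts with the server cert, that cert has a SAN for
# HOSTNAME, and it verifies against ca.crt; otherwise prints the problem, returns 1.
check_doh_chain() {
    dir=$1
    host=$2
    chain="$dir/full.crt"
    # openssl x509 reads only the first PEM block: it must be the leaf.
    first_subject=$(openssl x509 -in "$chain" -noout -subject 2>/dev/null)
    case "$first_subject" in
        *"CN = $host"*|*"CN=$host"*) ;;
        *) echo "first cert in full.crt is not the server cert: $first_subject"; return 1 ;;
    esac
    # Firefox matches the URL host against the SAN, not the CN.
    if ! openssl x509 -in "$chain" -noout -text 2>/dev/null | grep -q "DNS:$host"; then
        echo "server cert has no subjectAltName for $host"; return 1
    fi
    # The leaf must chain to the CA that will be installed on the client.
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/doh.crt" >/dev/null 2>&1; then
        echo "server cert does not verify against ca.crt"; return 1
    fi
    return 0
}

# Stand-alone usage: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d)
    build_doh_chain "$tmp" server.domain.local
    check_doh_chain "$tmp" server.domain.local && echo "chain OK: $tmp/full.crt"
fi
```

Running it with the `run` argument leaves the files in a temporary directory; point cert_file at that full.crt (and cert_key_file at doh.key) and install ca.crt on the client as in steps 8-10. check_doh_chain reports an error when the bundle was concatenated with the CA first, which is the quickest way to catch a mis-ordered cat.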