AdGuard Home Wildcard aliases
-
@BrutalBirdie thank you but something is generally wrong here... wondering why there is no *.adguard.mydomain.tld but only *.mydomain.tld
...
here my Cloudron AdGuard Home App settings:
and if I try to connect via private DNS (Android), then I see this in the log file:
[error] handling tcp: reading msg: reading len: remote error: tls: unknown certificate authority
-
@lukas may you explain for what reason you want to have an Alias Domain for AdGuard, please? I think 99% of all use cases don't need an Alias Domain for it.
@Kubernetes I want to use DoT / DoH on my Android / iOS devices and allow only my clients to use this AdGuard Home instance. Am I doing something wrong?
-
@lukas Okay, then you don't need an Alias in Cloudron for AdGuard. What you need to do is to configure the ClientIDs, as I mentioned in your other thread, directly in the AdGuard Home Admin Interface.
@Kubernetes But if I don't need an Alias for AdGuard in Cloudron, how do I set the Client Identifier in Android's Private DNS and / or in the AdGuard App? Sorry, but it's confusing for me.
In this guide https://docs.cloudron.io/apps/adguard-home/#security I need DoT for my Android devices, so a wildcard alias is needed to identify my Android devices.
-
@lukas You have to set the ClientID in the AdGuard Home Admin Interface, but not in Cloudron. Then all you need to do is to combine the URL to your AdGuard Home with the ClientID you have configured already.
This should look like this:
https://adguard.yourdomain.tld/dns-query/CLIENTID
I assume that you never had a look at the AdGuard Home Admin Interface, did you? There is a tab "Setup Assistant" which explains how to do it with Android, Windows, Browser, iOS, Router....
I hope that helps?
-
@Kubernetes said in AdGuard Home Wildcard aliases:
This should look like this:
https://adguard.yourdomain.tld/dns-query/CLIENTID
yes, but for Android I have to use DoT and not DoH?
DoT
DNS over TLS (DoT) is supported and uses port 853 by default. DoT is required for Android's "Private DNS mode" (available since Android 9.0 Pie). To use Client ID identifiers, you must add a wildcard subdomain alias of the form *.adguard.domain.com.
-
@lukas Ahh, okay, I don't use DoT, so I don't know how this is set up correctly.
@Kubernetes as I understand this, for DoT I need a wildcard domain. In the AdGuard Android app I can use DoH with your string, this works fine.
-
@lukas to give an update, I still haven't gotten a response from Porkbun. They were supposed to reply last Monday. Sent them a reminder on Friday.
@girish I switched now from Porkbun API to Wildcard Domain. How to get it working now?
Just get this:
Apr 29 22:16:09 2023/04/29 20:16:09.334842 [error] handling tcp: reading msg: reading len: remote error: tls: unknown certificate authority
Apr 29 22:16:09 2023/04/29 20:16:09.584416 [error] handling tcp: reading msg: reading len: remote error: tls: unknown certificate authority
Apr 29 22:16:09 2023/04/29 20:16:09.602320 [error] handling tcp: reading msg: reading len: remote error: tls: unknown certificate authority
-
@lukas Yeah, so they never got back
I even sent them a reminder. Please point them to this thread (if you are a customer). I sent mails from girish@cloudron.io
Unfortunately, one cannot create a wildcard certificate from the Wildcard Domain. This is because Let's Encrypt requires you to set values in the DNS to get a wildcard cert. With a wildcard provider, Cloudron has no way to program the DNS. Only fix right now is to switch to some other programmable DNS provider. Sorry...
-
@lukas Yup, so in next release, it should work
You have to switch to some other provider for something immediate (like today).
-
@girish said in AdGuard Home Wildcard aliases:
Yeah, so they never got back
I even sent them a reminder. Please point them to this thread (if you are a customer). I sent mails from girish@cloudron.io
Do you maybe have a ticket number? I will contact them now.
-
@girish updated to the latest Cloudron version, bunny.net integration is working fine (thanks for this), but DoT on my Android phone is still not working. In the AdGuard Home log I see:
May 02 10:35:57 2023/05/02 08:35:57.599729 [error] handling tcp: reading msg: reading len: remote error: tls: bad certificate
May 02 10:35:57 2023/05/02 08:35:57.907614 [error] handling tcp: reading msg: reading len: remote error: tls: bad certificate
May 02 10:35:57 2023/05/02 08:35:57.914408 [error] handling tcp: reading msg: reading len: remote error: tls: bad certificate
What is wrong? I use <clientname>.adguard.mydomain.TLD and I added an Alias (*.adgaurd) to AdGuard Home.
What is wrong?
Thank you and Regards,
Lukas
-
@lukas If you go to Location view and click Save (without making any changes), does that help the situation ? That should maybe (re)trigger getting the cert.
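-
A way to check which of the two problems discussed in this thread a DoT endpoint has (untrusted chain, or a certificate that does not cover the per-client name), as an added example that is not code from any participant or from Cloudron/AdGuard. The function names, the `phone` client ID and the SAN lists are constructed for illustration; `mydomain.tld` is the thread's own placeholder.

```python
import socket
import ssl

def san_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate dNSName entry covers hostname.

    A '*' is honoured only as the complete leftmost label and stands for
    exactly one label, so '*.mydomain.tld' does not cover
    'phone.adguard.mydomain.tld'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covering_sans(hostname: str, sans: list[str]) -> list[str]:
    """Return the SAN entries that cover hostname (empty list if none)."""
    return [s for s in sans if san_matches(s, hostname)]

def diagnose_dot(hostname: str, port: int = 853, timeout: float = 5.0) -> str:
    """Connect to the DoT port with SNI set to the per-client name and report
    whether the chain is trusted and whether a SAN covers that name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are checked below
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return f"chain not trusted: {exc.verify_message}"
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    hits = covering_sans(hostname, sans)
    return f"covered by {hits}" if hits else f"no SAN covers {hostname}: {sans}"

# Constructed SAN lists: a cert for the parent domain only, and one that
# includes the wildcard alias the Cloudron docs ask for.
ONLY_PARENT_WILDCARD = ["mydomain.tld", "*.mydomain.tld"]
WITH_ADGUARD_WILDCARD = ["adguard.mydomain.tld", "*.adguard.mydomain.tld"]
```

Run `diagnose_dot("<clientid>.adguard.<your domain>")` from a machine that can reach port 853; the name is sent as SNI, so the result reflects the certificate the server selects for that client name.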