AdGuard Home Wildcard aliases
-
@girish update to latest Cloudron Version, bunny.net integration is working fine (thanks for this), but DoT on my Android Phone is still not working, in AdGuard Home Log I see:
May 02 10:35:57 2023/05/02 08:35:57.599729 [error] handling tcp: reading msg: reading len: remote error: tls: bad certificate
May 02 10:35:57 2023/05/02 08:35:57.907614 [error] handling tcp: reading msg: reading len: remote error: tls: bad certificate
May 02 10:35:57 2023/05/02 08:35:57.914408 [error] handling tcp: reading msg: reading len: remote error: tls: bad certificate
What is wrong? I use <clientname>.adguard.mydomain.TLD and I added an Alias (*.adgaurd) to AdGuard Home.
What is wrong?
Thank you and Regards,
Lukas
-
@lukas The first few lines should give us the issuer and expiry like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:1d:71:e7:48:c7:d3:80:02:ac:c1:ac:5b:79:e5:3f:3e:4e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Apr 15 02:11:00 2023 GMT
            Not After : Jul 14 02:10:59 2023 GMT
Then later down, you should also see the SAN section:
            X509v3 Subject Alternative Name:
                DNS:*.girish.in
Ideally, there should be both the wildcard and the non-wildcard DNS names listed there in your case.
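As an added check, not from the thread or from Cloudron: given a SAN list like the one requested above, which client hostnames does it actually cover? TLS clients apply the single-label wildcard rule (RFC 6125 section 6.4.3), so a name with two labels under the wildcard, such as a client name under a sub-host, falls outside `*.mydomain.cloud`; the SAN list and hostnames below are constructed to resemble the thread and `mydomain.cloud` is a placeholder.

```python
"""Does a certificate's SAN list cover a hostname? (added example, not from the thread)

Implements the single-label wildcard rule of RFC 6125 6.4.3: '*' matches
exactly one DNS label and only as the left-most label. Partial-label
wildcards ('f*o.example') are refused, as most modern clients do.
"""
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    # Hostnames are case-insensitive; a trailing dot is ignored.
    return name.lower().rstrip(".").split(".")


def san_matches(san: str, hostname: str) -> bool:
    """True if one DNS SAN entry covers hostname."""
    san_labels, host_labels = _labels(san), _labels(hostname)
    if len(san_labels) != len(host_labels):
        return False  # '*' never spans more than one label
    if san_labels[0] == "*":
        # Require at least two literal labels right of the '*', so
        # '*.cloud' does not cover every name under a public suffix.
        if len(san_labels) < 3:
            return False
        return san_labels[1:] == host_labels[1:]
    if "*" in san:
        return False  # partial-label wildcard: not accepted
    return san_labels == host_labels


def covered_by(sans: Iterable[str], hostname: str) -> bool:
    return any(san_matches(s, hostname) for s in sans)


def uncovered(sans: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames that no SAN entry covers (what a client would reject)."""
    sans = list(sans)
    return [h for h in hostnames if not covered_by(sans, h)]


# Constructed sample: SANs shaped like the thread's wildcard certificate,
# plus names an AdGuard Home DoT client might connect to.
SAMPLE_SANS = ["mydomain.cloud", "*.mydomain.cloud"]
SAMPLE_HOSTS = [
    "mydomain.cloud",
    "adguard.mydomain.cloud",
    "phone.adguard.mydomain.cloud",  # two labels under the wildcard
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:32s} covered={covered_by(SAMPLE_SANS, host)}")
```

The same comparison can be run against a live endpoint by feeding it the `subjectAltName` entries from `ssl.SSLSocket.getpeercert()`, which is how one would confirm what the phone is being offered.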
-
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:5d:97:51:3d:9f:45:89:58:45:67:c2:82:a6:83:3f:6d:50:69:0b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = *.mydomain.cloud
        Validity
            Not Before: Apr 2 14:06:15 2023 GMT
            Not After : Jun 10 14:06:15 2025 GMT
and
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mydomain.cloud, DNS:*.mydomain.cloud
-
@lukas From the logs, it seems the domain is not using wildcard certs at all. If you go to Domains -> Edit -> Advanced, what is the certificate provider? I suspect it's not wildcard. Can you change it and try to renew the certs again?
I guess the reason is that you went, maybe, from Wildcard DNS to Programmatic DNS. In wildcard DNS, a wildcard cert is not possible. But this is indeed a workflow/UI thing that we have to consider in the future.
-
@lukas Thanks for the access. I found the root cause. I (re)learnt about Let's Encrypt's validation cache.
<tech stuff>
It's a very corner case but, unfortunately, it's hit in your situation.
- You used to have wildcard DNS before. This results in Let's Encrypt HTTP validation (http-01)
- You switched to Bunny DNS. The code now expects to do Let's Encrypt DNS validation (dns-01)
- Turns out, Let's Encrypt will "remember" authorization for 60 days (in some places, it says 30 days). So, it will continue to ask for HTTP validation. The code gets confused because it really wants DNS validation.
If you want to read more:
- https://community.letsencrypt.org/t/flush-of-authorization-cache/188043
- https://community.letsencrypt.org/t/let-s-encrypt-s-vulnerability-as-a-feature-authz-reuse-and-eternal-account-key/21687
- https://community.letsencrypt.org/t/http-01-validation-cache/22529
</tech stuff>
I fixed our code to handle this - https://git.cloudron.io/cloudron/box/-/commit/15e0f11bb9815f5e4e7637cf29cf4fd17ccd2da2 . I applied the fix on your server and it seems to work. At least, the certs are correct now and we can go back to checking if AdGuard is working for you. Can you check?
-