AdGuard Home Wildcard aliases
-
@lukas The first few lines should give us the issuer and expiry like this:
Certificate: Data: Version: 3 (0x2) Serial Number: 04:1d:71:e7:48:c7:d3:80:02:ac:c1:ac:5b:79:e5:3f:3e:4e Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = Let's Encrypt, CN = R3 Validity Not Before: Apr 15 02:11:00 2023 GMT Not After : Jul 14 02:10:59 2023 GMTThen later down, you should also see the SAN section:
X509v3 Subject Alternative Name: DNS:*.girish.inIdeally, there should the wildcard and non-wildcard DNS listed above in your case.
Certificate: Data: Version: 3 (0x2) Serial Number: 36:5d:97:51:3d:9f:45:89:58:45:67:c2:82:a6:83:3f:6d:50:69:0b Signature Algorithm: sha256WithRSAEncryption Issuer: CN = *.mydomain.cloud Validity Not Before: Apr 2 14:06:15 2023 GMT Not After : Jun 10 14:06:15 2025 GMTand
X509v3 extensions: X509v3 Subject Alternative Name: DNS:mydomain.cloud, DNS:*.mydomain.cloud -
Certificate: Data: Version: 3 (0x2) Serial Number: 36:5d:97:51:3d:9f:45:89:58:45:67:c2:82:a6:83:3f:6d:50:69:0b Signature Algorithm: sha256WithRSAEncryption Issuer: CN = *.mydomain.cloud Validity Not Before: Apr 2 14:06:15 2023 GMT Not After : Jun 10 14:06:15 2025 GMTand
X509v3 extensions: X509v3 Subject Alternative Name: DNS:mydomain.cloud, DNS:*.mydomain.cloud -
@lukas It's not getting the new certs for some reason - it's using the self-signed cert. If you go to Domains -> Renew all certs. Can you check the logs when it's renewing? Do you see any errors?
-
@lukas From the logs, it seems the domain is not using Wildcard certs at all. If you go to Domains -> Edit -> Advanced. What is the certificate provider ? I suspect it's not wildcard . Can you change it and try to renew certs again?
I guess the reason is because you went from maybe Wildcard DNS to Programmatic DNS. In wildcard DNS, wildcard cert is not possible. But this is indeed a workflow/ui thing, that we have to consider in the future.
-
@lukas From the logs, it seems the domain is not using Wildcard certs at all. If you go to Domains -> Edit -> Advanced. What is the certificate provider ? I suspect it's not wildcard . Can you change it and try to renew certs again?
I guess the reason is because you went from maybe Wildcard DNS to Programmatic DNS. In wildcard DNS, wildcard cert is not possible. But this is indeed a workflow/ui thing, that we have to consider in the future.
-
@girish so which steps do I need to go, to get this resolved?
Btw. I see there some "non-used" SSL certificates, is there any kind of "housekeeping" ?
-
@lukas I am a bit lost at this point. Are you able contact me at support@cloudron.io , so I can debug your instance?
-
@girish said in AdGuard Home Wildcard aliases:
@lukas thanks! As a heads up, I will only be able to debug a bit later today.
all right, thank you very much for your amazing support!
@lukas Thanks for the access. I found the root cause. I (re)learnt about Let's Encrypts validation cache.
<tech stuff>
It's a very corner case but, unfortunately, it's hit in your situation.
- You used to have wildcard DNS before. This results in Let's Encrypt HTTP validation (http-01)
- You switched to Bunny DNS. The code now expects to do Let's Encrypt DNS validation (dns-01)
- Turns out , Let's Encrypt will "remember" authorization for 60 days (in some places, it says 30 days). So, it will continue to ask for HTTP validation . The code gets confused because is really wants DNS validation.
If you want to read more:
- https://community.letsencrypt.org/t/flush-of-authorization-cache/188043
- https://community.letsencrypt.org/t/let-s-encrypt-s-vulnerability-as-a-feature-authz-reuse-and-eternal-account-key/21687
- https://community.letsencrypt.org/t/http-01-validation-cache/22529
</tech stuff>
I fixed our code to handle this - https://git.cloudron.io/cloudron/box/-/commit/15e0f11bb9815f5e4e7637cf29cf4fd17ccd2da2 . I applied the fix on your server and it seems to work. Atleast, the certs are correct now and we can now go back to checking if AdGuard is working for you. Can you check?
-
@lukas Thanks for the access. I found the root cause. I (re)learnt about Let's Encrypts validation cache.
<tech stuff>
It's a very corner case but, unfortunately, it's hit in your situation.
- You used to have wildcard DNS before. This results in Let's Encrypt HTTP validation (http-01)
- You switched to Bunny DNS. The code now expects to do Let's Encrypt DNS validation (dns-01)
- Turns out , Let's Encrypt will "remember" authorization for 60 days (in some places, it says 30 days). So, it will continue to ask for HTTP validation . The code gets confused because is really wants DNS validation.
If you want to read more:
- https://community.letsencrypt.org/t/flush-of-authorization-cache/188043
- https://community.letsencrypt.org/t/let-s-encrypt-s-vulnerability-as-a-feature-authz-reuse-and-eternal-account-key/21687
- https://community.letsencrypt.org/t/http-01-validation-cache/22529
</tech stuff>
I fixed our code to handle this - https://git.cloudron.io/cloudron/box/-/commit/15e0f11bb9815f5e4e7637cf29cf4fd17ccd2da2 . I applied the fix on your server and it seems to work. Atleast, the certs are correct now and we can now go back to checking if AdGuard is working for you. Can you check?
-
G girish has marked this topic as solved on
-
@lukas yeah, there is a bug in their API or I don't know how to access wildcard dns entries via their API. I have sent them an email.
I have an A record at adguard.cloudron.click. This works: $ curl -H "Content-Type: application/json" -X POST -d '{ "apikey" : "pk1_6e058c5e56b050d8052ee869dbd137857386dcfd403698b46e6d0e7694acf241", "secretapikey" : "sk1_xx" }' https://porkbun.com/api/json/v3/dns/retrieveByNameType/cloudron.click/A/adguard {"status":"SUCCESS","cloudflare":"enabled","records":[{"id":"313173661","name":"adguard.cloudron.click","type":"A","content":"89.58.59.112","ttl":"600","prio":"0","notes":null}]} I have an A record at *.test.cloudron.click . This does not work: $ curl -w '%{response_code}' -H "Content-Type: application/json" -X POST -d '{ "apikey" : "pk1_6e058c5e56b050d8052ee869dbd137857386dcfd403698b46e6d0e7694acf241", "secretapikey" : "sk1_xx" }' https://porkbun.com/api/json/v3/dns/retrieveByNameType/cloudron.click/A/*.test <div id="container"> <h1>An Error Was Encountered</h1> <p>The URI you submitted has disallowed characters.</p> <p>You can probably find what you're looking for on our <a href="/">homepage</a>.</p> </div> 400 I tried with percent encoding but that does not work either: $ curl -w '%{response_code}' -H "Content-Type: application/json" -X POST -d '{ "apikey" : "pk1_6e058c5e56b050d8052ee869dbd137857386dcfd403698b46e6d0e7694acf241", "secretapikey" : "sk1_xx" }' https://porkbun.com/api/json/v3/dns/retrieveByNameType/cloudron.click/A/%2A.test {"status":"SUCCESS","cloudflare":"enabled","records":[]}200Hey @girish,
I have the same problem now. I was a bit too stupid and first created a manual record in Porkbun which is logically not necessary and does not work. I have subsequently deleted this entry again. I tried via Cloudron (with Lets Encrypt Prod/ Wildcard and Porkbun DNS) to set an alias entry for AdGuard (*.adguard.mydomain.com). However, I get this error message:
GET /api/v1/domains/my.domain/dns_check?subdomain=*.adguard 424 Failed Dependency Porkbun DNS error 400 {} 770.306 ms - 76I ran the DNS sync function in Cloudron, as well as renewed the certificates. However, nothing has helped
-
Hey @girish,
I have the same problem now. I was a bit too stupid and first created a manual record in Porkbun which is logically not necessary and does not work. I have subsequently deleted this entry again. I tried via Cloudron (with Lets Encrypt Prod/ Wildcard and Porkbun DNS) to set an alias entry for AdGuard (*.adguard.mydomain.com). However, I get this error message:
GET /api/v1/domains/my.domain/dns_check?subdomain=*.adguard 424 Failed Dependency Porkbun DNS error 400 {} 770.306 ms - 76I ran the DNS sync function in Cloudron, as well as renewed the certificates. However, nothing has helped
-
Hey @girish,
I have the same problem now. I was a bit too stupid and first created a manual record in Porkbun which is logically not necessary and does not work. I have subsequently deleted this entry again. I tried via Cloudron (with Lets Encrypt Prod/ Wildcard and Porkbun DNS) to set an alias entry for AdGuard (*.adguard.mydomain.com). However, I get this error message:
GET /api/v1/domains/my.domain/dns_check?subdomain=*.adguard 424 Failed Dependency Porkbun DNS error 400 {} 770.306 ms - 76I ran the DNS sync function in Cloudron, as well as renewed the certificates. However, nothing has helped
@ByMynix if you want to stick with Porkbun please email them and link https://forum.cloudron.io/post/64902 as the post reproducing the issue. You can also cc support@cloudron.io and we are happy to respond.
