AdGuard Home Wildcard aliases

  • Kubernetes

    @lukas Ahh, okay, I don't use DoT, so I don't know how this is setup correctly.

    lukas
    wrote on last edited by
    #26

    @Kubernetes as I understand this, for DoT I need a wildcard domain. In the AdGuard Android app I can use DoH with your string; this works fine.

    • lukas

      @girish so until the issue is fixed there is no chance to use AdGuard Home DoT / DoH?

      girish
      Staff
      wrote on last edited by
      #27

      @lukas to give an update, I still haven't gotten a response from Porkbun. They were supposed to reply last Monday. Sent them a reminder on Friday.

        lukas
        wrote on last edited by lukas
        #28

        @girish I have now switched from the Porkbun API to Wildcard Domain. How do I get it working now?

        I just get this:

        Apr 29 22:16:09 2023/04/29 20:16:09.334842 [error] handling tcp: reading msg: reading len: remote error: tls: unknown certificate authority
        Apr 29 22:16:09 2023/04/29 20:16:09.584416 [error] handling tcp: reading msg: reading len: remote error: tls: unknown certificate authority
        Apr 29 22:16:09 2023/04/29 20:16:09.602320 [error] handling tcp: reading msg: reading len: remote error: tls: unknown certificate authority
        
          girish
          Staff
          wrote on last edited by
          #29

          @lukas Yeah, so they never got back 😕 I even sent them a reminder. Please point them to this thread (if you are a customer). I sent mails from girish@cloudron.io

          Unfortunately, one cannot create a wildcard certificate from the Wildcard Domain. This is because Let's Encrypt requires you to set values in the DNS to get a wildcard cert. With a wildcard provider, Cloudron has no way to program the DNS. Only fix right now is to switch to some other programmable DNS provider. Sorry...

            lukas
            wrote on last edited by lukas
            #30

            @girish is there any other way to do this? I switched my nameservers to Bunny.net for this domain, so I will wait for the next Cloudron release 🙂

              girish
              Staff
              wrote on last edited by
              #31

              @lukas Yup, so in next release, it should work 🤞 You have to switch to some other provider for something immediate (like today).

                lukas
                wrote on last edited by
                #32

                @girish ok, then I will wait for next release. Will it come today? 🙂

                  lukas
                  wrote on last edited by
                  #33

                  @girish said in AdGuard Home Wildcard aliases:

                  Yeah, so they never got back I even sent them a reminder. Please point them to this thread (if you are a customer). I sent mails from girish@cloudron.io

                  Did you maybe get a ticket number? I will contact them now.

                    girish
                    Staff
                    wrote on last edited by
                    #34

                    @lukas they didn't give me one.

                      lukas
                      wrote on last edited by
                      #35

                      @girish I updated to the latest Cloudron version and the bunny.net integration is working fine (thanks for this), but DoT on my Android phone is still not working. In the AdGuard Home log I see:

                      May 02 10:35:57 2023/05/02 08:35:57.599729 [error] handling tcp: reading msg: reading len: remote error: tls: bad certificate
                      May 02 10:35:57 2023/05/02 08:35:57.907614 [error] handling tcp: reading msg: reading len: remote error: tls: bad certificate
                      May 02 10:35:57 2023/05/02 08:35:57.914408 [error] handling tcp: reading msg: reading len: remote error: tls: bad certificate
                      

                      What is wrong? I use <clientname>.adguard.mydomain.TLD and I added an Alias (*.adgaurd) to AdGuard Home.

                      What is wrong?

                      Thank you and Regards,
                      Lukas

                        girish
                        Staff
                        wrote on last edited by
                        #36

                        @lukas If you go to Location view and click Save (without making any changes), does that help the situation? That should maybe (re)trigger getting the cert.

                          lukas
                          wrote on last edited by
                          #37

                          @girish that did not help. This also does not look fine:

                          bdca3c66-576e-4891-b1b3-9026d9d2be43-image.png

                          Certificate chain is invalid

                            girish
                            Staff
                            wrote on last edited by
                            #38

                            @lukas can you check the output of openssl x509 -text -in /etc/certs/_.adguard.domain.cert in the web terminal of adguard ? Does it seem like a valid Let's Encrypt certificate?

                              lukas
                              wrote on last edited by
                              #39

                              @girish I see an output. Which part of this output do you need?

                                girish
                                Staff
                                wrote on last edited by
                                #40

                                @lukas The first few lines should give us the issuer and expiry like this:

                                Certificate:
                                    Data:
                                        Version: 3 (0x2)
                                        Serial Number:
                                            04:1d:71:e7:48:c7:d3:80:02:ac:c1:ac:5b:79:e5:3f:3e:4e
                                        Signature Algorithm: sha256WithRSAEncryption
                                        Issuer: C = US, O = Let's Encrypt, CN = R3
                                        Validity
                                            Not Before: Apr 15 02:11:00 2023 GMT
                                            Not After : Jul 14 02:10:59 2023 GMT
                                

                                Then later down, you should also see the SAN section:

                                            X509v3 Subject Alternative Name: 
                                                DNS:*.girish.in
                                

                                Ideally, there should be the wildcard and non-wildcard DNS listed above in your case.

                                  lukas
                                  wrote on last edited by lukas
                                  #41

                                  @girish

                                  Certificate:
                                      Data:
                                          Version: 3 (0x2)
                                          Serial Number:
                                              36:5d:97:51:3d:9f:45:89:58:45:67:c2:82:a6:83:3f:6d:50:69:0b
                                          Signature Algorithm: sha256WithRSAEncryption
                                          Issuer: CN = *.mydomain.cloud
                                          Validity
                                              Not Before: Apr  2 14:06:15 2023 GMT
                                              Not After : Jun 10 14:06:15 2025 GMT
                                  

                                  and

                                  			        X509v3 extensions:
                                              X509v3 Subject Alternative Name: 
                                                  DNS:mydomain.cloud, DNS:*.mydomain.cloud
                                  
                                    girish
                                    Staff
                                    wrote on last edited by
                                    #42

                                    @lukas It's not getting the new certs for some reason - it's using the self-signed cert. If you go to Domains -> Renew all certs. Can you check the logs when it's renewing? Do you see any errors?
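
The check girish describes above (issuer, expiry, SAN list), written as an added example that is not part of the original thread or Cloudron's code. It goes one step further than the posts and also tests whether any SAN covers a DoT client hostname, since a certificate wildcard matches only a single label. The function names, the `phone` client name and the Subject line in the sample are assumptions; the other sample fields are the ones lukas posted.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the fields posted in the thread from `openssl x509 -text`,
# plus a Subject line (assumed equal to the Issuer, as in a self-signed cert).
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = *.mydomain.cloud
        Validity
            Not Before: Apr  2 14:06:15 2023 GMT
            Not After : Jun 10 14:06:15 2025 GMT
        Subject: CN = *.mydomain.cloud
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mydomain.cloud, DNS:*.mydomain.cloud
"""


def parse_cert_text(text):
    """Extract issuer, subject, expiry and DNS SANs from `openssl x509 -text` output."""
    def field(name):
        m = re.search(rf"^\s*{name}\s*:\s*(.+)$", text, re.MULTILINE)
        return m.group(1).strip() if m else None

    expiry = None
    not_after = field("Not After")
    if not_after:
        expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT")
        expiry = expiry.replace(tzinfo=timezone.utc)
    return {"issuer": field("Issuer"), "subject": field("Subject"),
            "not_after": expiry, "sans": re.findall(r"DNS:([^,\s]+)", text)}


def san_covers(pattern, hostname):
    """Wildcard match where '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # '*.a.b' never covers 'x.y.a.b' or 'a.b'
    return p[1:] == h[1:] if p[0] == "*" else p == h


def diagnose(text, hostname, now):
    """Return a list of problems that would make a DoT client reject this cert."""
    cert = parse_cert_text(text)
    findings = []
    # Issuer == Subject means the cert signed itself; no public CA vouches for it.
    if cert["issuer"] and cert["issuer"] == cert["subject"]:
        findings.append("self-signed")
    elif "Let's Encrypt" not in (cert["issuer"] or ""):
        findings.append("issuer is not Let's Encrypt")
    if cert["not_after"] and cert["not_after"] < now:
        findings.append("expired")
    if not any(san_covers(s, hostname) for s in cert["sans"]):
        findings.append(f"no SAN covers {hostname}")
    return findings


if __name__ == "__main__":
    # 'phone' is a hypothetical DoT client name under the adguard subdomain.
    now = datetime(2023, 5, 2, tzinfo=timezone.utc)
    for problem in diagnose(SAMPLE, "phone.adguard.mydomain.cloud", now):
        print("FAIL:", problem)
```

To check a real certificate, pass the text printed by the `openssl x509 -text -in ...` command from the thread instead of `SAMPLE`.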

                                      lukas
                                      wrote on last edited by
                                      #43

                                      @girish I sent you the log-file via E-Mail

                                        girish
                                        Staff
                                        wrote on last edited by
                                        #44

                                        @lukas From the logs, it seems the domain is not using Wildcard certs at all. If you go to Domains -> Edit -> Advanced. What is the certificate provider? I suspect it's not wildcard. Can you change it and try to renew certs again?

                                        I guess the reason is because you went from maybe Wildcard DNS to Programmatic DNS. In wildcard DNS, wildcard cert is not possible. But this is indeed a workflow/ui thing, that we have to consider in the future.

                                          girish
                                          Staff
                                          wrote on last edited by
                                          #45

                                          The certificate provider should be Let's Encrypt Prod - Wildcard
