AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home/overview.html
GNU General Public License v3.0

Certificate and private key are always considered invalid. #3832

Closed D43m0n closed 7 months ago

D43m0n commented 3 years ago

Expected Behavior

I'm following the guide for encryption to set that up on AdGuardHome. I've used lego for that and have obtained a certificate, full chain and private key. I want to enter that in the AdGuardHome settings at the bottom and expect either the full path or the pasted contents to be accepted by the web interface of AdGuardHome.

Actual Behavior

No matter what I enter, either the full path of the complete certificate chain and the private key, or their pasted contents, both private key and certificate chain are always considered "invalid".

Screenshots

Screenshot: Whether I enter the full certificate chain and private key separately, or combined in a pem file (private key and full chain together in this one file), it's always considered invalid... I've checked all the certificates in the chain with `openssl x509` to verify the subject, subject alternative and issuer names add up and they do. ![Schermafbeelding 2021-11-10 om 21 30 10](https://user-images.githubusercontent.com/8392736/141188940-444e7dff-1aa9-4b30-9787-285b1529318b.png) ![Schermafbeelding 2021-11-10 om 21 30 40](https://user-images.githubusercontent.com/8392736/141188977-f0aff6b7-c028-49d4-a506-9d969bfbb1a5.png)

Additional Information

I'm using the exact same method (DNS challenge with my DNS hosting party) to obtain Let's Encrypt certificates in other places and these work fine. Therefore I do not doubt that there's an actual problem with the private key or the certificate (chain) but there's a bug in AdGuardHome as far as I can see...

ainar-g commented 3 years ago

Hello and apologies for the late response. Can you configure AdGuard Home to collect logs by setting verbose to true and post the errors that are shown there during the validation here? Thanks!

D43m0n commented 2 years ago

I've briefly enabled verbose logging, in a short time period I tried to replicate the issue when enabling encryption. The behavior is the same but there's a huge amount of information in the verbose logging. Do you have any pointers to look at the verbose logging that I can post here? For instance when I grep for (parts) of the filename of the certificate or key in the logging file, I get zero results.

A `grep -I error logging.txt` only provides lines like these:

```
2021/11/17 12:44:58.618608 16553#454 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 44189
2021/11/17 12:44:58.617259 16553#455 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 32815
2021/11/17 12:44:58.623844 16553#455 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 32815
2021/11/17 12:44:58.626675 16553#456 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 45437
2021/11/17 12:44:59.384166 16553#459 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 22611
2021/11/17 12:44:59.385413 16553#458 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 55789
2021/11/17 12:44:59.392221 16553#461 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 53658
2021/11/17 12:44:59.389620 16553#457 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 468
2021/11/17 12:44:59.397197 16553#462 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 20616
2021/11/17 12:44:59.391388 16553#463 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 52037
```

A `grep -i invalid logging.txt` provides zero results.

In other words; what is it that I should be looking at to post here?

ainar-g commented 2 years ago

I've rechecked, and apparently there isn't anything that is written to the logs in these cases, apologies.

Could you please provide the exact commands you've used to get these certs? Anonymised, of course. Thanks.

fjbravo commented 2 years ago

I'm encountering a similar issue. When I specify the path to the .pem file for the certificate and private key, both are shown as invalid. But when I copy and paste the content of the file into their respective fields in the browser, it works. Version: v0.106.3, AdGuard Home Docker install.

D43m0n commented 2 years ago

> I've rechecked, and apparently there isn't anything that is written to the logs in these cases, apologies.
>
> Could you please provide the exact commands you've used to get these certs? Anonymised, of course. Thanks.

Sure, here's the relevant shell history:

```sh
cd /mnt/sda1
ls
mkdir lego
mv lego_v4.5.3_linux_armv7.tar lego
cd lego
tar xvf lego_v4.5.3_linux_armv7.tar
ls -l
./lego -h
./lego list
...
TRANSIP_ACCOUNT_NAME=ANONYMISED \
TRANSIP_PRIVATE_KEY_PATH=./PRIVATE.key \
./lego --email ANONYMISED@example.org --dns transip --domains router.example.org run
```

ghost commented 2 years ago

Hello,

I also have a problem with my SSL certificate: "Your certificate does not verify: x509: certificate signed by unknown authority"

Could I have an explanation?

ainar-g commented 2 years ago

@EugeneOne1, please try to reproduce the issue.

D43m0n commented 2 years ago

I was wondering if there's an update on the issue?

Birbber commented 2 years ago

@D43m0n Hi. Sorry for the long silence! Is this issue still relevant?

pavkamlc commented 1 year ago

Hi, I have the same issue. My installation is as a package on a clean OpenWrt. On OpenWrt I generate the CSR with

```sh
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
```

On my CA I generate the cert and upload it to OpenWrt, and in the configuration the result is the same as in the image above.

overwatch3560 commented 7 months ago

Is this still an issue?

D43m0n commented 7 months ago

Don't know, it's been a while since I tried. I'll verify somewhere this or next week if this is still an issue. Poke me if I don't respond by the end of next week.

overwatch3560 commented 7 months ago

@D43m0n have you been able to test it?

D43m0n commented 7 months ago

@overwatch3560 thanks for poking me. I've just tested it. This is no longer an issue. I now get green text indicating the certificate chain is valid, the private key also. Remember that the Server name in the Encryption settings needs to match the subject in the certificate, otherwise AdGuard will tell you with a red text the certificate is invalid.
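The three ways a certificate fails the kind of validation discussed in this thread (the private key not matching the certificate, the chain not reaching a trusted root, which is what "x509: certificate signed by unknown authority" above means, and the server name not matching the certificate), shown in an added Go example that is not AdGuard Home's own validation code. It uses only the standard library; `CheckCertAndKey` and `SelfSignedPEM` are names chosen here, and the self-signed certificate is constructed inside the block so the check runs offline. Note that Go matches the server name against the certificate's SAN entries, not the Subject CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckCertAndKey runs the checks a TLS server must pass before it can serve a certificate:
// PEM parses, key matches the leaf, serverName is in the leaf's SANs, chain reaches a root.
func CheckCertAndKey(chainPEM, keyPEM []byte, serverName string, roots *x509.CertPool) error {
	pair, err := tls.X509KeyPair(chainPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("key/certificate mismatch or malformed PEM: %w", err)
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair already parsed the leaf
	inter := x509.NewCertPool()                           // further CERTIFICATE blocks form the chain
	for _, der := range pair.Certificate[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return fmt.Errorf("parsing intermediate: %w", err)
		}
		inter.AddCert(c)
	}
	// DNSName is the "server name has to match the certificate" check; roots == nil means the system store.
	opts := x509.VerifyOptions{DNSName: serverName, Intermediates: inter, Roots: roots}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain does not verify for %q: %w", serverName, err)
	}
	return nil
}

// SelfSignedPEM returns a constructed self-signed certificate and key for dnsName (test input only).
func SelfSignedPEM(dnsName string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key GenerateKey just produced
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), err
}
```

To test a real deployment, read the full-chain and key files into `chainPEM` and `keyPEM`, pass `nil` as roots, and the wrapped error names which of the three checks failed.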

overwatch3560 commented 7 months ago

@D43m0n I'm glad your issue has been resolved. If any issues come up, you know where to find us!