AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Encryption settings: validating certificate pair: certificate has no IP addresses, this may cause issues with DNS-over-TLS clients #5123

Closed kokesh closed 1 year ago

kokesh commented 1 year ago

Prerequisites

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

AMD64

Installation

Snap

Setup

On one machine

AdGuard Home version

0.107.18

Description

Everything was fine until yesterday. Using AGH as a Private DNS on Android, it stopped working suddenly.

I've got the following under certificate settings:

validating certificate pair: certificate has no IP addresses, this may cause issues with DNS-over-TLS clients

The certificates are fine and working (Let's Encrypt). I've even renewed them to see if it helps somehow; it doesn't.

CDzungx commented 1 year ago

Using Edge version with DuckDNS, the same warning but everything works fine (Android 12). Let's Encrypt cert also.

scallaway commented 1 year ago

This is the error that I was just coming to the issues to ask about! I am seeing the same thing when trying to setup DoH and DoT.

I haven't tried the edge version, although I'm not really inclined to do so.

CDzungx commented 1 year ago

This is the error that I was just coming to the issues to ask about! I am seeing the same thing when trying to setup DoH and DoT.

I haven't tried the edge version, although I'm not really inclined to do so.

If your DNS works fine, just ignore that error warning.

scallaway commented 1 year ago

This is the error that I was just coming to the issues to ask about! I am seeing the same thing when trying to setup DoH and DoT. I haven't tried the edge version, although I'm not really inclined to do so.

If your DNS works fine, just ignore that ~error~ warning.

Yeah my DNS is working fine, although when I go to https://1.1.1.1/help I see the following;

Connected to 1.1.1.1 Yes
Using DNS over HTTPS (DoH) Yes
Using DNS over TLS (DoT) No
Using DNS over WARP No

So I have a feeling that there is still something a bit wrong with the certificate, as I was really looking to get DoT enabled.

CDzungx commented 1 year ago

What do you mean 😂😂 What can be wrong with your Cert. I'm using my DNS and all is No (since I don't use Cloudflare DNS). I think it's about the DNS setting. You use DoH for Cloudflare in your DNS setting?

ghost commented 1 year ago

I use a FRITZ!Box 5530 Fiber and my DNS stopped working entirely ever since this error message has popped up.

Everything was running fine under v0.107.17 but then I upgraded to v0.107.18 and it broke. I tried the edge version, I tried going back to v0.107.17, without any form of success.

Is there any solution to this issue? I'm using Let's Encrypt certificates to secure the instance. AdGuard is running on a VPS and only allows connections from my clients.

CDzungx commented 1 year ago

I use a FRITZ!Box 5530 Fiber and my DNS stopped working entirely ever since this error message has popped up.

Everything was running fine under v0.107.17 but then I upgraded to v0.107.18 and it broke. I tried the edge version, I tried going back to v0.107.17, without any form of success.

Is there any solution to this issue? I'm using Let's Encrypt certificates to secure the instance. AdGuard is running on a VPS and only allows connections from my clients.

Maybe try other DDNS services like DuckDNS for now. Cuz my DuckDNS works fine.

ghost commented 1 year ago

Let me change my statement a bit. The DNS server is working, however DoT is causing problems. The FRITZ!Box (my router) can't seem to handle it anymore. I haven't followed the changelogs of the last releases, but something must have changed.

My iPhone and my MacBook which are set up via .mobileconfig using DoT do not have any problems. Only my router can't handle it and therefore all devices on the network.

What I did as a workaround is to remove the restriction to my clients (home network, iPhone and MacBook). So my DNS is now accessible to everyone, but at least it works via normal DNS, so no DoT at the moment.

BobWs commented 1 year ago

Same error notification after updating to v107.18; before this update everything was fine!

scallaway commented 1 year ago

@CDzungx

You use DoH for Cloudflare in your DNS setting?

I have both DoH and DoT setup in my DNS settings pointing at Cloudflare. Which is why I believe the IP address problem to be a cause of my issues as well.

bluetoothfx commented 1 year ago

I'm having this issue on v107.17 also.

ghost commented 1 year ago

I'm having this issue on v107.17 also.

Can confirm. v107.17 shows the message, v107.16 doesn't.

kokesh commented 1 year ago

Just to clarify what my setup is: Tiny HP thin client running Ubuntu with Home Assistant running on it; later I've added AdGuard running beside HA. I've got a domain, pointed to my home public IP via Cloudflare nameservers. No proxying, or anything like that, on the Cloudflare side. My modem does NAT to my little Linux machine for web, Home Assistant and AdGuard. All was fine until a few days ago, as I wrote in this issue. I've now tried to use Private DNS via DuckDNS and also No-IP. It is the same thing. So probably nothing is being caused by some change on the Cloudflare side.

Except this Adguard works perfectly.

Szene commented 1 year ago

I have the same issue with a new docker container running version v107.18. It just doesn't let me save the certificate paths for my Let's Encrypt certificates.

I can confirm that in v107.16 image everything works fine.

kokesh commented 1 year ago

I've switched to v0.108.0-a.382+167b1125 (Edge) version via Snap. No change whatsoever. Everything works, except DNS-over-TLS.

CDzungx commented 1 year ago

It just doesn't let me save the certificate paths for my Let's Encrypt certificates

Saved normally on Edge version

Everything works, except DNS-over-TLS.

My DoT is working fine, Edge version too.

(No problem for both wildcard cert and normal cert)

guidocioni commented 1 year ago

Having the same issue as well. Trying to refresh the certificates but it didn't help. I had to paste the certificate contents because otherwise also normal DNS over port 53 wasn't working.

DNS over ToH seems to work only with some devices while DNS over HTTPS does not work. Still, the certificates seem to be fine.

manfahrer commented 1 year ago

I have the same error


Operating system type Linux, Other (please mention the version in the description)

CPU architecture ARM - Raspberry Pi 4

Installation auto-install script

Setup On one machine

AdGuard Home version v0.107.18

kokesh commented 1 year ago

Current edge version v0.108.0-a.383+93882d68

Got it working by sudo certbot --force-renewal --preferred-chain="ISRG Root X1" renew

CDzungx commented 1 year ago
  • Google apparently requires you to use X1.

Isn't the default (R3) using X1? 😂 But good that it works for you. https://letsencrypt.org/certificates/

Szene commented 1 year ago

It's a little bit changed in v0.107.20, now the message is visually less alarming.

Birbber commented 1 year ago

Closing this issue as completed. Please re-open if needed.

filisdiez commented 1 year ago

I confirm that the same error is present! If you use a certificate for an ip address, then the error disappears, but for some reason it does not work with a domain certificate. I use Adguard Home on an asus router with merlin firmware.

PVasileff commented 1 year ago

Same here. Installed AdGuard Home on a VM with Debian 11, on my Proxmox. Configured a static DHCP IP for AGH on my MikroTik RB4011.

ghost commented 1 year ago

Hi there

My AdGuard Home on a Synology NAS claims the same issue:

Attention: validating certificate pair: certificates has no IP addresses; DNS-over-TLS won't be advertised via DDR

I'm using DNS-over-HTTPS as upstream, so I think I don't need to take care about this half warning message.

What do you think about that? Thanks

xkpx64 commented 1 year ago

Months later still the same issue. Using Let's Encrypt (Elliptic Curve e384) OCSP as a wildcard cert.

Warning: validating certificate pair: certificates has no IP addresses; DNS-over-TLS won't be advertised via DDR

ericafterdark commented 1 year ago

Same issue. AdGuard Home on a VPS with a domain.

stylemessiah commented 1 year ago

Same error on Windows version. Nothing wrong with certificates....

Issam2204 commented 1 year ago

Same issue over here.

breathless19 commented 1 year ago

Same here as well.

They could easily avoid this (assuming that the issue here is simply that Let's Encrypt certificates don't include I.P. addresses) by removing the disturbing verbiage and instead making a little checkbox underneath that says "advertise TLS via DDR" that is uncheckable if your certificate is from Let's Encrypt or any other service that doesn't include IP addresses, and give a little explanation next to the checkbox stating as such (IE: "TLS cannot advertise via DDR when certificates do not contain IP addresses"). Then people will at least understand that the "issue" is because of the cert that they chose and will thereby not be pissed off by scary words and flocking to the forum.

AmIBeingObtuse commented 7 months ago

Did anyone manage to resolve this? Or have a suggested course of action. I'm trying to get adguard home encryption setup on the encryption page. I already use DOH for upstream servers but wanted to try using DOH from device to adguard also. Also does anyone know any good guides for this. I can't seem to find one. Thanks.

like33 commented 7 months ago


This problem makes my tls unusable.

like33 commented 7 months ago

Is there any way to fix TLS that cannot be used?

breathless19 commented 7 months ago

You need to get a certificate from a provider that uses an I.P. address. Let's Encrypt is not the one.

jcleng commented 7 months ago

Same, +1. Then how to enable and use DoT? On an Android phone it must be a domain, not an IP. No solution?

yaneony commented 5 months ago

still not working here... DoT is unusable. Please /reopen

benkap commented 5 months ago

same here... DoT is not working. should be reopened

securitasis commented 3 months ago

I'm experiencing the same exact issue. I've confirmed it is not working because if I uncheck "Enable plain DNS" under Encryption settings, all DNS traffic stops under the DNS Queries - Log.

Also, every log entry shows types "A, Plain DNS" or "HTTPS, Plain DNS". Has anyone tried another Certificate Authority that allows an IP address or IP alias?

RosensRauk commented 2 months ago

This is weird!

When plain DNS is on; Type: https DNS-server: Name.cloudflare-gateway.com:53 Time: 54 ms Answer: A: 188.114.97.1 (ttl=2400) A: 188.114.96.1 (ttl=2400) NOERROR

Everything works and if I check security in my browser it says it is safe.

When plain DNS is off, only encrypted: Nothing. I can't even get online! And nothing shows in the AdGuard Home log.

jaybauson commented 1 month ago

This is weird!

When plain DNS is on; Type: https DNS-server: Name.cloudflare-gateway.com:53 Time: 54 ms Answer: A: 188.114.97.1 (ttl=2400) A: 188.114.96.1 (ttl=2400) NOERROR

Everything works and if I check security in my browser it says it is safe.

When plain DNS is off, only encrypted: Nothing. I can't even get online! And nothing shows in the AdGuard Home log.

I was a Pi-Hole user until yesterday, and I have the same exact error. Now I am stuck, I will probably wait for an update so I can turn the encryption on.

Honglan233 commented 1 month ago

This is weird!

When plain DNS is on; Type: https DNS-server: Name.cloudflare-gateway.com:53 Time: 54 ms Answer: A: 188.114.97.1 (ttl=2400) A: 188.114.96.1 (ttl=2400) NOERROR

Everything works and if I check security in my browser it says it is safe.

When plain DNS is off, only encrypted: Nothing. I can't even get online! And nothing shows in the AdGuard Home log.

I have the same problem today, which is strange

cx48 commented 1 month ago

This is weird! When plain DNS is on; Type: https DNS-server: Name.cloudflare-gateway.com:53 Time: 54 ms Answer: A: 188.114.97.1 (ttl=2400) A: 188.114.96.1 (ttl=2400) NOERROR Everything works and if I check security in my browser it says it is safe. When plain DNS is off, only encrypted: Nothing. I can't even get online! And nothing shows in the AdGuard Home log.

I have the same problem today, which is strange

Same here. Did you find any solution? At my end DoH/DoT don't work at all, shows cert chain is valid. Plain DNS works fine, if I disable it then nothing works.

Honglan233 commented 1 month ago

This is weird! When plain DNS is on; Type: https DNS-server: Name.cloudflare-gateway.com:53 Time: 54 ms Answer: A: 188.114.97.1 (ttl=2400) A: 188.114.96.1 (ttl=2400) NOERROR Everything works and if I check security in my browser it says it is safe. When plain DNS is off, only encrypted: Nothing. I can't even get online! And nothing shows in the AdGuard Home log.

I have the same problem today, which is strange

Same here. Did you find any solution? At my end DoH/DoT don't work at all, shows cert chain is valid. Plain DNS works fine, if I disable it then nothing works.

If you are in PRC, please note that the GFW blocks port 853 on most foreign servers, which is the main reason I found

cx48 commented 1 month ago

This is weird! When plain DNS is on; Type: https DNS-server: Name.cloudflare-gateway.com:53 Time: 54 ms Answer: A: 188.114.97.1 (ttl=2400) A: 188.114.96.1 (ttl=2400) NOERROR Everything works and if I check security in my browser it says it is safe. When plain DNS is off, only encrypted: Nothing. I can't even get online! And nothing shows in the AdGuard Home log.

I have the same problem today, which is strange

Same here. Did you find any solution? At my end DoH/DoT don't work at all, shows cert chain is valid. Plain DNS works fine, if I disable it then nothing works.

If you are in PRC, please note that the GFW blocks port 853 on most foreign servers, which is the main reason I found

After reading recent comments here, it looks like DoT doesn't work for most, regardless of whether one is in the PRC or using a server in a different jurisdiction. Another issue is that if I turn off plain DNS and enforce encryption, it breaks everything (fails to make any query). Only DoT isn't working for most; for me DoH/DoQ is dead too. Ports are open, certs are valid, IP is set correctly.

What I did was install WireGuard and add the AdGuard DNS to my WG client config. If I'm outside, or say I want encryption between clients, I enable WireGuard with ad blocking.