AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Setting certificate from file instead of the GUI #634

Closed via-justa closed 5 years ago

via-justa commented 5 years ago

I'm running AGH on docker-compose with the official release. I'm using Caddy as a frontend proxy + Let's Encrypt client. I would like to share the certificate I get from Caddy and use it for DoT instead of updating the certificate every time it gets rotated.

Having an option to point to a file in the file system to get the certificate will allow mounting the certificates from Caddy. You can see my implementation here

ameshkov commented 5 years ago

Got it, thank you for the feature request!

While we're considering it and waiting for people to vote on this feature request, there is a temporary solution that would require some scripting on your side. You'll need to stop AGH, change the certificate in AdGuardHome.yml, and start AGH back up.

via-justa commented 5 years ago

If anyone else has that need, I created a wrapper that implements automatic certificates using Let's Encrypt. https://github.com/via-justa/Adguard-home

ameshkov commented 5 years ago

@via-justa that's awesome! I guess we should consider providing Let's Encrypt integration natively.

via-justa commented 5 years ago

@ameshkov as of now, I couldn't find a Let's Encrypt Go package that supports the Let's Encrypt DNS-01 challenge, so the implementation will be limited to the HTTP challenge with them and it won't work if you're behind an FW; that's why I didn't use the builtin packages. My next task will be to implement dynamic DNS registration so it would be a one-stop shop for everything DNS related. If I have the time, I'll see if I can get it to work with the acme package (I think that it does support the DNS-01 challenge) and let you know. Maybe you'll find some inspiration from it :)

adrianrudnik commented 5 years ago

Just had the same problem using Docker. Not sure integration of Let's Encrypt will solve anything, as certbot is widely available and easy to use (and has DNS plugins for many service providers like Cloudflare, DigitalOcean and such).

I think it would be awesome if you could just provide a path to a chain and key file. Keep the text inputs in the admin GUI, but instead of storing them in the JSON, just save the files into something like ./conf/AdGuardHome.fullchain.pem and ./conf/AdGuardHome.key.pem and reload/reread them from there. Maybe even move it to ./ssl or ./certs.

That solves a lot of use cases:

In addition to this:

alexsannikov commented 5 years ago

I agree with the way of using an SSL certificate file instead of the .yaml settings file.

via-justa commented 5 years ago

As this product is for home users and not for power users like us, it should have a user-friendly solution; using a file requires the user to understand how certificates work, how to get them, how to export them in the right way (e.g. PEM files) and with the right permissions. Integrating Let's Encrypt will allow the regular user to have the benefits of SSL without the need to understand how the mechanism works. Adding a default DDNS service like xip.io or Duck DNS will also remove the need to create the DNS name and will, in theory, provide the option to enable DoT with a tick box, same as enabling the filters or DHCP.

In my opinion, using a file will be much less user-friendly. But I agree that the key should not be visible in clear text via the web interface.

Best regards, Nir Tal


adrianrudnik commented 5 years ago

@via-justa I'm not sure labeling it for home users or integrating Let's Encrypt will solve anything.

Using it at home (raspberry/pihole whatever) has no requirement for SSL except outbound and there is no reason why a home user would go through the hassle to encrypt LAN DNS queries.

Let's Encrypt would just introduce a lot of use cases and dependencies and require a lot of technical knowledge. You need to set up DDNS, you need to expose the proper ports (if you even can and the router gives you the options) and route them to the correct device. Otherwise the HTTP challenge will not work. Installing or self-signing a certificate file is the first tutorial you can find, besides proper port forwarding, when it comes to guides.

Switching the GUI to inputs and storing the input into files would change nothing UI wise right now and give any other user the option to configure the service properly.

via-justa commented 5 years ago

@adrianrudnik You can do it without opening ports; you can use the DNS-01 challenge as you can see in my implementation (I'm running it via the Caddy client). In addition, as far as I can see, you'll need DDNS or a domain and a public IP nevertheless, so I'm trying to see how removing the need to worry about the certificate creates use cases and does not reduce them. Running DoT over a self-signed certificate is as useful as running pure DNS; that's why the AdGuard guys don't allow it.

I can think of a few reasons why a home user would want to use DoT, and not all of them use a Pi; running it on DigitalOcean is as easy as, if not even easier than, running it on a Pi. I can tell you that the main reason I like to implement it is to make sure my ISP is not playing with my DNS results, and I'm running it externally.

As I see it, if you work with a file, there are too many changes that need to be implemented and too many things that the user can do wrong when providing the certificate (and as it's not via the GUI, he won't get an indication of what's wrong). In my opinion, it's not a good idea, but it's not my decision; I'm a user like you :smile:

rubenverhoef commented 5 years ago

I really like the ability to select a file, because I'm having an Nginx server with a reverse proxy set to AdGuard Home. My Nginx server (jail) is handling the certificates for all (sub)domains. So if I could just point AdGuard Home to the location where my Nginx server has put the files, it would be great!

ibksturm commented 5 years ago

vote +1

anindyamaiti commented 5 years ago

I too think that an option to use a certificate file path would be simple enough for all DoH users (Let's Encrypt or otherwise). If 'home' users are smart enough to copy-paste the contents of those files, they sure can enter a path to those files instead.

vt0r commented 5 years ago

For now, until this feature is developed, I'm using a simple Ruby script to replace the key and cert in the YAML files with the updated contents. After reading this thread, I realized maybe I should make it more universal and share, so here it is for anyone interested:

https://github.com/vt0r/adguardhome_certinjector

I've only tested it on Ruby 2.5.1, but I don't think I used any new methods that would prevent using a much older release. I also only used built-ins to make it work on most system Ruby installs.
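The workaround described earlier in the thread (stop AGH, replace the PEM text in AdGuardHome.yaml, restart) as an added example in the same spirit as vt0r's script; it is not AdGuard Home's code nor vt0r's. It assumes the `tls:` section holds `certificate_chain:` and `private_key:` as inline PEM strings, and it refuses to write a key that does not match the chain, which is the kind of silent mistake the thread worries a user could make outside the GUI.

```ruby
require "yaml"
require "openssl"

# Added example, not AdGuard Home's code. Assumed config layout:
# tls: { certificate_chain: "<PEM>", private_key: "<PEM>" }.

# Returns the updated YAML text, or raises if the key does not belong to the
# first certificate of the chain or the certificate has already expired.
def inject_tls_material(yaml_text, chain_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(chain_pem)   # leaf is first in the chain
  key  = OpenSSL::PKey.read(key_pem)
  raise "private key does not match certificate" unless cert.check_private_key(key)
  raise "certificate has expired" if cert.not_after < Time.now
  cfg = YAML.safe_load(yaml_text) || {}
  cfg["tls"] ||= {}
  cfg["tls"]["certificate_chain"] = chain_pem
  cfg["tls"]["private_key"] = key_pem
  cfg.to_yaml
end

# Constructed self-signed certificate and key so the example runs offline;
# a real deployment would read Caddy's or certbot's fullchain/privkey files.
def make_test_material(days: 30)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=dns.example.test")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

# Constructed minimal config fragment mirroring the assumed layout.
SAMPLE_CONFIG = <<~YAML
  bind_host: 0.0.0.0
  tls:
    enabled: true
    server_name: dns.example.test
    certificate_chain: ""
    private_key: ""
YAML

if __FILE__ == $0
  chain, key = make_test_material
  puts inject_tls_material(SAMPLE_CONFIG, chain, key)
end
```

Run it between stopping and starting the container, redirecting the output over the real AdGuardHome.yaml only after the function returns without raising.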