AdGuardHome
Encryption settings: validating certificate pair: certificate has no IP addresses, this may cause issues with DNS-over-TLS clients
Prerequisites
- [X] I have checked the Wiki and Discussions and found no answer
- [X] I have searched other issues and found no duplicates
- [X] I want to report a bug and not ask a question
Operating system type
Linux, Other (please mention the version in the description)
CPU architecture
AMD64
Installation
Snap
Setup
On one machine
AdGuard Home version
0.107.18
Description
Everything was fine until yesterday. Using AGH as a Private DNS on Android, it stopped working suddenly.
I've got the following under certificate settings:
validating certificate pair: certificate has no IP addresses, this may cause issues with DNS-over-TLS clients
The certificates are fine and working (Let's Encrypt). I've even renewed them to see if it helps somehow; it doesn't.
Using the Edge version with DuckDNS: the same warning, but everything works fine (Android 12). Let's Encrypt cert also.
This is the error that I was just coming to the issues to ask about! I am seeing the same thing when trying to set up DoH and DoT.
I haven't tried the edge version, although I'm not really inclined to do so.
If your DNS works fine, just ignore that ~~error~~ warning.
Yeah my DNS is working fine, although when I go to https://1.1.1.1/help I see the following:

| Check | Result |
|---|---|
| Connected to 1.1.1.1 | Yes |
| Using DNS over HTTPS (DoH) | Yes |
| Using DNS over TLS (DoT) | No |
| Using DNS over WARP | No |
So I have a feeling that there is still something a bit wrong with the certificate, as I was really looking to get DoT enabled.
What do you mean? What can be wrong with your cert? I'm using my DNS and all is No (since I don't use Cloudflare DNS). I think it's about the DNS setting. You use DoH for Cloudflare in your DNS setting?
I use a FRITZ!Box 5530 Fiber and my DNS stopped working entirely ever since this error message has popped up.
Everything was running fine under v0.107.17 but then I upgraded to v0.107.18 and it broke. I tried the edge version, I tried going back to v0.107.17, without any form of success.
Is there any solution to this issue? I'm using Let's Encrypt certificates to secure the instance. AdGuard is running on a VPS and only allows connections from my clients.
Maybe try other DDNS services like DuckDNS for now, because my DuckDNS works fine.
Let me change my statement a bit. The DNS server is working, however DoT is causing problems. The FRITZ!Box (my router) can't seem to handle it anymore. I haven't followed the changelogs of the last releases, but something must have changed.
My iPhone and my MacBook which are set up via .mobileconfig using DoT do not have any problems. Only my router can't handle it and therefore all devices on the network.
What I did as a workaround is to remove the restriction to my clients (home network, iPhone and MacBook). So my DNS is now accessible to everyone, but at least it works via normal DNS, so no DoT at the moment.
Same error notification after updating to v107.18; before this update everything was fine!
@CDzungx
You use DoH for Cloudflare in your DNS setting?
I have both DoH and DoT setup in my DNS settings pointing at Cloudflare. Which is why I believe the IP address problem to be a cause of my issues as well.
I'm having this issue on v107.17 also.
Can confirm. v107.17 shows the message, v107.16 doesn't.
Just to clarify what my setup is: Tiny HP thin client running Ubuntu with Homeassistant running on it; later I added AdGuard running beside HA. I've got a domain, pointed to my home public IP via Cloudflare nameservers. No proxying or anything like that on the Cloudflare side. My modem does NAT to my little Linux machine for web, Homeassistant and AdGuard. All was fine until a few days ago, as I wrote in this issue. I've now tried to use Private DNS via DuckDNS and also No-IP. It is the same thing. So probably nothing is being caused by some change on the Cloudflare side.
Except this Adguard works perfectly.
I have the same issue with a new docker container running version v107.18. It just doesn't let me save the certificate paths for my Let's Encrypt certificates.
I can confirm that in v107.16 image everything works fine.
I've switched to v0.108.0-a.382+167b1125 (Edge) version via Snap. No change whatsoever. Everything works, except DNS-over-TLS.
Please return everything as it was in v0.107.16, because I can't use the new version due to this error and I had to roll it back.
It just doesn't let me save the certificate paths for my Let's Encrypt certificates
Saved normally on Edge version
Everything works, except DNS-over-TLS.
My DoT is working fine, Edge version too.
(No problem for both wildcard cert and normal cert)
Having the same issue as well. I tried refreshing the certificates, but it didn't help. I had to paste the certificate contents, because otherwise normal DNS over port 53 wasn't working either.
DNS over ToH seems to work only with some devices while DNS over HTTPS does not work. Still, the certificates seem to be fine.
I have the same error
Operating system type: Linux, Other (please mention the version in the description)
CPU architecture: ARM - Raspberry Pi 4
Installation: auto install script
Setup: On one machine
AdGuard Home version: v0.107.18
Current edge version: v0.108.0-a.383+93882d68
Got it working by running `sudo certbot --force-renewal --preferred-chain="ISRG Root X1" renew`
- Google apparently requires you to use X1.
Isn't the default (R3) using X1? But good that it works for you.
https://letsencrypt.org/certificates/
It's changed a little in v0.107.20; the message is now visually less alarming.
Closing this issue as completed. Please re-open if needed.
I confirm that the same error is present! If you use a certificate for an IP address, then the error disappears, but for some reason it does not work with a domain certificate. I use AdGuard Home on an ASUS router with Merlin firmware.
Same here. Installed AdGuard Home on a VM with Debian 11 on my Proxmox. Configured a static DHCP IP for ADH on my MikroTik RB4011.
Hi there,
My AdGuard Home on a Synology NAS claims the same issue:
Attention: validating certificate pair: certificates has no IP addresses; DNS-over-TLS won't be advertised via DDR
I'm using DNS-over-HTTPS as upstream, so I think I don't need to care about this half warning message.
What do you think about that? Thanks
Months later, still the same issue. Using Let's Encrypt (Elliptic Curve e384) OCSP as a wildcard cert.
Warning: validating certificate pair: certificates has no IP addresses; DNS-over-TLS won't be advertised via DDR
Same issue. AdGuard Home on a VPS with a domain.
Same error on Windows version. Nothing wrong with certificates.
Same issue over here.
Same here as well.
They could easily avoid this (assuming that the issue here is simply that Let's Encrypt certificates don't include IP addresses) by removing the disturbing verbiage and instead making a little checkbox underneath that says "advertise TLS via DDR", which is uncheckable if your certificate is from Let's Encrypt or any other service that doesn't include IP addresses, and giving a little explanation next to the checkbox stating as much (i.e. "TLS cannot advertise via DDR when certificates do not contain IP addresses"). Then people will at least understand that the "issue" is because of the cert that they chose and will thereby not be pissed off by scary words and flocking to the forum.