
Let's Encrypt certificate chain is invalid

Open pacmac34 opened this issue 1 year ago • 2 comments

Prerequisites

  • [x] I have checked the Wiki and Discussions and found no answer

  • [X] I have searched other issues and found no duplicates

  • [X] I want to report a bug and not ask a question

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

AMD64

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

v0.107.28

Description

What did you do?

Copied fullchain and key certs to /etc/letsencrypt. Added the path to Settings -> Encryption Settings -> Certificates and Private key.

Certificate status -> Certificate chain is invalid (it shows the certificate details correctly, the right hostname, expire date, etc).

Private key status -> This is a valid RSA private key.

I have downloaded CA and intermediate certificates from Let's Encrypt URL, copied to /usr/share/ca-certificates/extra/. Ran dpkg-reconfigure ca-certificates. Both CA and intermediate certificates were imported. I have seen '2 added' message.

Expected result

Certificate chain should be valid.

Actual result

Certificate chain is invalid

Screenshots (if applicable)

https://i.imgur.com/Mgi2Bjm.png

Additional information

I have a pfsense firewall facing WAN interface. I have a L3 switch acting as router for a VLAN where the AdGuard server is. Bind is acting as resolver for my internal domain and forwarding the rest of queries to AdGuard. Adguard.internaldomain.com resolves to an internal address; the bind on pfsense has a configured zone for it.

AdGuard VM is running Ubuntu.

Linux adguard 5.19.0-38-generic #39-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 17 17:33:16 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

pacmac34 avatar Apr 13 '23 09:04 pacmac34

Having exact same problem..

Turab avatar Apr 30 '23 23:04 Turab

I had the same issue. Could solve it by fixing file permissions. In my case I granted read permission to the user adguardhome for fullchain.pem and privkey.pem as well as to all directories these files are in. Note that the executable right is also necessary on all sub an directories.

tipuraneo avatar Jan 17 '24 08:01 tipuraneo

The way I understand it, in part from personal experience, it is possible for a 3-paragraph Let's Encrypt certificate to not be recognised by AdGuard Home. Removing the bottom paragraph, leaving the upper 2 intact, has often worked, but not 100% of the time.

DandelionSprout avatar Mar 25 '24 09:03 DandelionSprout
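The two comments above (read access for the service account on the files plus execute on every directory, and the number of certificate "paragraphs" in the chain file) can be checked without going through the web UI. This is an added example, not part of the thread or of AdGuard Home's code: it looks only at classic mode bits (ACLs are ignored), and the uid you pass is whatever account your AdGuard Home service runs as, which is an assumption about your setup.

```python
import os, re, stat, tempfile

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def _grants(st, uid, gids, want):
    """Do the mode bits of `st` grant `want` (4 = read, 1 = execute) to uid/gids?"""
    if uid == 0:                      # root bypasses these checks
        return True
    if st.st_uid == uid:
        bits = st.st_mode >> 6        # owner triplet
    elif st.st_gid in gids:
        bits = st.st_mode >> 3        # group triplet
    else:
        bits = st.st_mode             # "other" triplet
    return (bits & want) == want

def access_problems(path, uid, gids=()):
    """List (component, missing_bit) entries that stop `uid` from reading `path`."""
    chain, cur = [], os.path.realpath(path)
    while True:                       # collect the file and every parent up to /
        chain.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    problems = []
    for comp in reversed(chain):
        st = os.stat(comp)
        if stat.S_ISDIR(st.st_mode):
            if not _grants(st, uid, gids, 1):   # directories need execute (traverse)
                problems.append((comp, "x"))
        elif not _grants(st, uid, gids, 4):     # the file itself needs read
            problems.append((comp, "r"))
    return problems

def count_certs(pem_text):
    """Number of PEM certificate blocks in a chain file such as fullchain.pem."""
    return len(PEM_CERT.findall(pem_text))

if __name__ == "__main__":
    # Constructed demo: a 0700 temp directory holding a fake three-block chain file.
    base = tempfile.mkdtemp()
    pem = os.path.join(base, "fullchain.pem")
    with open(pem, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n" * 3)
    other_uid = os.stat(base).st_uid + 12345    # constructed uid that is not the owner
    for comp, bit in access_problems(pem, other_uid):
        print(f"uid {other_uid} lacks '{bit}' on {comp}")
    print("certificate blocks:", count_certs(open(pem).read()))
```

On a real host, call `access_problems()` once for the chain file and once for the private key, with the uid and group ids reported by `id` for the service account.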

It is likely that your OS's CA certificate package needs updating, although these kinds of issues can sometimes also be caused by unsynchronized time settings.

ainar-g avatar Mar 25 '24 16:03 ainar-g