Homarr•10mo ago

Pihole v6 not using trusted certificates

Hi
For me the pihole v6 is not connecting at all, due to changes in pihole, most of the users will now have a selfsigned cert and https mode instead of http, I guess that's the problem too for me, how can I enable connections to unverified (seflsigned) https certs?

Also a little side note, I think in piholev6 it's not called api password, it's just the login password, except one specifically creates an app passwort.

Solution

OMG I screwed up and used

fetch

fetch

instead of

fetchWithTrustedCertificatesAsync

fetchWithTrustedCertificatesAsync

in the factory

Jump to solution

Cakey Bot•3/6/25, 8:13 PM

Thank you for submitting a support request.

Depending on the volume of requests, our team should get in contact with you shortly.

Please include the following details in your post or we may reject your request without further comment:

Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
Operating system (Unraid, TrueNAS, Ubuntu, ...)
Exact Homarr version (eg. 0.15.0, not latest)
Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
Other relevant information (eg. your devices, your browser, ...)

Frequently Asked Questions | Homarr documentation

Can I install Homarr on a Raspberry Pi?

Manicraft1001•3/6/25, 8:15 PM

You should trust the certificate using this: https://homarr.dev/docs/management/certificates/

Certificates | Homarr documentation

On this page you can manage your trusted certificates.

Manicraft1001•3/6/25, 8:15 PM

Can you post your logs? Would be useful to us to confirm that the certificate is self signed and the issue.

Meierschlumpf•3/6/25, 8:16 PM

Regarding the change from api-key to passwords, from our docs:

https://homarr.dev/docs/integrations/dns#pihole

DNS | Homarr documentation

Homarr allows the integration of DHS-holes to control them and display their stats.

CrazyWolf13OP•3/6/25, 8:17 PM

message.txt2.05KB

MMeierschlumpf Regarding the change from api-key to passwords, from our docs: `Please note, tha...

CrazyWolf13OP•3/6/25, 8:17 PM

perfect, was just confused, because it's still called API-Key on the UI, but not a problem for me ^^

MManicraft1001 You should trust the certificate using this: https://homarr.dev/docs/management/...

CrazyWolf13OP•3/6/25, 8:20 PM

done, wow that's awesome, to be able to trust certs directly via UI!

Though I could successfully import the CA cert, that did not solve my issue :/

Manicraft1001•3/6/25, 8:21 PM

Did you wait a bit or manually run the task?

Manicraft1001•3/6/25, 8:21 PM

It should work if you imported the correct certificate

CrazyWolf13OP•3/6/25, 8:22 PM

get this in browser console, does that help?

Manicraft1001•3/6/25, 8:23 PM

No, it does not help

Manicraft1001•3/6/25, 8:23 PM

What certificate did you import? (do not upload, just say how you obtained it)

CrazyWolf13OP•3/6/25, 8:23 PM

the tls_ca.crt

CrazyWolf13OP•3/6/25, 8:24 PM

downloaded via sftp from /etc/pihole

Manicraft1001•3/6/25, 8:25 PM

And this is what the webserver of PiHole uses?

MManicraft1001 And this is what the webserver of PiHole uses?

CrazyWolf13OP•3/6/25, 8:25 PM

https://docs.pi-hole.net/api/tls/#adding-the-ca-to-your-browser

Manicraft1001•3/6/25, 8:26 PM

Does exist (see https://docs.pi-hole.net/api/tls/#using-your-own-certificate )?

MManicraft1001 Does ``webserver.api.tls.cert`` exist (see https://docs.pi-hole.net/api/tls/#usi...

CrazyWolf13OP•3/6/25, 8:28 PM

Manicraft1001•3/6/25, 8:28 PM

And does this certificate, you downloaded, match with the one your browser shows when accessing PiHole?

MManicraft1001 And does this certificate, you downloaded, match with the one your browser shows...

CrazyWolf13OP•3/6/25, 8:33 PM

yeah matches.

CrazyWolf13OP•3/6/25, 8:33 PM

though I'm a bit confused, normally such integrations take some seconds to load, however if I hit create integration/test integration, it IMMEDIATELY goes to that error

Manicraft1001•3/6/25, 8:34 PM

Can you open the container shell and perform a wget to PiHole? Is the response as expected or is there some proxy response?

MManicraft1001 Can you open the container shell and perform a wget to PiHole? Is the response a...

CrazyWolf13OP•3/6/25, 8:38 PM

Yeah definitely:

Manicraft1001•3/6/25, 8:39 PM

Can you post the output of "admin"?

Manicraft1001•3/6/25, 8:39 PM

CrazyWolf13OP•3/6/25, 8:40 PM

message.txt35.48KB

Manicraft1001•3/6/25, 8:40 PM

@Meierschlumpf can you take another look?
Are you sure that we properly fetch?

Solution

Meierschlumpf•3/6/25, 9:22 PM

OMG I screwed up and used

fetch

fetch

instead of

fetchWithTrustedCertificatesAsync

fetchWithTrustedCertificatesAsync

in the factory

Meierschlumpf•3/6/25, 9:23 PM

Will be fixed tomorrow evening

Meierschlumpf•3/6/25, 9:38 PM

There is also another problem once the fetch --> withTrustedCertificates is fixed:

Their certificate only allows as domain

CrazyWolf13OP•3/6/25, 9:38 PM

but that's something homarr side, not something I'd have to change right?

Meierschlumpf•3/6/25, 9:39 PM

No that's something pi-hole site

CrazyWolf13OP•3/6/25, 9:40 PM

but I guess most people would have this problem right?
Is it possible to get a don't verify https cert chckbox?

Or what would need to be changed pihole side?

Meierschlumpf•3/6/25, 9:41 PM

Their certificate would need to be a wildcard certificate I would guess. But maybe it's configurable somehow?

Meierschlumpf•3/6/25, 9:44 PM

Okay there is a field in their toml configuration. I'll test if it is possible to define multiple domains

Meierschlumpf•3/6/25, 10:09 PM

Nope not possible to define multiple domains. Not even

is possible...
We'll need to find a good solution for this, because I don't like to disable the full verification. Maybe we can disable just the domain check for all uploaded custom certificates, but I'll need to research what security implication this has

MMeierschlumpf Nope not possible to define multiple domains. Not even `*` is possible... We'll ...

CrazyWolf13OP•3/7/25, 4:53 AM

Yeah agreed!
Thanks for looking into this quickly

CrazyWolf13OP•3/9/25, 6:46 PM

@Meierschlumpf
Thanks for the v1.10 release, I just updated and checked, though I still cannot create a new pi-hole integration

Here the new log:

Meierschlumpf•3/9/25, 7:22 PM

Does your certificate contain the ip as allowed record? If not you'll need to change that. As I said we would need to reduce security if we want to ignore the domain of the certificates, which we don't want

MMeierschlumpf Does your certificate contain the ip `10.10.20.15` as allowed record? If not you...

CrazyWolf13OP•3/9/25, 7:25 PM

as pihole autogenerates this I don't have that much influence over this, but seems like only pi.hole is made valid:

Also I don't really think I will be the only one to encounter this, as nearly everywhere pihole autogenerated self-signed ssl certs.

Meierschlumpf•3/9/25, 7:27 PM

Yes I know, as I said, we can not really do something about it except removing some security aspects.
As Pi-Hole previously was http only I think it might make sense to just add one or two checkboxes to ignore domain and or ignore certificate errors altogheter

CrazyWolf13OP•3/9/25, 7:30 PM

yeah I guess the option for the domain check could be configurable, though importing the CA_cert was actually quite easy, though I leave that up to you to decide.

Meierschlumpf•3/9/25, 7:40 PM

I've created an issue for it:
https://github.com/homarr-labs/homarr/issues/2553

GitHub

feat: add checkboxes to remove certificate checks · Issue #2553 · h...

Describe the feature you'd like to request Add two new checkboxes to the integration creation page Checkbox to ignore certificate check altogether with rejectUnauthorized: false Checkbox to dia...

CrazyWolf13OP•3/9/25, 7:43 PM

perfect, thanks

Thank you for submitting a support request.

Depending on the volume of requests

, our team should get in contact with you shortly

Please include the following details in your post or we may reject your request without further comment:

Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
Operating system (Unraid, TrueNAS, Ubuntu, ...)
Exact Homarr version (eg. 0.15.0, not latest)
Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
Other relevant information (eg. your devices, your browser, ...)