Pihole v6 not using trusted certificates
Hi
For me the pihole v6 is not connecting at all, due to changes in pihole, most of the users will now have a self-signed cert and https mode instead of http, I guess that's the problem too for me, how can I enable connections to unverified (self-signed) https certs?
Also a little side note, I think in piholev6 it's not called api password, it's just the login password, except one specifically creates an app password.
You should trust the certificate using this: https://homarr.dev/docs/management/certificates/
Can you post your logs? Would be useful to us to confirm that the certificate is self signed and the issue.
Regarding the change from api-key to passwords, from our docs:
Please note, that in v6 of PiHole you no longer specify an API key, but instead either a password or application password. We suggest to use the application password when possible.
https://homarr.dev/docs/integrations/dns#pihole
perfect, was just confused, because it's still called API-Key on the UI, but not a problem for me ^^
done, wow that's awesome, to be able to trust certs directly via UI!
Though I could successfully import the CA cert, that did not solve my issue :/
Did you wait a bit or manually run the task?
It should work if you imported the correct certificate
get this in browser console, does that help?
No, it does not help
What certificate did you import? (do not upload, just say how you obtained it)
the tls_ca.crt
downloaded via sftp from /etc/pihole
And this is what the webserver of PiHole uses?
Does webserver.api.tls.cert exist (see https://docs.pi-hole.net/api/tls/#using-your-own-certificate )?
no
And does this certificate, you downloaded, match with the one your browser shows when accessing PiHole?
yeah matches.
though I'm a bit confused, normally such integrations take some seconds to load, however if I hit create integration/test integration, it IMMEDIATELY goes to that error
Can you open the container shell and perform a wget to PiHole? Is the response as expected or is there some proxy response?
Yeah definitely:
Can you post the output of "admin"?
cat admin
@Meierschlumpf can you take another look?
Are you sure that we properly fetch?
Solution
OMG I screwed up and used fetch instead of fetchWithTrustedCertificatesAsync in the factory
Will be fixed tomorrow evening
There is also another problem once the fetch --> withTrustedCertificates is fixed:
Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:pi.hole
Their certificate only allows pi.hole as domain
but that's something homarr side, not something I'd have to change right?
No that's something pi-hole side 😐
but I guess most people would have this problem right?
Is it possible to get a don't verify https cert checkbox?
Or what would need to be changed pihole side?
Their certificate would need to be a wildcard certificate I would guess. But maybe it's configurable somehow?
Okay there is a field webserver.domain in their toml configuration. I'll test if it is possible to define multiple domains
Nope not possible to define multiple domains. Not even * is possible...
We'll need to find a good solution for this, because I don't like to disable the full verification. Maybe we can disable just the domain check for all uploaded custom certificates, but I'll need to research what security implication this has
Yeah agreed!
Thanks for looking into this quickly
@Meierschlumpf
Thanks for the v1.10 release, I just updated and checked, though I still cannot create a new pi-hole integration
Here the new log:
Does your certificate contain the ip 10.10.20.15 as allowed record? If not you'll need to change that. As I said we would need to reduce security if we want to ignore the domain of the certificates, which we don't want
as pihole autogenerates this I don't have that much influence over this, but seems like only pi.hole is made valid:
Also I don't really think I will be the only one to encounter this, as nearly everywhere pihole autogenerated self-signed ssl certs.

Yes I know, as I said, we can not really do something about it except removing some security aspects.
As Pi-Hole previously was http only I think it might make sense to just add one or two checkboxes to ignore domain and/or ignore certificate errors altogether
yeah I guess the option for the domain check could be configurable, though importing the CA_cert was actually quite easy, though I leave that up to you to decide.
I've created an issue for it:
https://github.com/homarr-labs/homarr/issues/2553
feat: add checkboxes to remove certificate checks · Issue #2553 · h...
Describe the feature you'd like to request Add two new checkboxes to the integration creation page Checkbox to ignore certificate check altogether with rejectUnauthorized: false Checkbox to dia...
perfect, thanks
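
Added example, not part of the thread and not Homarr's code: it reproduces the altname failure quoted above with Node's built-in `tls.checkServerIdentity`, then shows a narrower relaxation than `rejectUnauthorized: false`, skipping the name check only for one pinned certificate. The certificate object, its placeholder `raw` bytes and the names `nameCheck` and `makePinnedIdentityCheck` are constructed for illustration.

```javascript
const tls = require("tls");
const crypto = require("crypto");

// Constructed sample: the shape tlsSocket.getPeerCertificate() returns, with the
// single SAN from the error quoted in the thread. `raw` is placeholder bytes,
// standing in for the DER encoding of a real certificate.
const piholeCert = {
  subject: { CN: "pi.hole" },
  subjectaltname: "DNS:pi.hole",
  raw: Buffer.from("constructed-placeholder-for-DER-bytes"),
};

const fingerprint = (cert) =>
  crypto.createHash("sha256").update(cert.raw).digest("hex");

// Node's built-in name check: undefined on a match, an Error otherwise.
function nameCheck(host, cert) {
  const err = tls.checkServerIdentity(host, cert);
  return err ? err.code : "ok";
}

// Hypothetical relaxation: tolerate a name mismatch only for a leaf certificate
// whose SHA-256 fingerprint was pinned. Chain validation is untouched, because
// Node calls checkServerIdentity only after the chain has verified.
function makePinnedIdentityCheck(pinnedFingerprints) {
  const pins = new Set(pinnedFingerprints);
  return (host, cert) => {
    const err = tls.checkServerIdentity(host, cert);
    if (!err) return undefined;
    if (cert.raw && pins.has(fingerprint(cert))) return undefined;
    return err; // any other certificate still fails the name check
  };
}

// Passed as a request option next to the trusted CA (caFromUpload is assumed):
//   { ca: caFromUpload, checkServerIdentity: makePinnedIdentityCheck([...]) }

const check = makePinnedIdentityCheck([fingerprint(piholeCert)]);
const otherCert = { ...piholeCert, raw: Buffer.from("constructed-other-cert") };

for (const host of ["pi.hole", "localhost", "10.10.20.15"]) {
  console.log(host,
    "| builtin:", nameCheck(host, piholeCert),
    "| pinned cert:", check(host, piholeCert) ? "rejected" : "ok",
    "| unpinned cert:", check(host, otherCert) ? "rejected" : "ok");
}
```

With `rejectUnauthorized: false` every certificate would be accepted; here only the exact pinned certificate is allowed to be served under a name it does not list.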