"Cannot verify server identity" Synology

When Pi-hole is active, I'm getting this from Safari like ten times an hour. What can I do? Thanks.

EDIT: many different pages do this, it's not limited to games.tiscali.cz.

that is probably not a mistake of Pihole
you should be good by downloading the correct certificate :wink:

No, sorry. It happens on all devices in the household (iPhone, iPad, Macs, Windows 10 PC). If I disable Pi-hole, it goes away. I've clarified my post - it's not just this one server.

Can you run pihole -d and get us the token from the debug script process? Thanks!

probably you have to speak to a developer...

:bananadance:

There you go: 8cub88dstk

Thanks! I do have VPN installed on the same machine as Pi-Hole (Synology NAS), to have the filtering even outside the LAN, but the same messages pop up even if it's disconnected and/or disabled.

I've updated the topic to include that this is running in a Synology setup as we don't directly support that kind of installation, but we'll give it a try and see why you are getting this error.

Inside the Synology chroot, can you run

curl http://games.tiscali.cz | head -n20
curl -I http://games.tiscali.cz

And post the output from those commands.

New example, with VPN disabled. The site visited is washingtonpost.com

First command output:

root@Synology:/# curl http://games.tiscali.cz | head -n20
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 178 100 178 0 0 3154 0 --:--:-- --:--:-- --:--:-- 3178

301 Moved Permanently

301 Moved Permanently


nginx ----------

Second command output:

HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Thu, 11 May 2017 07:48:26 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://games.tiscali.cz/
X-Nginx-Proxy: games1
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Your configuration is trying to redirect an https connection. Normally this would hit the Pi-hole and be blocked, but your Synology is running on port 443 and trying to respond with its own certificate. The warnings are valid, as your browser is interpreting this as an attempt at a Man In the Middle attack.

You may want to post on the How do I install Pi-hole on a Synology NAS? - #149 by DL6ER thread to see if one of our Synology users has some suggestions on how to solve this. We can't really help as none of the developers has access to a Synology device to test on.

Sorry I couldn't have been of more help on this but it's beyond our abilities at this point.

I understand, thanks!

I've dug out my old RPi 2 and installed PiHole onto that. Problem solved :slight_smile:


Here's the solution for anyone else coming across this thread. Note this is for DSM 6.

The diskstation HTTPS web interface is on port 5001 by default. Port 443 simply redirects to 5001. You can change port 443 in the nginx configuration file (or comment out that server block) and PiHole will then be able to intercept the redirected ad requests.

The following are steps to change the port from 443 to 9443 (or choose another large number if you wish). You'll need to log into your Diskstation admin account via ssh or telnet to perform the following commands.

The command below will modify the following lines in /etc/nginx/nginx.conf:

listen 443 default_server ssl;
listen [::]:443 default_server ssl;

First, replace 443 with 9443 in /etc/nginx/nginx.conf.

$ sudo sed -i 's/\([ :]\)443/\19443/' /etc/nginx/nginx.conf

Then send a HANGUP signal to the nginx process which tells it to reload its configuration file.

$ sudo kill -HUP $( cat /run/nginx.pid )

That should be all there is to it. You can verify the change worked by pointing your web browser to https://<your diskstation address>:9443. If the change worked it will redirect your browser to port 5001.

Update: The nginx.conf file is generated each time the system boots. To make this change permanent, the above commands should be added to /usr/local/etc/rc.d/S99pihole.sh. My S99pihole.sh looks like this:

#!/bin/sh

. /etc.defaults/rc.subr

case $1 in
        start)
                sed -i 's/\([ :]\)443/\19443/' /etc/nginx/nginx.conf
                kill -HUP $( cat /run/nginx.pid )
                /var/packages/debian-chroot/scripts/start-stop-status start
                chroot /volume1/@appstore/debian-chroot/var/chroottarget service cron start
                chroot /volume1/@appstore/debian-chroot/var/chroottarget service dnsmasq start
                chroot /volume1/@appstore/debian-chroot/var/chroottarget service lighttpd start
                chroot /volume1/@appstore/debian-chroot/var/chroottarget service pihole-FTL start
        ;;
        stop)
                chroot /volume1/@appstore/debian-chroot/var/chroottarget service cron stop
                chroot /volume1/@appstore/debian-chroot/var/chroottarget service dnsmasq stop
                chroot /volume1/@appstore/debian-chroot/var/chroottarget service lighttpd stop
                chroot /volume1/@appstore/debian-chroot/var/chroottarget service pihole-FTL stop
                /var/packages/debian-chroot/scripts/start-stop-status stop
        ;;
        restart)
                $0 stop
                sleep 1
                $0 start
        ;;
        *)
                echo "Usage: $0 start|stop|restart"
        ;;
esac
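
A narrower variant of the port edit from the post above, as an added example that is not the poster's code: it rewrites only listen directives and reports whether anything changed, so the reload can be skipped when the file is already patched. The function names and the sample config are constructed for illustration; only the two listen lines come from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sample config
# are constructed; only the two "listen ... 443" lines come from the post.

# move_listen_port FILE OLD NEW
# Rewrites "listen OLD" and "listen ADDR:OLD" to NEW, nothing else.
# Returns 0 if FILE changed, 1 if nothing matched, 2 on error.
move_listen_port() {
    file=$1; old=$2; new=$3
    tmp=$(mktemp) || return 2
    # \1 = indent + "listen" + optional "address:", \3 = the non-digit after
    # the port, so 4430 or 1443 are never treated as 443.
    sed -E "s/^([[:space:]]*listen[[:space:]]+([^[:space:];]*:)?)${old}([^0-9])/\\1${new}\\3/" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        return 1                 # already moved: safe to run on every start
    fi
    cat "$tmp" > "$file"         # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Constructed config: the last two lines contain " 443" / ":443" outside a
# listen directive and must survive untouched.
write_sample() {
    cat > "$1" <<'EOF'
server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    # port 443 only redirects to the DSM UI
    proxy_pass https://127.0.0.1:4430;
}
EOF
}

demo() {
    conf=$(mktemp) || return 1
    write_sample "$conf"
    if move_listen_port "$conf" 443 9443; then
        echo "changed; reload nginx"
    fi
    cat "$conf"
    rm -f "$conf"
}
demo
```

On the NAS the file would be /etc/nginx/nginx.conf; running nginx -t after the edit checks the configuration before the HUP is sent.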

Thanks! I've just installed PiHole onto my RPi2 but this will come in handy for anyone with the same issue.

No problem. Suggest marking the above post as the solution to your question.