CERTIFICATE_DOMAIN_MISMATCH warning behind reverse proxy

When setting rev_proxy = true and port = "8001,[::]:8001" (that is, no "s" for TLS), I get a warning of CERTIFICATE_DOMAIN_MISMATCH: "SSL/TLS certificate /etc/pihole/tls.pem does not match domain mysubdomain.mydomain.tld!"

It would be great if Pi-hole could recognise that it doesn't need to concern itself with TLS because it's handled by a reverse proxy.

It can, but not in the particular setup you have. The certificate is only checked when webserver.tls.cert is set, exists, and is readable. If you set this to an empty string, Pi-hole will not attempt to generate and/or check the certificate. Otherwise, you can also set webserver.domain to the intended domain and remove the file specified in webserver.tls.cert to have Pi-hole create a new self-signed certificate with the correct domain.

But I see your point, we can also check for the absence of the letter s in the webserver.port setting and skip any TLS checking altogether in this case, too. Consider this to be somewhere on my TODO list now.

Thanks for taking a look! Yeah, I found the code that emits the warning and noticed that I could delete the file or change the setting (after making this post), so that would be a good workaround, but yeah, I think Pi-hole technically already has everything it needs to know without the workaround.

I was gonna make a PR, but got stuck down a rabbit hole because I've got GCC 14 (which doesn't compile at the moment). After I'd fixed the errors, I realised I couldn't figure out how to run unit tests locally, and Alpine doesn't have GCC 14 yet (for the container), so I gave up :sweat_smile: :sweat_smile:

Thanks for considering it!

A very simple approach can be found on FTL branch tweak/cert_no_tls now.

Yup, can confirm this makes the error disappear! Thanks for implementing it so quickly here, too! :heart_eyes: