I get the error in Pi-hole every day "SSL/TLS certificate /etc/pihole/server.pem does not match domain" and it's not a huge deal, and I saw a post mentioning it about a month ago but no resolution. I have a domain and use custom subdomain certs for all my devices. I have the cert assigned to Pihole.{anydomain}.com so it is not a blanket (*.anydomain.com) SSL cert. Why would I still be getting this error?
Most likely because the domain in the browser URL doesn't match the one in the cert (Subject CN and Subject Alternative Name).
You can check with:
sudo openssl x509 -text -noout -in /etc/pihole/server.pem
And with:
$ pihole-FTL --help
[..]
TLS X.509 certificate parser:
Parse the given X.509 certificate and optionally check if
it matches a given domain. If no domain is given, only a
human-readable output string is printed.
If no certificate file is given, the one from the config
is used (if applicable). If --read-x509-key is used, details
about the private key are printed as well.
Usage: pihole-FTL --read-x509 [certfile] [domain]
Usage: pihole-FTL --read-x509-key [certfile] [domain]
I just ran the command you posted and the DNS name and URL do in fact match. Error persists.
I just went through and recreated the certificates for my Pi-hole through Let's Encrypt and Cloudflare to make sure the DNS is correct. Same issue. CERTIFICATE_DOMAIN_MISMATCH
Could you share the output of:
pihole-FTL --read-x509 | grep "ame\|on "
pihole-FTL --config webserver.domain
pihole-FTL --config webserver.tls.cert
pihole-FTL --config webserver.port
You could also inspect the cert that's presented via the web interface with:
openssl s_client -connect <PIHOLE_IP>:<WEB_PORT> -servername <DOMAIN_NAME> </dev/null 2>/dev/null | openssl x509 -noout -text
Eg:
$ openssl s_client -connect 10.0.0.5:443 -servername pi.hole </dev/null 2>/dev/null | openssl x509 -noout -text
[..]
Subject: CN = pi.hole
[..]
X509v3 Subject Alternative Name:
DNS:pi.hole
I am sorry for the delay in response. I ran all the commands you asked for, but how do I safely post that here? It has all my domain info and keys listed.
I only suggested to inspect the domain(s) in the offered web cert (Subject common name & SAN).
I did not expect you to post the full output.
For the above two, just do as you did before:
Are you running Pi-hole with a public accessible domain?
It is not publicly accessible. I have my domain through Cloudflare and I have a certificate manager that talks to Cloudflare to keep my certs updated. My domain is just local to my internal network.
I've just updated to Pi-hole 6 and followed the instructions to modify pihole.toml with the SSL cert location and then restarted Pi-hole. The web browser reports the certificate as good, but Pi-hole reports an error:
CERTIFICATE_DOMAIN_MISMATCH SSL/TLS certificate /etc/pihole/ssl/combined.pem does not match domain pi.hole!
Does this have to do with the portion of pihole.toml:
piholePTR = "PI.HOLE"
Perhaps that should be changed to:
piholePTR = "HOSTNAMEFQDN"
?
Edit: looks like that worked for me to resolve the "mismatch" error after restarting pi-hole.
This issue is still there (debug token is: https://tricorder.pi-hole.net/JyhcM7Xg/) My understanding that will be a code change to fix it?
Sorry to reopen an old thread (I’m on the spectrum, so any kind of error/warning message triggers that itch… ha ha ha)
After looking through the C source code, I think I might have a guess as to why some users are still seeing this error.
I own the public/internet domain: zacwolf.com, so I named my private/intranet LAN lan.zacwolf.com, essentially an inward-facing “private” subnet of my outward-facing “public” domain.
In source file: FTL/src/webserver/x509.c
The function at line 318:
static bool check_wildcard_domain(const char *domain, char *san, const size_t san_len)
…I believe it is expecting the domain that is passed to the function to be either a single-word domain (i.e., pihole, lan, etc.) or at most a two-word "root domain" format (i.e., pihole.net), so given that I'm using what is essentially a three-word "subdomain" AS my internal domain name (if I'm reading the C code at line 322 correctly), the code expects my server name to be "lan"? I'm not fluent enough in C to know for sure, but based on the comment above the line, I believe that's what's happening? That's just a guess, though.
I generated my certificate through Let’s Encrypt for the wildcard “*.lan.zacwolf.com” inward-facing domain, because I use a different certificate for my outward-facing public root domain “*.zacwolf.com”. So the certificate I use for my PiHole is valid and is only ever served to devices on my LAN, so there are no actual SSL/TLS problems; it just causes the error message at startup.
I would say this is a low-priority "cosmetic" type of issue, as how many people are using a 3+ word domain name, THOUGH it might be a more common international use case, i.e., if I were in the UK, my root domain might be something like .co.uk vs .com, but again it's probably a rare edge case.
-Zac
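Added example (not Pi-hole/FTL code, and not a reading of FTL/src/webserver/x509.c): a pure-Python matcher that applies the usual RFC 6125 rules for comparing a certificate's SAN DNS names and Subject CN against a domain, run over constructed names that mirror the cases in this thread: a cert issued for pihole.anydomain.com checked against the default webserver.domain value pi.hole (the domain named in the CERTIFICATE_DOMAIN_MISMATCH message above), the pi.hole cert from the openssl s_client output earlier, and the *.lan.zacwolf.com wildcard from the last post. It also contains a deliberately naive "two-label root" matcher, labelled hypothetical, purely to illustrate the behaviour the last post guesses at; whether FTL's check_wildcard_domain actually behaves like that is not established here. All domain names and SAN lists are constructed for the example.

```python
"""Certificate name vs. domain matching (RFC 6125 s6.4.3 / RFC 9525 rules).

Added example, not Pi-hole/FTL code.  Domains and SAN lists are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; a trailing dot only marks an absolute name.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, domain: str) -> bool:
    """True if one certificate DNS name (possibly a wildcard) covers `domain`.

    * exact, case-insensitive match, or
    * a wildcard that is the whole leftmost label ("*.example.com"), which
      covers exactly one label: "a.example.com" but neither "example.com"
      nor "a.b.example.com".
    * "*" alone, "*.com", and partial-label wildcards ("p*.example.com")
      never match.
    """
    pat, dom = _labels(pattern), _labels(domain)
    if "" in pat or "" in dom:          # empty label, e.g. "pi..hole"
        return False
    if pat == dom:
        return True
    if pat[0] != "*":                    # no wildcard: only exact matches count
        return False
    if len(pat) < 3:                     # "*" or "*.tld" would cover far too much
        return False
    if any("*" in label for label in pat[1:]):
        return False
    # the wildcard consumes exactly one label; the rest must match label for label
    return len(dom) == len(pat) and dom[1:] == pat[1:]


@dataclass
class CertNames:
    """The two name fields the checks in this thread look at."""
    subject_cn: str | None
    san_dns: list[str] = field(default_factory=list)


def cert_matches_domain(cert: CertNames, domain: str) -> bool:
    """SAN DNS entries are authoritative; the CN is consulted only if no DNS SAN exists."""
    if cert.san_dns:
        return any(dns_name_matches(n, domain) for n in cert.san_dns)
    return bool(cert.subject_cn) and dns_name_matches(cert.subject_cn, domain)


def two_label_root_only_match(pattern: str, domain: str) -> bool:
    """HYPOTHETICAL naive matcher, NOT FTL's code.

    Treats the last two labels as the "root domain" and accepts a wildcard
    only directly beneath it.  It shows why a three-label internal domain
    such as lan.zacwolf.com would fail such a check while *.zacwolf.com passes.
    """
    pat, dom = _labels(pattern), _labels(domain)
    return pat[0] == "*" and len(pat) == 3 and len(dom) == 3 and pat[1:] == dom[1:]


# Constructed certificates mirroring the thread's cases.
PUBLIC_SUBDOMAIN_CERT = CertNames("pihole.anydomain.com", ["pihole.anydomain.com"])
PI_HOLE_CERT = CertNames("pi.hole", ["pi.hole"])                      # openssl s_client output above
LAN_WILDCARD_CERT = CertNames("*.lan.zacwolf.com", ["*.lan.zacwolf.com"])


if __name__ == "__main__":
    cases = [
        (PUBLIC_SUBDOMAIN_CERT, "pi.hole"),                # default webserver.domain
        (PUBLIC_SUBDOMAIN_CERT, "pihole.anydomain.com"),  # the name the cert was issued for
        (PI_HOLE_CERT, "PI.HOLE"),                         # case-insensitive
        (LAN_WILDCARD_CERT, "pihole.lan.zacwolf.com"),     # wildcard covers one label
        (LAN_WILDCARD_CERT, "lan.zacwolf.com"),            # zone apex is not covered
    ]
    for cert, dom in cases:
        print(f"{cert.san_dns[0]:>22}  vs  {dom:<24} -> {cert_matches_domain(cert, dom)}")
```

Run it directly to print the match table; the takeaway for the thread is that the check is against whatever domain Pi-hole believes it is serving (webserver.domain), so a perfectly valid cert for pihole.anydomain.com still fails against pi.hole, and a wildcard such as *.lan.zacwolf.com covers hosts under lan.zacwolf.com but not lan.zacwolf.com itself.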