PiHole - self signed certs of other devices in local network

Hi all,

I got a little issue. I'm not understanding why this happens. It shouldn't be related to Pi-hole, but it seems to be.

First I installed it in a container. I tried to access the GUI; it won't work.
After I couldn't find out why, I thought it was a Docker issue.

So I've installed a fresh Ubuntu 22.04 Server and installed Pi-hole directly on it.

Same behavior, no admin GUI. I've tried to access it from the Hyper-V machine where it's hosted, and it works.
I tried to change the DNS on my Mac to Pi-hole. Admin GUI works. Internet works too.
But all other local servers/machines don't work anymore.

Ping and SSH are working. HTTPS seems to be a problem, but ... not only for the FQDN, it happens with the IP address too.

curl: (60) SSL certificate problem: unable to get local issuer certificate

I absolutely don't understand why.

Pi-hole as DNS -> internet and Pi-hole GUI work; local servers with self-signed certs don't.

Any other DNS / firewall / Google -> internet and all local machines work; Pi-hole doesn't.

As far as I know, Pi-hole is not a transparent proxy; it only resolves. From my POV there is no reason for this behavior.

Maybe anyone has an idea :)

Greetings

Does pihole know the hostnames that you want to resolve? If not, enter them under "Local DNS Records"

Hi,
An IP address isn't a hostname. So at least I found the issue today.

It was not Pi-hole, it is Google Chrome. For some reason it isn't able to trust self-signed certs.

Greetings

You would have to add the Certificate Authority that signed the cert as a trusted CA.

It is:

$ openssl s_client -connect 10.0.0.5:443 </dev/null 2>/dev/null | openssl x509 -noout -text
[..]
        Issuer: CN = pi.hole
        Validity
            Not Before: Jan  1 00:00:00 2001 GMT
            Not After : Dec 31 23:59:59 2030 GMT
[..]
        Subject: CN = pi.hole
[..]
            X509v3 Subject Alternative Name:
                DNS:pi.hole

EDIT: For SNI, you can use the -servername argument, e.g.:

openssl s_client -connect 10.0.0.5:443 -servername pi.hole </dev/null 2>/dev/null | openssl x509 -noout -text

The above is a bit similar to how a browser does it after it resolved the domain to an IP via DNS.
It connects via IP and asks the web server for content for the -servername domain.

Below, the -k argument skips cert validation:

$ curl -Ikv https://10.0.0.5/
[..]
* Server certificate:
*  subject: CN=pi.hole
*  start date: Jan  1 00:00:00 2001 GMT
*  expire date: Dec 31 23:59:59 2030 GMT
*  issuer: CN=pi.hole
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
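As an added example (not part of this thread or of Pi-hole), the same checks the openssl and curl output above lets you do by eye, done from Python's standard library: fetch the leaf cert, trust exactly that cert (the "add the CA as trusted" step for a self-signed cert), and explain a verify failure as "self-signed" and/or "name not in SAN". The host, port and servername values are placeholders; the cert dictionaries are constructed from the values shown in the thread, and the diagnosis also covers a CA-signed cert with an IP SAN.

```python
"""Explain why a LAN device's TLS cert fails verification (curl error 60)."""
import socket
import ssl
import tempfile


def fetch_parsed_cert(host, port=443, servername=None):
    """Fetch the server's cert unverified, then reconnect trusting exactly that
    cert so Python returns the parsed subject/issuer/SAN dict (self-signed case;
    placeholder host values, adjust for your own device)."""
    pem = ssl.get_server_certificate((host, port))
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(pem)
    ctx = ssl.create_default_context(cafile=f.name)  # trust only this cert
    ctx.check_hostname = False                        # name is checked below
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            return tls.getpeercert()


def _matches(name, san):
    """Exact match, or a single-label wildcard such as *.pi.hole."""
    name, san = name.lower(), san.lower()
    if san.startswith("*."):
        return name.count(".") == san.count(".") and name.endswith(san[1:])
    return name == san


def diagnose(cert, expected_name):
    """Findings for a getpeercert()-style dict; empty list means it would verify."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    findings = []
    if subject == issuer:
        findings.append("self-signed: issuer equals subject, so no system CA vouches for it; "
                        "trust this exact cert (curl --cacert / OS trust store)")
    if not any(_matches(expected_name, san) for san in sans):
        findings.append(f"name mismatch: {expected_name!r} not in SAN {sans}; "
                        "connect by a listed name or reissue with an IP SAN")
    return findings


# Constructed from the openssl output in the thread (CN and SAN pi.hole, self-issued).
PI_HOLE_CERT = {
    "subject": ((("commonName", "pi.hole"),),),
    "issuer": ((("commonName", "pi.hole"),),),
    "subjectAltName": (("DNS", "pi.hole"),),
}

if __name__ == "__main__":
    for finding in diagnose(fetch_parsed_cert("10.0.0.5", servername="pi.hole"), "pi.hole"):
        print(finding)
```

Connecting by IP, as in the thread, trips both findings: the cert is self-signed and 10.0.0.5 is not in its SAN, which is why the error persisted for the IP as well as the FQDN.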
