SSL Error when Pi-hole is used as a DNS server

Hello,

I am experiencing https://mangadex.org not being able to load on my network (SSL_ERROR_RX_RECORD_TOO_LONG in Firefox) as long as I have my router pointed at my Pi-hole as a DNS server. When I remove my Pi-hole's IP from my router's DNS settings and allow it to resolve DNS normally, the site starts to work again. The errors I am seeing seem to indicate that the SSL cert cannot be loaded or is not passing through the Pi-hole cleanly somehow.

I saw this question, which looks related, but as I do not use an OpenDNS filtering service I do not believe this to be the same, though I do use OpenDNS for my upstream IPv4 servers...

In the aforementioned question, the OP was asked for the output of the following commands, so I will include them here:

~$ uname -a
Linux rpi 4.19.75-v7+ #1270 SMP Tue Sep 24 18:45:11 BST 2019 armv7l GNU/Linux
~$ pihole -v
  Pi-hole version is v5.4 (Latest: v5.4)
  AdminLTE version is v5.6 (Latest: v5.6)
  FTL version is v5.9 (Latest: v5.9)
~$ date
Wed 15 Sep 2021 01:05:06 PM CDT
~$ host mangadex.org localhost
Using domain server:
Name: localhost
Address: ::1#53
Aliases:

mangadex.org has address 185.178.208.185
~$ echo | openssl s_client -connect mangadex.org:443 2>/dev/null | openssl x509 -text
unable to load certificate
1996415040:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
~$ nslookup mangadex.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   mangadex.org
Address: 185.178.208.185

~$ pihole -q mangadex.org
  [i] No results found for mangadex.org within the block lists
~$

Expected Behaviour:

DNS will resolve, site will load

Actual Behaviour:

Site errors

Debug Token:

https://tricorder.pi-hole.net/Gd6rdeS8/

I'm not seeing any errors with that domain on a stock Pi-hole.

$ dig +short mangadex.org @pi.hole
185.178.208.185

$ openssl s_client -connect mangadex.org:443 2>/dev/null | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:28:25:01:83:0c:cb:90:c5:8b:15:fc:02:d5:21:03:26:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Sep  1 20:47:50 2021 GMT
            Not After : Nov 30 20:47:49 2021 GMT
        Subject: CN = *.mangadex.org

Same here with unbound as upstream.

Did you try switching your upstream DNS server?

Rerunning the openssl command should tell you straight away if it works with a different upstream.

I have changed my upstream server to Cloudflare and still see the issue. I set this rpi up with Pi-hole two-ish years ago and haven't touched it outside of keeping Raspbian and Pi-hole updated, so I'm not sure what could be different from a stock image.

Is the output for the openssl command with Cloudflare also the same?

Yes

~$ echo | openssl s_client -connect mangadex.org:443 2>/dev/null | openssl x509 -text
unable to load certificate
1995935808:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
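Both symptoms in this thread, the Firefox SSL_ERROR_RX_RECORD_TOO_LONG in the first post and the "no start line" from openssl x509 in the replies (s_client produced no certificate, and its own error message went to /dev/null), mean the client received something other than a TLS record back from port 443. The following is an added example, not code from this thread or from the Pi-hole project: it decodes the first bytes of a reply the way a browser's record layer does, and includes a raw probe that connects to a chosen address so the IP the Pi-hole returned can be tested directly (the host name, the address and the cipher suites in it are constructed inputs, and the check is a simplified version of what NSS and OpenSSL do, not a copy).

```python
import os
import socket
import struct

# Largest record payload a TLS peer may send: 2^14 plus up to 2048 bytes of
# expansion (RFC 5246 s.6.2.3). A length above this is "record too long".
MAX_TLS_RECORD_LEN = 2**14 + 2048
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data


def classify_first_bytes(data: bytes) -> dict:
    """Read the first 5 bytes as a TLS record header, as a browser would.
    Verdicts: 'tls', 'record_too_long' (Firefox: SSL_ERROR_RX_RECORD_TOO_LONG),
    'not_tls', or 'too_short' (peer closed before sending a full header)."""
    if len(data) < 5:
        return {"verdict": "too_short", "looks_like_http": False}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    result = {"content_type": ctype, "version": version, "length": length,
              "looks_like_http": data.startswith(b"HTTP/")}
    if ctype in TLS_CONTENT_TYPES and version >> 8 == 3 and length <= MAX_TLS_RECORD_LEN:
        result["verdict"] = "tls"
    elif length > MAX_TLS_RECORD_LEN:
        # "HTTP/..." read as a header gives length 0x502F ('P/') = 20527 bytes
        result["verdict"] = "record_too_long"
    else:
        result["verdict"] = "not_tls"
    return result


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying only an SNI extension; enough to
    make any real TLS server answer with some TLS record, if only an alert."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, no session id
            + b"\x00\x04\xc0\x2f\xc0\x30"             # two ECDHE-RSA-AES-GCM suites
            + b"\x01\x00"                             # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe(host: str, ip=None, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to `ip` (or `host` via the system resolver), send a ClientHello
    for `host`, and classify the first bytes that come back."""
    with socket.create_connection((ip or host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = sock.recv(5)
    return classify_first_bytes(data)
```

Run `probe("mangadex.org", ip)` once with the address `dig @pi.hole` returns and once with the address another resolver returns; if both report 'tls', DNS is not the problem. Re-running the thread's s_client command without `2>/dev/null` shows the same failure in words.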
