Setting certificate from file instead the GUI #634
Comments
ameshkov
changed the title
|
Got it, thank you for the feature request! While we're considering it and waiting for people to vote on this feature request, there is a temporary solution, that would require some scripting on your side. You'll need to stop AGH, change the certificate in AdGuardHome.yml, and start AGH back. |
|
If anyone else has that need, I created a wrapper that implements automatic certificates using let's encrypt. |
|
@via-justa that's awesome! I guess we should consider providing let's encrypt integration natively. |
|
@ameshkov as of now, I couldn't find a let's encrypt go package that supports let's encrypt DNS-01 challenge so the implementation will be limited to HTTP challenge with them and it won't work if you're behind an FW, that's why I didn't use the builtin packages. |
|
Just had the same problem using docker. Not sure integration of LetsEncrypt will solve anything as certbot is widely available and easy to use (and has DNS plugins for many service providers like cloudflare, digitalocean and such). I think it would be awesome if you could just provide a path to a chain and key file. Keep the text inputs in the admin GUI, but instead of storing them in the JSON, just save the files into something like That solves alot of use cases:
In addition to this:
|
|
I agree the way to use SSL certificate file instead of .yaml settings file. |
|
As this product is for home users and not for power users like us, it should have a user friendly solution, using a file require the user to understand how certificates works and how to get them and export them in the right way (e.g. pem files) and with the right permissions.
Integrating Let's Encrypt will allow the regular user have the benefits of SSL without the need to understand how the mechanism works. Adding a default DDNS service like xip.io or duck dns will also remove the need to create the DNS name and will, in theory, provide the option to enable DoT with a tick box same as enabling the filters or DHCP.
In my opinion, using a file will be much less user friendly. But I agree that the key should not be visible in clear text via the web interface.
Best regards,
Nir Tal
…________________________________
From: alexsannikov <notifications@github.com>
Sent: Tuesday, March 26, 2019 2:04:43 PM
To: AdguardTeam/AdGuardHome
Cc: via-justa; Mention
Subject: Re: [AdguardTeam/AdGuardHome] Setting certificate from file instead the GUI (#634)
I agree the way to use SSL certificate file instead of .yaml settings file.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#634 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AYh12kkYwFFwITXSe_BI3jWbUkfP60_7ks5vahrrgaJpZM4bnOa8>.
|
|
@via-justa I'm not sure labeling it for home users or integrate LetsEncrypt will solve anything. Using it at home (raspberry/pihole whatever) has no requirement for SSL except outbound and there is no reason why a home user would go through the hassle to encrypt LAN DNS queries. LetsEncrypt would just introduce alot of use cases, dependencies and require alot of technical knowledge. You need to setup DDNS, you need to expose the proper ports (if you even can and the router gives you the options) and route them to the correct device. Otherwise the http challenge will not work. Installing or self signing a certificate file is the first tutorial you can find besides propper port forwarding when it comes to guides. Switching the GUI to inputs and storing the input into files would change nothing UI wise right now and give any other user the option to configure the service properly. |
|
@adrianrudnik You can do it without opening ports, you can use the DNS-01 challenge as you can see in my implementation (I'm running it via caddy client). I can think of a few reasons why a home user will want to use DoT and not all of them use Pi, running it on DigitalOcean is as easy if not even easier than running it on a Pi. I can tell you that the main reason I like to implement it is to make sure my ISP is not playing with my DNS results and I'm running it externally. As I see it, if you work with a file, there are too many changes that need to be implemented and too many things that the user can do wrong when providing the certificate (and as it's not via the GUI, he won't get the indication of what's wrong). In my opinion, it's not a good idea but it's not my decision, I'm a user like you 😄 |
|
I really like the ability to select an file, this because i'm having an Nginx server with reverse proxy set to the adguard home. My Nginx server (jail) is handling the certificates for all (sub)domains. So if i just can point from AdGuard Home to the location my Nginx server has put the files it would be great! |
|
vote +1 |
|
I too think that an option to use certificate file path would be simple enough for all DoH users (Let's Encrypt or otherwise). If 'home' users are smart enough to copy-paste contents of those files, they sure can enter a path to those files instead. |
|
For now, until this feature is developed, I'm using a simple Ruby script to replace the key and cert in the YAML files with the updated contents. After reading this thread, I realized maybe I should make it more universal and share, so here it is for anyone interested: https://github.com/vt0r/adguardhome_certinjector I've only tested it on Ruby 2.5.1, but I don't think I used any new methods that would prevent using a much older release. I also only used built-ins to make it work on most system Ruby installs. |
I'm running AGH on docker-compose with the official release. I'm using Caddy as a frontend proxy + let's encrypt client.
I would like to share the certificate I get from Caddy and use it for DoT instead of updating the certificate every time it gets rotated.
Having an option to point to a file in the file system to get the certificate will allow mounting the certificates from Caddy.
You can see my implementation here
The text was updated successfully, but these errors were encountered: