link to let's encrypt certificates doesn't work #67

Open
guizmoau opened this issue Sep 30, 2022 · 15 comments · May be fixed by #154
Comments

@guizmoau

Context

Hardware: VPS bought online
YunoHost version: last stable
I have access to my server: through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
Description of my issue

Describe the bug

I have a working installation of AdGuard Home, and I initially copied/pasted the Let's Encrypt certificates into the encryption setup of AdGuard Home.

Now the certificate has expired and I am trying to make a permanent and elegant configuration, such as a link file to the certificate, so it will still be valid after being updated by certbot.

So I located the certificates in /etc/yunohost/certs/my.domain.com/crt.pem and key.pem.

I first tried to declare that path in AdGuard Home but got an error message from AdGuard Home: "permission denied".

Then I created two link files in /var/www/adguardhome and changed their ownership (chown -h) in accordance with the folder's existing ownership.

But AdGuard Home still says "permission denied".

Expected behavior

AdGuard Home shall be running as the root user or similar, and it shall therefore be able to read those files.

@MohamedElashri

You can work around that by copying and pasting the certificate and the key.

@guizmoau
Author

@MohamedElashri yes, and you can be in trouble every time the certificate is out of date.

I have already done that; I'm more looking for a real solution now.

@mx4k

mx4k commented Nov 20, 2022

I have the same issue. I'm not really sure whether the certificate belongs as plaintext in the app config.

@mx4k

mx4k commented Nov 20, 2022

> You can work around that by copying and pasting the certificate and the key.

From where to where?

@MohamedElashri

MohamedElashri commented Nov 20, 2022

> > You can work around that by copying and pasting the certificate and the key.
>
> From where to where?

Copy the content of /etc/yunohost/certs/<domain>/crt.pem and /etc/yunohost/certs/<domain>/key.pem into the fields for the certificate and key inside the encryption section of the AdGuard Home settings.

Or copy the path to crt.pem and key.pem, which are located at /etc/yunohost/certs/<domain>/crt.key and /etc/yunohost/certs/<domain>/key.pem respectively.

@guizmoau
Author

guizmoau commented Nov 25, 2022

Why can't we just copy the path, so we don't have to copy and paste by hand at each renewal?!

@MohamedElashri

You can do that now.

@tituspijean
Member

Potential solution for packagers: give the $app user permission to read /etc/yunohost/certs/<domain>/.
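An added illustration of the permission walk behind the "permission denied" reported in this thread, and of the fix suggested just above; this is example code written for this page, not YunoHost or AdGuard Home code. The certs tree, the file modes, the symlink in the app directory and the "app" identity (uid and gid one above the current user) are all constructed in a temporary directory, and the helper `explain_access` is hypothetical: it emulates the kernel's DAC check for a non-root process by resolving symlinks first (which is why `chown -h` on a link changes nothing), requiring search (x) permission on every directory below an assumed-reachable `base`, and read (r) on the resolved target. A real grant with `setfacl` or a group membership is emulated by adding the cert directory's group to the app identity's supplementary groups.

```python
import os
import shutil
import stat
import tempfile


def _has_bit(st, uid, groups, user_bit, group_bit, other_bit):
    """Pick the permission class the way the kernel does: owner first,
    then group (any supplementary group counts), then other."""
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in groups:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def explain_access(path, uid, groups, base="/"):
    """Hypothetical helper emulating access(path, R_OK) for a non-root identity.

    Returns (readable, reason). Symlinks are resolved first, so the owner of a
    link (chown -h) is irrelevant; each directory below `base` needs search (x)
    permission and the final target needs read (r). `base` is a directory the
    identity is assumed to reach already (normally "/").
    """
    if uid == 0:
        return True, "uid 0 bypasses DAC permission bits"
    base = os.path.realpath(base)
    real = os.path.realpath(path)
    prefix = base.rstrip("/") + "/"
    if not real.startswith(prefix):
        raise ValueError(f"{real} is outside {base}")
    cur = base
    for comp in real[len(prefix):].split("/"):
        st = os.stat(cur)
        if not _has_bit(st, uid, groups, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, f"no search (x) permission on {cur} (mode {oct(st.st_mode & 0o7777)})"
        cur = os.path.join(cur, comp)
    st = os.stat(cur)
    if not _has_bit(st, uid, groups, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, f"no read (r) permission on {cur} (mode {oct(st.st_mode & 0o7777)})"
    return True, f"readable: {path} resolves to {cur}"


def run_demo():
    """Constructed scene: a YunoHost-style certs tree plus a symlink in the app
    directory, evaluated for the owner and for a distinct 'app' identity."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    try:
        certdir = os.path.join(root, "certs", "my.domain.com")
        os.makedirs(certdir)
        os.chmod(os.path.join(root, "certs"), 0o755)
        os.chmod(certdir, 0o750)  # only the owner and the group may enter
        crt = os.path.join(certdir, "crt.pem")
        key = os.path.join(certdir, "key.pem")
        for p in (crt, key):
            with open(p, "w") as fh:
                fh.write("-----BEGIN CONSTRUCTED PLACEHOLDER-----\n")
            os.chmod(p, 0o640)
        appdir = os.path.join(root, "www", "adguardhome")
        os.makedirs(appdir)
        os.chmod(os.path.join(root, "www"), 0o755)
        os.chmod(appdir, 0o755)
        link = os.path.join(appdir, "crt.pem")
        os.symlink(crt, link)  # the "link file" from the bug report

        owner_uid, cert_gid = os.getuid(), os.getgid()
        app_uid, app_gid = owner_uid + 1, cert_gid + 1  # constructed, distinct identity
        return {
            "owner_direct": explain_access(crt, owner_uid, {cert_gid}, root),
            "app_direct": explain_access(crt, app_uid, {app_gid}, root),
            "app_via_symlink": explain_access(link, app_uid, {app_gid}, root),
            # emulates granting the app user access to the certs directory
            "app_in_cert_group": explain_access(link, app_uid, {app_gid, cert_gid}, root),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, (ok, why) in run_demo().items():
        print(f"{label:18} {'OK ' if ok else 'DENIED'} {why}")
```

The walk stops at the first denied directory, which for the constructed tree is the per-domain certs directory: the symlink in the app directory is never the problem, the target's ancestors are. Granting the app user entry to that directory (group membership here, an ACL on a real system) is what turns the result into a read.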

Ddataa mentioned this issue Feb 6, 2023
@Ddataa
Member

Ddataa commented Feb 6, 2023

Solved in #89.

@kay0u
Member

kay0u commented Feb 15, 2023

I don't understand why you want to link these certs.

It's only useful when we want to access the AdGuard Home admin interface on a specific port, but on YunoHost you don't want that, because you can already access it through a reverse proxy (via yourdomain.tld).

@MohamedElashri

It is usually because people want to use the AdGuard Home DoH/DoT feature, so they need to enable encryption.

@kay0u
Member

kay0u commented Feb 15, 2023

DoH works out of the box. You can use https://youradguarddomain.tld/dns-query or tls://youradguarddomain.tld (you don't need to check the box "Enable Encryption (HTTPS, DNS-over-HTTPS, and DNS-over-TLS)").

I tried with mine with https://github.com/curl/doh and with the Firefox DNS configuration.
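As an added example of what the reverse-proxied /dns-query endpoint speaks (this is code written for this page, not code from AdGuard Home, YunoHost or the curl/doh tool mentioned above): an RFC 8484 DoH GET request carries a wire-format DNS query, base64url-encoded without padding, in the `dns` parameter. The block builds such a URL for an assumed server name, and parses a constructed response for example.com (answer 192.0.2.1, a documentation address) so the decoding side, including name-compression pointers, is visible. Nothing here touches the network; it only shows what to send to the endpoint and how to read what comes back.

```python
import base64
import struct

QTYPE_A = 1


def encode_qname(name):
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype=QTYPE_A):
    """Minimal DNS query. ID is 0 as RFC 8484 sec. 4.1 recommends, so identical
    queries produce identical URLs that HTTP intermediaries can cache."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def encode_dns_param(wire):
    """base64url without '=' padding, as RFC 8484 requires for the GET form."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def decode_dns_param(text):
    """Inverse of encode_dns_param (restores the stripped padding)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def doh_get_url(server, name, qtype=QTYPE_A):
    # `server` is an assumed host name; the path is the one quoted in the thread.
    return f"https://{server}/dns-query?dns={encode_dns_param(build_query(name, qtype))}"


def read_name(msg, off):
    """Decode a name at `off`, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as written in the message)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            if not jumped:
                end = off + 2
            jumped = True
            hops += 1
            if hops > 16:  # refuse pointer loops from a hostile resolver
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_a_answers(msg):
    """Return (rcode, [(name, ttl, ipv4)]) for the A records in a response."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0xF, answers


# Constructed response to the example.com query: one A record (192.0.2.1, a
# documentation address) whose owner name is a pointer back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_qname("example.com") + struct.pack("!HH", QTYPE_A, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("youradguarddomain.tld", "example.com"))
    print(parse_a_answers(SAMPLE_RESPONSE))
```

Fetching the printed URL with any HTTPS client and an `Accept: application/dns-message` header is the same exchange curl/doh performs; the response body is the wire-format message `parse_a_answers` expects.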

@MohamedElashri

It doesn't let you generate configuration files, which is what you need for system-wide DNS on Mac and iOS/iPad.

@Ddataa
Member

Ddataa commented Feb 15, 2023

Yes, when using AdGuard Home as an upstream DoH DNS for other AdGuard Home instances, you need to correctly activate encryption for AdGuard Home.

I did run into trouble when the certificate ran out and AdGuard Home had manually copied certificates.

@tibs245

tibs245 commented Jul 1, 2023

I think this answer can resolve your problem: #101 (comment)

OniriCorpe linked a pull request Dec 26, 2023 that will close this issue