AdGuard Home Certificate chain is invalid

jkshowers · May 15, 2023, 6:19pm

I am using Ubuntu 22 VPS hosted by Interserver.net

I ran the certbot to obtain a encryption certificate (pem) and everything went find. There were no errors doing it.

When I go to enter the information into AdGuard Home the private key entry has no location.

The certificate however shows the following:

In order to use encryption, you need to provide a valid SSL certificates chain for your domain. You can get a free certificate on letsencrypt.org or you can buy it from one of the trusted Certificate Authorities.

Status:

Certificate chain is invalid
Subject: CN=arandomdomain.net
Issuer: CN=R3,O=Let's Encrypt,C=US
Expires: 2023-08-12 17:36:58
Hostnames: arandomdomain.net

Any ideas how to get rid of that error?

Bruce5051 · May 15, 2023, 6:21pm

Hello @jkshowers, welcome to the Let's Encrypt community.

Have a look at Long (default) and Short (alternate) Certificate Chains Explained

Also:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

jkshowers · May 15, 2023, 7:01pm

Domain: arandomdomain.net

These are the commands I used:

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

sudo certbot certonly --standalone

Output was no errors and a Cetificate (SSL) and private key were created in the following directory

/etc/letsencrypt/live/arandomdomain.net/fullchain.pem

Error given in adguard:

Status:

Certificate chain is invalid
Subject: CN=arandomdomain.net
Issuer: CN=R3,O=Let's Encrypt,C=US
Expires: 2023-08-12 17:36:58
Hostnames: arandomdomain.net

/etc/letsencrypt/live/arandomdomain.net/privkey.pem

Good to go message:

Status:

This is a valid ECDSA private key

I am not sure the webserver I am using to be honest. But the server giving me the error is AdGuard Home.

Ubuntu 22 is the OS

Interserver.net is the hosting provider

I do have root access in SSH

No control panel is installed outside of AdGuard Home

Certbot should be the latest version as it was installed yesterday

Bruce5051 · May 15, 2023, 7:09pm

I find no IP Addresses for the domain name.

>nmap -4 -Pn -p80,443 arandomdomain.net
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-15 19:08 UTC
Failed to resolve "arandomdomain.net".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.44 seconds

>nmap -6 -Pn -p80,443 arandomdomain.net
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-15 19:08 UTC
Failed to resolve "arandomdomain.net".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.29 seconds

And using the online tool Let's Debug yields these results https://letsdebug.net/arandomdomain.net/1481727

and https://letsdebug.net/arandomdomain.net/1481728

rg305 · May 15, 2023, 7:24pm

Yes.
#1 Use the "long chain"
#2 Use another free CA
#3 Verify the correct cert files in use:
Which files did you provide to Adguard?
#4 Upgrade Adguard to latest version
#5 Windows Updates

Bruce5051 · May 15, 2023, 7:46pm

The domain name servers are not reporting information about the domain

$ nslookup -q=ns arandomdomain.net
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find arandomdomain.net: SERVFAIL

$ nslookup -q=ns arandomdomain.net DNS2031A.TROUBLE-FREE.NET.
Server:         DNS2031A.TROUBLE-FREE.NET.
Address:        64.20.52.123#53

** server can't find arandomdomain.net: REFUSED

rg305 · May 15, 2023, 7:52pm

Sounds... a bit made up.

Osiris · May 15, 2023, 7:59pm

Could you perhaps explain a little bit more why you're trying to get a certificate installed in your "AdGuard Home"?

MikeMcQ · May 15, 2023, 8:02pm

Are you following instructions such as these?

Did you paste the cert.pem file or the fullchain.pem file (should be the latter)

And, what do you mean there was no spot for the private key. Does your screen not look like here in Configure AdGuard Home

jkshowers · May 15, 2023, 8:21pm

Thank you all so much for reaching out and the help. The DNS for the domain hand;t quite set up and needed a tweak. I figured that out when one of you mentioned and showed the domain errors. I reformated the server. Reran the certbot and then installed AdGuard Home and did it again and all went through.'

Thank you Thank you Thank

J K

system · June 14, 2023, 8:21pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.