starred/AdGuardHome
1
0
Fork 0
mirror of https://github.com/AdguardTeam/AdGuardHome.git synced 2026-03-04 00:01:12 -05:00
Code Issues 1.2k Projects Packages Wiki Activity

Expand symlinks when loading certificate and key files content #2569

New issue
Open
opened 2026-03-04 02:07:45 -05:00 by deekerman · 11 comments
deekerman commented 2026-03-04 02:07:45 -05:00
Owner
Copy link

Originally created by @Aesir on GitHub (Mar 16, 2021).

Originally assigned to: @ainar-g on GitHub.

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Issue Details

  • Version of AdGuard Home server:
    • Version: v0.105.2
  • How did you install AdGuard Home:
    • Docker image: adguard/adguardhome:latest
  • How did you setup DNS configuration:
    • Docker on VPS
  • CPU architecture:
    • Digital Ocean basic Docker droplet - 1 GB Memory / 25 GB Disk / SFO3
  • Operating system and version:
    • Docker 19.03.12 on Ubuntu 20.04

Expected Behavior

My certs are pem files from LetsEncrypt generated by Swag. Under Settings -> Encryption Settings -> Certificates I should be able to point my certificate path to the fullchain.pem file and the private key file path to privkey.pem. If there are issues with the certificates themselves, the UI should just say so and not tell me that there's no such file or directory or the cert chain is invalid when the issue is with the key file.

Actual Behavior

As far as I can tell, the only way to get the files to work at all is to set both fields to point to priv-fullchain-bundle.pem. The UI will give various spurious missing file errors and invalid key errors until both fields are set to point to this combined cert/private key file.

Screenshots

This is what I would expect to put into these fields. These files work perfectly when copied and pasted into the text fields but for some reason don't work when I just point to the files. Notice that the UI is giving a spurious "No such file or directory" error. It gives this for files it does not like regardless of whether or not they actually exist.

image

Here I have the cert pointing to the file that will eventually work while the private key is still pointing to the `privkey.pem` file. Notice that the UI tells me my cert chain is invalid, even though it is not, and it's also telling me that the privkey file now doesn't exist.

image

Same with the other way around only now it's the `fullchain.pem` file that it claims doesn't exist.

image

And here we have it set up in the only way I can find to make it happy. It's only by accepting both files that it stops throwing spurious errors and for some reason it wants the full chain and key pair for the files whereas it's perfectly happy to take them separately when pasting the keys in as text.

image

Originally created by @Aesir on GitHub (Mar 16, 2021). Originally assigned to: @ainar-g on GitHub. - [X] I am running the latest version - [X] I checked the documentation and found no answer - [X] I checked to make sure that this issue has not already been filed ### Issue Details * **Version of AdGuard Home server:** * Version: v0.105.2 * **How did you install AdGuard Home:** * Docker image: adguard/adguardhome:latest * **How did you setup DNS configuration:** * Docker on VPS * **CPU architecture:** * Digital Ocean basic Docker droplet - 1 GB Memory / 25 GB Disk / SFO3 * **Operating system and version:** * Docker 19.03.12 on Ubuntu 20.04 ### Expected Behavior My certs are pem files from LetsEncrypt generated by [Swag](https://github.com/linuxserver/docker-swag). Under Settings -> Encryption Settings -> Certificates I should be able to point my certificate path to the `fullchain.pem` file and the private key file path to `privkey.pem`. If there are issues with the certificates themselves, the UI should just say so and not tell me that there's no such file or directory or the cert chain is invalid when the issue is with the key file. ### Actual Behavior As far as I can tell, the only way to get the files to work at all is to set both fields to point to `priv-fullchain-bundle.pem`. The UI will give various spurious missing file errors and invalid key errors until both fields are set to point to this combined cert/private key file. ### Screenshots <details> <summary>This is what I would expect to put into these fields. These files work perfectly when copied and pasted into the text fields but for some reason don't work when I just point to the files. Notice that the UI is giving a spurious "No such file or directory" error. It gives this for files it does not like regardless of whether or not they actually exist.</summary> ![image](https://user-images.githubusercontent.com/447759/111282137-e843ae80-85fa-11eb-9f57-4fe9c841a045.png) </details> <details> <summary>Here I have the cert pointing to the file that will eventually work while the private key is still pointing to the `privkey.pem` file. Notice that the UI tells me my cert chain is invalid, even though it is not, and it's also telling me that the privkey file now doesn't exist.</summary> ![image](https://user-images.githubusercontent.com/447759/111282654-7750c680-85fb-11eb-98ae-b20ccc266c4c.png) </details> <details> <summary>Same with the other way around only now it's the `fullchain.pem` file that it claims doesn't exist.</summary> ![image](https://user-images.githubusercontent.com/447759/111282989-d3b3e600-85fb-11eb-8177-eb159f7336a1.png) </details> <details> <summary>And here we have it set up in the only way I can find to make it happy. It's only by accepting both files that it stops throwing spurious errors and for some reason it wants the full chain and key pair for the files whereas it's perfectly happy to take them separately when pasting the keys in as text.</summary> ![image](https://user-images.githubusercontent.com/447759/111283390-4f159780-85fc-11eb-9a63-4ea30a76ee22.png) </details>
deekerman commented 2026-03-04 02:07:48 -05:00
Author
Owner
Copy link

@ameshkov commented on GitHub (Mar 16, 2021):

Well, if it says that the file does not exist, it either really does not exist by that path, or there's a permission problem.

One more possibility: could it be that you're using symlinks?

@ameshkov commented on GitHub (Mar 16, 2021): Well, if it says that the file does not exist, it either really does not exist by that path, or there's a permission problem. One more possibility: could it be that you're using symlinks?
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@Aesir commented on GitHub (Mar 16, 2021):

It's using symlinks within the Swag container, but I'm not sure which direction they point. I also expose the certs to docker with a volume mapping, which I believe use symlinks. It would be very weird that it can see one file in the same folder as the other two and has no problem seeing the files themselves under certain file combinations (see the screenshots).

It's much more likely that it can see the files and it's just throwing the error every time the file fails to pass all of the validation passes.

@Aesir commented on GitHub (Mar 16, 2021): It's using symlinks within the Swag container, but I'm not sure which direction they point. I also expose the certs to docker with a volume mapping, which I believe use symlinks. It would be very weird that it can see one file in the same folder as the other two and has no problem seeing the files themselves under certain file combinations (see the screenshots). It's much more likely that it can see the files and it's just throwing the error every time the file fails to pass all of the validation passes.
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@ameshkov commented on GitHub (Mar 16, 2021):

files themselves under certain file combinations (see the screenshots).

All three are the same - it tries to open the first file, can't find it and returns "no such file" error without even trying to open the second one.

It's much more likely that it can see the files and it's just throwing the error every time the file fails to pass all of the validation passes.

It would've shown a different error then.

@ameshkov commented on GitHub (Mar 16, 2021): > files themselves under certain file combinations (see the screenshots). All three are the same - it tries to open the first file, can't find it and returns "no such file" error without even trying to open the second one. > It's much more likely that it can see the files and it's just throwing the error every time the file fails to pass all of the validation passes. It would've shown a different error then.
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@Aesir commented on GitHub (Mar 16, 2021):

All three are the same - it tries to open the first file, can't find it and returns "no such file" error without even trying to open the second one.

The first and 3rd are fullchain, the 2nd is privkey.

It would've shown a different error then.

I didn't include screenshots of every combination I tried while trying to get a key file to work. When messing around with different keys files, it becomes very clear that it's giving the file not found error regardless no matter what if it doesn't like the key file. It isn't doing it because the file isn't there. There is a bug in the logic that displays the error, probably some sort of top-level handler that adds the message whenever there's an issue during file loading.

@Aesir commented on GitHub (Mar 16, 2021): > All three are the same - it tries to open the first file, can't find it and returns "no such file" error without even trying to open the second one. The first and 3rd are fullchain, the 2nd is privkey. > It would've shown a different error then. I didn't include screenshots of every combination I tried while trying to get a key file to work. When messing around with different keys files, it becomes very clear that it's giving the file not found error regardless no matter what if it doesn't like the key file. It isn't doing it because the file isn't there. There is a bug in the logic that displays the error, probably some sort of top-level handler that adds the message whenever there's an issue during file loading.
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@ameshkov commented on GitHub (Mar 17, 2021):

The problem is that I cannot reproduce it.

It shows a human-readable error to me. For instance, when I try to point the cert to the key file, it shows "You have specified an empty certificate" error, and when I specify key file instead of crt, I am getting "No valid keys were found" which is also a proper error.

Let's try taking a look at the verbose log.

  1. Configure AdGuard Home to write verbose-level log.
  2. Reproduce the issue.
  3. Post the log file here (remove private info from it)
@ameshkov commented on GitHub (Mar 17, 2021): The problem is that I cannot reproduce it. It shows a human-readable error to me. For instance, when I try to point the cert to the key file, it shows "You have specified an empty certificate" error, and when I specify key file instead of crt, I am getting "No valid keys were found" which is also a proper error. Let's try taking a look at the verbose log. 1. [Configure](https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#verboselog) AdGuard Home to write verbose-level log. 2. Reproduce the issue. 3. Post the log file here (remove private info from it)
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@Aesir commented on GitHub (Mar 17, 2021):

Not too helpful, I got one line for every letter typed.

2021/03/17 07:56:02 1#89 [debug] POST /control/tls/validate
2021/03/17 07:56:03 1#91 [debug] POST /control/tls/validate
2021/03/17 07:56:04 1#93 [debug] POST /control/tls/validate
2021/03/17 07:56:04 1#95 [debug] POST /control/tls/validate
2021/03/17 07:56:05 1#97 [debug] POST /control/tls/validate
2021/03/17 07:56:08 1#99 [debug] POST /control/tls/validate
2021/03/17 07:56:12 1#101 [debug] POST /control/tls/validate
2021/03/17 07:56:15 1#103 [debug] POST /control/tls/validate
2021/03/17 07:56:15 1#105 [debug] POST /control/tls/validate
2021/03/17 07:56:47 1#107 [debug] POST /control/tls/validate
2021/03/17 07:56:52 1#109 [debug] POST /control/tls/validate
2021/03/17 07:56:52 1#111 [debug] POST /control/tls/validate
2021/03/17 07:56:54 1#113 [debug] POST /control/tls/validate

It does seem to come down to a symlink issue though. Hopefully this will help get it figured out.

Screenshot 2021-03-17 012226

The check of the log file was just to make sure my command was working. As you can see, test returns false for both of the standard files, I'm guessing because they're symlinks, while priv-fullchain-bundle.pem is not and tests true. I figured I'd also through in my docker-compose file in case it was a permission issue or I could update my volume mappings to fix the issue. I could probably point to the ../../archive directory instead but I believe that the specific paths there are supposed to change over time so at that point I might as well paste the keys in.

@Aesir commented on GitHub (Mar 17, 2021): Not too helpful, I got one line for every letter typed. `2021/03/17 07:56:02 1#89 [debug] POST /control/tls/validate` `2021/03/17 07:56:03 1#91 [debug] POST /control/tls/validate` `2021/03/17 07:56:04 1#93 [debug] POST /control/tls/validate` `2021/03/17 07:56:04 1#95 [debug] POST /control/tls/validate` `2021/03/17 07:56:05 1#97 [debug] POST /control/tls/validate` `2021/03/17 07:56:08 1#99 [debug] POST /control/tls/validate` `2021/03/17 07:56:12 1#101 [debug] POST /control/tls/validate` `2021/03/17 07:56:15 1#103 [debug] POST /control/tls/validate` `2021/03/17 07:56:15 1#105 [debug] POST /control/tls/validate` `2021/03/17 07:56:47 1#107 [debug] POST /control/tls/validate` `2021/03/17 07:56:52 1#109 [debug] POST /control/tls/validate` `2021/03/17 07:56:52 1#111 [debug] POST /control/tls/validate` `2021/03/17 07:56:54 1#113 [debug] POST /control/tls/validate` It does seem to come down to a symlink issue though. Hopefully this will help get it figured out. ![Screenshot 2021-03-17 012226](https://user-images.githubusercontent.com/447759/111437749-ae3ce000-86c0-11eb-8d43-f0974cdd25b1.jpg) The check of the log file was just to make sure my command was working. As you can see, `test` returns false for both of the standard files, I'm guessing because they're symlinks, while `priv-fullchain-bundle.pem` is not and tests true. I figured I'd also through in my docker-compose file in case it was a permission issue or I could update my volume mappings to fix the issue. I could probably point to the `../../archive` directory instead but I believe that the specific paths there are supposed to change over time so at that point I might as well paste the keys in.
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@ameshkov commented on GitHub (Mar 17, 2021):

Yeah, symlink explains that.

@ameshkov commented on GitHub (Mar 17, 2021): Yeah, symlink explains that.
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@ainar-g commented on GitHub (Jun 3, 2021):

This will be done together with #2902 and #2554.

@ainar-g commented on GitHub (Jun 3, 2021): This will be done together with #2902 and #2554.
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@eagle470 commented on GitHub (Mar 26, 2024):

I'm currently running into this issue and it's driving me nuts. Any chance this is going to be resolved anytime soon?

@eagle470 commented on GitHub (Mar 26, 2024): I'm currently running into this issue and it's driving me nuts. Any chance this is going to be resolved anytime soon?
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@winnie-sg commented on GitHub (May 3, 2024):

I'm currently running into this issue and it's driving me nuts. Any chance this is going to be resolved anytime soon?

So am I. Have you managed to resolve it?

@winnie-sg commented on GitHub (May 3, 2024): > I'm currently running into this issue and it's driving me nuts. Any chance this is going to be resolved anytime soon? So am I. Have you managed to resolve it?
deekerman commented 2026-03-04 02:07:51 -05:00
Author
Owner
Copy link

@ArmedSnail commented on GitHub (Mar 23, 2025):

just ran into this, is there any timeframe/workaround yet?

I could copy the files via cronjob but it feels like an unnecessary complicated solution.

@ArmedSnail commented on GitHub (Mar 23, 2025): just ran into this, is there any timeframe/workaround yet? I could copy the files via cronjob but it feels like an unnecessary complicated solution.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
AGDNS-3523-upd-dnsproxy-middlewares
ADG-11407-add-docker-release
AGDNS-3535-upd-urlfilter
AGDNS-3684-fix-tls-status
beta-v0.107
release-v0.107.72
ADG-10306
beta-v0.108
ADG-10291
upd-url-filter
release-v0.107.71
release-v0.107.70
ADG-10301
ADG-8560-react-update
ADG-8560-graph-fix
release-v0.107.69
release-v0.107.68
release-v0.107.67
release-v0.107.66
ADG-10295
release-v0.107.65
release-v0.107.64
release-v0.107.63
release-v0.107.62
release-v0.107.61
release-v0.107.60
release-v0.107.59
release-v0.107.58
ADG-9783
ADG-1-utils-bundle-update
ADG-9415
release-v0.107.57
ADG-9565
release-v0.107.56
release-v0.107.55
release-v0.107.54
release-v0.107.53
infra-fix
upd-locales
release-v0.107.52
release-v0.107.51
AGDNS-2184-adguard-home
AG-32410-upd-dnsproxy
release-v0.107.50
release-v0.107.49
release-v0.107.48
release-v0.107.47
release-v0.107.46
release-v0.107.45
release-v0.107.44
release-v0.107.43
release-v0.107.42
6263-custom-ups-cache
release-v0.107.41
6399-fix-ups-check
release-v0.107.40
release-v0.107.39
release-v0.107.38
release-v0.107.37
6099-check-port-install
release-v0.107.36
release-v0.107.35
6006-refactor-client-lookup
release-v0.107.34
AG-23822
release-v0.107.33
3389-querylog-export
release-v0.107.32
fix-templates
release-v0.107.31
release-v0.107.30
5799-allowed-clients
5347-wildcard-interference
release-v0.107.29
AG-21485
release-v0.107.28
release-v0.107.27
release-v0.107.26
release-v0.107.25
release-v0.107.24
4728-cap-check
release-v0.107.23
release-v0.107.22
2499-rewrites-3
release-v0.107.21
release-v0.107.20
release-v0.107.19
4927-refactor-tls
release-v0.107.18
release-v0.107.17
release-v0.107.16
release-v0.107.15
websvc-confin-manager
release-v0.107.14
2926-lla-ipv6
4926-scroll
release-v0.107.13
release-v0.107.12
release-v0.107.11
release-v0.107.10
release-v0.107.9
WIP-upd-urls
release-v0.107.8
release-v0.107.7
release-v0.107.6
release-v0.107.5
release-v0.107.4
release-v0.107.3
release-v0.107.2
release-v0.107.1
release-v0.107.0
fix-stats-layout
beta-v0.106
release-v0.106.3
release-v0.106.2
release-v0.106.1
fix-client2-generator
dsheets-ipset-subs
fix-context
2044-gc
1691-clear-leases-v2
v0.107.72
v0.108.0-b.82
v0.108.0-b.81
v0.107.71
v0.108.0-b.80
v0.107.70
v0.108.0-b.79
v0.107.69
v0.108.0-b.78
v0.107.68
v0.108.0-b.77
v0.107.67
v0.108.0-b.76
v0.107.66
v0.108.0-b.75
v0.107.65
v0.108.0-b.74
v0.108.0-b.73
v0.107.64
v0.108.0-b.72
v0.107.63
v0.108.0-b.71
v0.107.62
v0.108.0-b.70
v0.108.0-b.69
v0.107.61
v0.108.0-b.68
v0.108.0-b.67
v0.107.60
v0.108.0-b.66
v0.107.59
v0.108.0-b.65
v0.107.58
v0.108.0-b.64
v0.107.57
v0.108.0-b.63
v0.107.56
v0.108.0-b.62
v0.107.55
v0.108.0-b.61
v0.108.0-b.60
v0.107.54
v0.108.0-b.59
v0.107.53
v0.108.0-b.58
v0.107.52
v0.108.0-b.57
v0.107.51
v0.108.0-b.56
v0.107.50
v0.107.49
v0.108.0-b.55
v0.107.48
v0.107.47
v0.107.46
v0.108.0-b.54
v0.107.45
v0.108.0-b.53
v0.107.44
v0.108.0-b.52
v0.107.43
v0.108.0-b.51
v0.107.42
v0.108.0-b.50
v0.108.0-b.49
v0.107.41
v0.107.40
v0.108.0-b.48
v0.108.0-b.47
v0.107.39
v0.108.0-b.46
v0.107.38
v0.108.0-b.45
v0.107.37
v0.108.0-b.44
v0.108.0-b.43
v0.107.36
v0.107.35
v0.108.0-b.42
v0.108.0-b.41
v0.107.34
v0.108.0-b.40
v0.108.0-b.39
v0.107.33
v0.108.0-b.38
v0.108.0-b.37
v0.107.32
v0.108.0-b.36
v0.107.31
v0.108.0-b.35
v0.107.30
v0.108.0-b.34
v0.107.29
v0.108.0-b.33
v0.107.28
v0.108.0-b.32
v0.107.27
v0.108.0-b.31
v0.108.0-b.30
v0.107.26
v0.108.0-b.29
v0.108.0-b.28
v0.107.25
v0.108.0-b.27
v0.107.24
v0.108.0-b.26
v0.107.23
v0.108.0-b.25
v0.107.22
v0.108.0-b.24
v0.107.21
v0.108.0-b.23
v0.107.20
v0.108.0-b.22
v0.107.19
v0.108.0-b.21
v0.107.18
v0.108.0-b.20
v0.107.17
v0.108.0-b.19
v0.108.0-b.18
v0.107.16
v0.108.0-b.17
v0.107.15
v0.108.0-b.16
v0.107.14
v0.108.0-b.15
v0.107.13
v0.108.0-b.14
v0.107.12
v0.108.0-b.13
v0.107.11
v0.108.0-b.12
v0.107.10
v0.108.0-b.11
v0.107.9
v0.108.0-b.10
v0.107.8
v0.107.7
v0.108.0-b.9
v0.108.0-b.8
v0.108.0-b.7
v0.108.0-b.6
v0.107.6
v0.108.0-b.5
v0.108.0-b.4
v0.107.5
v0.107.4
v0.108.0-b.3
v0.107.3
v0.108.0-b.2
v0.108.0-b.1
v0.107.2
v0.107.1
v0.107.0
v0.107.0-b.17
v0.107.0-b.16
v0.107.0-b.15
v0.107.0-b.14
v0.107.0-b.13
v0.107.0-b.12
v0.107.0-b.11
v0.107.0-b.10
v0.107.0-b.9
v0.107.0-b.8
v0.107.0-b.7
v0.107.0-b.6
v0.107.0-b.5
v0.107.0-b.4
v0.107.0-b.3
v0.107.0-b.2
v0.107.0-b.1
v0.106.3
v0.106.3-b.1
v0.106.2
v0.106.2-b.1
v0.106.1
v0.106.1-b.1
v0.106.0
v0.106.0-b.5
v0.106.0-b.4
v0.106.0-b.3
v0.106.0-b.2
v0.106.0-b.1
v0.105.2
v0.105.2-beta.1
v0.105.1
v0.105.1-beta.1
v0.105.0
v0.105.0-beta.5
v0.105.0-beta.4
v0.105.0-beta.3
v0.105.0-beta.2
v0.105.0-beta.1
v0.104.3
v0.104.2
v0.104.1
v0.104.0
v0.104.0-beta3
v0.104.0-beta2
v0.104.0-beta1
v0.103.3
v0.103.2
v0.103.1
v0.103.0
v0.103.0-beta3
v0.103.0-beta2
v0.103.0-beta1
v0.102.0
v0.101.0
v0.100.9
v0.100.8
v0.100.7
v0.100.6
v0.100.5
v0.100.4
v0.100.3
v0.100.2
v0.100.1
v0.100.0
v0.99.3
v0.99.2
v0.99.1
v0.99.0
v0.98.1
v0.98.0
v0.97.1
v0.97.0
v0.96-hotfix
v0.96
v0.95-hotfix
v0.95
v0.94
v0.93
v0.92-hotfix2
v0.92-hotfix1
v0.92
v0.91
v0.9-hotfix1
v0.9
v0.1
Labels
Clear labels   
P1: Critical

   
P2: High

   
P3: Medium

   
P4: Low

   
UI

   
bug

   
cannot reproduce

   
compatibility

   
dependencies

   
docker

   
documentation

   
duplicate

   
enhancement

   
enhancement

   
external libs

   
feature request

   
good first issue

   
help wanted

   
infrastructure

   
invalid

   
localization

   
needs investigation

   
performance

   
potential-duplicate

   
question

   
recurrent

   
research

   
snap

   
waiting for data

   
wontfix
No labels
P1: Critical
P2: High
P3: Medium
P4: Low
UI
bug
cannot reproduce
compatibility
dependencies
docker
documentation
duplicate
enhancement
enhancement
external libs
feature request
good first issue
help wanted
infrastructure
invalid
localization
needs investigation
performance
potential-duplicate
question
recurrent
research
snap
waiting for data
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/AdGuardHome#2569
No description provided.