Reread TLS certificates in the background #3270

Closed
opened 2026-03-04 03:19:06 -05:00 by deekerman · 16 comments
Owner

Originally created by @laurentftech on GitHub (Dec 19, 2021).

Originally assigned to: @EugeneOne1 on GitHub.

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Issue Details

I am using Caddyserver to renew my TLS certificates automatically. It seems they are renewed every 12 hours, with very small overlap in validity (I don't know if it is possible to change that). After 12 hours, when I try to log in to the AGH front end, Safari warns me that the certificate has expired and that the connection is not safe. If I open the site anyway, the first page tells me that the certificate has expired (see attached).
The renewed certificate is only taken into account when I go to the encryption settings page (where I have the path to the certificate and key).

  • Version of AdGuard Home server:
    • v0.106.3
  • How did you install AdGuard Home:
    • Docker
  • How did you setup DNS configuration:
    • IoT
  • If it's a router or IoT, please write device model:
    • NAS

Expected Behavior

Renewed TLS certificate to be taken into account in the background.

Actual Behavior

Renewed TLS certificate seems to be only taken into account when opening the encryption settings page.

Screenshots

Screenshot:

https://user-images.githubusercontent.com/44120190/146668658-d16e8ca6-8fec-4562-a5f5-35ae0b10974f.png

Additional Information


@ainar-g commented on GitHub (Dec 20, 2021):

The TLS certs are currently only updated when you either resave the encryption settings from the UI, or when you send SIGHUP to AGH.

@ameshkov, do we want some kind of background schedule to reload TLS certs in the future design / refactoring?


@ameshkov commented on GitHub (Dec 27, 2021):

@ainar-g yeah, it makes sense to me.


@nuka-cola commented on GitHub (Apr 10, 2023):

I know that this is a slightly off-topic question, but if I am using AdGuard Home via Snap, where is the ideal place to store the Let's Encrypt certificates so that the snap container has access?


@ameshkov commented on GitHub (Apr 16, 2023):

@nuka-cola

Somewhere inside this directory:
/var/snap/adguard-home/current

For AGH running in a snap this would be the cwd directory.
I.e. you can specify the path to the certificate as ./cert.crt


@xlionjuan commented on GitHub (May 13, 2025):

This becomes more important when Let's Encrypt's 6-day certificates become available.

https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/


@xlionjuan commented on GitHub (Jul 6, 2025):

Let's Encrypt will ship IP certificates and 6-day certificates later this year.

https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/


@xlionjuan commented on GitHub (Dec 3, 2025):

Let's Encrypt will ship IP certificates and 6-day certificates soon; this is mandatory.


@cigarzh commented on GitHub (Jan 14, 2026):

I’m having the same problem.


@EugeneOne1 commented on GitHub (Feb 9, 2026):

@laurentftech, and anyone else who's interested: We've finally implemented background TLS certificate and key refreshing. This feature is currently available in the latest beta release (v0.108.0-b.82). Could you please try it out and provide some feedback?

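The thread does not show how AdGuard Home's reloader detects a renewed pair, and the example below is not the project's code. It is an added illustration, in Go (the language AGH is written in), of the usual way to implement background refresh: a `tls.Config` whose `GetCertificate` callback stats the certificate file on every handshake and re-reads both PEM files when the mtime changes, keeping the old pair in service if the new files fail to load (most ACME clients write the certificate and the key as two separate files, so a handshake can land between the two writes). The file names, the host name `agh.example`, and the self-signed test pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync"
	"time"
)

// certReloader hands the current pair to the TLS stack and re-reads the PEM
// files when the certificate file's mtime changes. One stat per handshake is
// cheap and notices a file renamed into place as well as one rewritten in place.
type certReloader struct {
	certFile, keyFile string
	mu                sync.RWMutex
	cert              *tls.Certificate
	modTime           time.Time
}

// reload records the mtime only after both files load and match, so a
// half-written renewal keeps the old pair in service and is retried later.
func (r *certReloader) reload() error {
	st, err := os.Stat(r.certFile)
	if err != nil {
		return err
	}
	cert, err := tls.LoadX509KeyPair(r.certFile, r.keyFile)
	if err != nil {
		return err
	}
	r.mu.Lock()
	r.cert, r.modTime = &cert, st.ModTime()
	r.mu.Unlock()
	return nil
}

// getCertificate is the tls.Config callback; the hello is unused and may be nil.
func (r *certReloader) getCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if st, err := os.Stat(r.certFile); err == nil {
		r.mu.RLock()
		changed := !st.ModTime().Equal(r.modTime)
		r.mu.RUnlock()
		if changed {
			_ = r.reload() // on failure keep serving the previous pair
		}
	}
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

func (r *certReloader) tlsConfig() *tls.Config {
	return &tls.Config{GetCertificate: r.getCertificate, MinVersion: tls.VersionTLS12}
}

// writeSelfSigned writes a throwaway self-signed pair (constructed test data,
// not a CA-issued certificate) valid for the given window; it panics on error.
func writeSelfSigned(certFile, keyFile, host string, notBefore, notAfter time.Time) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	must(err)
	must(os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
	must(os.WriteFile(certFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644))
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	dir, err := os.MkdirTemp("", "agh-tls")
	must(err)
	defer os.RemoveAll(dir)
	cf, kf := dir+"/cert.pem", dir+"/key.pem"
	writeSelfSigned(cf, kf, "agh.example", time.Now(), time.Now().Add(12*time.Hour))
	r := &certReloader{certFile: cf, keyFile: kf}
	must(r.reload())
	c, _ := r.tlsConfig().GetCertificate(nil)
	leaf, _ := x509.ParseCertificate(c.Certificate[0])
	fmt.Println("serving leaf valid until", leaf.NotAfter.UTC().Format(time.RFC3339))
}
```

`tlsConfig()` is what goes into `http.Server{TLSConfig: ...}` or `tls.Listen`; with `GetCertificate` set, `ListenAndServeTLS("", "")` needs no file arguments. Before v0.107.72 the equivalent was an external deploy hook that sent `SIGHUP` after each renewal (for the Docker image, `docker kill -s HUP <container>`), as ainar-g's comment describes. Either way, verify after a renewal that the served leaf changed, not just the file on disk: `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -enddate`.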

@xlionjuan commented on GitHub (Feb 9, 2026):

> @laurentftech, and anyone else who's interested: We've finally implemented background TLS certificate and key refreshing. This feature is currently available in the latest beta release (v0.108.0-b.82). Could you please try it out and provide some feedback?

Will volumes mounted as :ro affect filesystem watching? Or how is the reload triggered?


@EugeneOne1 commented on GitHub (Feb 10, 2026):

@xlionjuan, Docker installations will only detect changes to the file system if you mount the entire directory. However, the :ro modifier is fine.


@xlionjuan commented on GitHub (Feb 10, 2026):

I mount it as a directory, not a single file, but it seems the file changes are not detected.


@xlionjuan commented on GitHub (Feb 10, 2026):

I'm creating the container with read_only: true; will the detection mechanism need the ability to write somewhere?


@EugeneOne1 commented on GitHub (Feb 10, 2026):

@xlionjuan, as far as I know, the detection mechanism shouldn't write anything. Unfortunately, we'll need more details about your setup. Could you please file a separate issue with additional information about the environment in which you're running AdGuard Home?

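The directory-mount requirement, the `:ro` answer and the `read_only: true` question above come down to one Docker detail: a bind mount of a single file pins the inode that existed when the container started. Renewal tools such as Caddy write the new certificate to a temporary file and rename it over the old name, so the host directory gets a new inode while the container keeps reading the old, expiring file, and neither an inotify watch nor an mtime check inside the container can see the change. Mounting the directory makes the rename visible. The compose fragment below is an added example, not from the thread or the project; the host path `/etc/caddy/certs` is a placeholder for wherever your ACME client stores the pair, and `/opt/adguardhome/work` and `/opt/adguardhome/conf` are the two writable volumes the official image documents.

```yaml
services:
  adguardhome:
    image: adguard/adguardhome
    # Weak: a single-file bind mount freezes the inode, so the container never
    # sees a renewal that was renamed into place. Do not do this:
    #   - /etc/caddy/certs/cert.pem:/certs/cert.pem:ro
    #   - /etc/caddy/certs/key.pem:/certs/key.pem:ro
    volumes:
      # Corrected: mount the whole directory; :ro is fine because the change
      # detection only reads. Point the encryption settings at
      # /certs/cert.pem and /certs/key.pem.
      - /etc/caddy/certs:/certs:ro
      # These two must stay writable even with read_only: true below, since
      # AdGuard Home writes its config and data there.
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
    # Read-only root filesystem; the cert watcher needs no write access, so this
    # is compatible with background refresh.
    read_only: true
```

If the container refuses to start under `read_only: true`, its log names the path it tried to write; give that path a volume or a tmpfs rather than dropping the read-only root. After the next renewal, confirm the new leaf is served (for example with `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -enddate`) rather than only checking the file on the host.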

@EugeneOne1 commented on GitHub (Feb 19, 2026):

This feature is available in version v0.107.72. Please file separate issues for any problems. We'll close this issue for now.

Reference
starred/AdGuardHome#3270