Pihole behind Nginx sudden routing issue
from AbsolutelyClawless@piefed.social to selfhosted@lemmy.world on 21 Jun 14:47
https://piefed.social/c/selfhosted/p/2155952/pihole-behind-nginx-sudden-certificate-issue

I’ve been racking my brain the whole afternoon trying to figure out why, when I try to access my Pihole over the Web GUI, I’m suddenly met with a SEC_ERROR_UNKNOWN_ISSUER error.

My setup:

This worked perfectly fine until several days ago (well, that’s when I noticed the issue). Now whenever I try to access Pihole over its FQDN (https://pihole.my.domain), I get the above error. The reason is mismatched certs, i.e. my browser fetches Pihole’s self-signed cert and doesn’t see my domain’s cert at all. However, this shouldn’t be happening at all. Nginx conf points to Pihole’s port 80, not port 443. To further confirm this, I temporarily disabled port 443 on the Pihole and only served on port 80, which made Pihole web inaccessible over Nginx. I thought maybe Unifi is the culprit, but I can still reach the Web GUI over http://pihole.my.domain and http://pihole-IP through my browser. I have several other apps on the server that use port 80, and Nginx has no issue routing them.

Does anyone have any idea what might be happening here?

#selfhosted


folekaule@lemmy.world on 21 Jun 15:03

Can you confirm that the DNS actually resolves to the NGINX IP address (and only that address) when you use PiHole’s FQDN? It sounds like it’s bypassing the proxy because it stopped working when you turned 443 off.

AbsolutelyClawless@piefed.social on 21 Jun 15:22

The FQDN resolves fine. I can still reach Pihole over https://pihole.my.domain and click on “Proceed to pihole.my.domain (Risky)”, but the browser fetches Pihole’s self-signed certificate instead of my.domain and throws a warning about certificate validity. Which it absolutely shouldn’t, because Nginx conf for Pihole points to port 80, not port 443.

AbsolutelyClawless@piefed.social on 21 Jun 15:27

Hm, looks like you’re right. For some reason it’s completely bypassing Nginx. Traceroute to all my other proxied services points to nginx.my.domain, except pihole, which points to pihole.my.domain. There have been no changes to my configuration, this is odd.

Edit: Local DNS Record for pihole.my.domain still points to nginx.my.domain.

folekaule@lemmy.world on 21 Jun 15:36

What is your DNS setup like? A lot of DHCP clients are set up to register their name in DNS (if allowed). It could be that your pihole server is hijacking it.

If you have multiple DNS servers (e.g. your home router and your lab) then you may not be getting the full picture.
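An added example (not from either poster) of the check suggested above: ask each DNS server directly, rather than going through the system resolver, what a proxied FQDN resolves to, and flag any name that does not come back as the reverse proxy’s address. It builds and parses the DNS A query on the wire itself so no third-party library is needed; the server and proxy addresses in the sample data are constructed placeholders.

```python
import random
import socket
import struct

def build_query(name, qid):
    """Minimal DNS A/IN query with the RD bit set (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    while True:  # advance past a (possibly compressed) domain name, return the new offset
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg, qid):
    """IPv4 addresses from the answer section; [] on id mismatch or error RCODE."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid or flags & 0x000F != 0:
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_via(name, server, timeout=2.0):
    """Ask one specific DNS server (not the system resolver) for the A records of name."""
    qid = random.randint(0, 0xFFFF)  # random id so a stray/spoofed reply is ignored
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)

def find_bypasses(answers, proxy_ip):
    """answers: {server: {fqdn: [ips]}} -> (server, fqdn, ips) for names not resolving to the proxy."""
    return [(srv, fqdn, ips) for srv, names in answers.items()
            for fqdn, ips in names.items() if ips != [proxy_ip]]
```

To run it against a real setup, build the `answers` dict with `resolve_via(fqdn, server)` for every proxied FQDN and every DNS server on the network, then pass nginx’s address as `proxy_ip`; anything returned is a name that is reaching a backend directly, which is exactly when the browser sees the backend’s own certificate.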

AbsolutelyClawless@piefed.social on 21 Jun 15:49

Pihole is my DNS server (Unbound + Local).

I fixed it? After the issue appeared I changed the Raspi’s hostname to the FQDN, i.e. pihole.my.domain. So it sort of makes sense that it bypassed Nginx. I changed it back to how it was before (just “pihole”, and instead of my.domain I added “home.arpa” as the local domain). And now it’s back to normal. Which makes about zero sense to me, because I basically just changed it back to how it was both before and after the issue started.

Thanks for the help! It didn’t even occur to me to look if Nginx was being bypassed.

folekaule@lemmy.world on 21 Jun 16:37

Glad you got it working!

My hypothesis is that it was DNS (channeling Jeff Geerling here). Since Pihole is your DNS (makes sense), it may have recognized that address as its own and given you its IP. By resolving the naming collision, you fixed the problem because the name is now unambiguous.

These problems can happen very easily when you’re using DHCP and sharing a network and domain name between your clients and upstreams, so I think using home.arpa for one and your other domain for the other was a good idea.

AbsolutelyClawless@piefed.social on 21 Jun 18:11

The bizarre thing is I already had it set up in a way it shouldn’t have hijacked it. Worked perfectly fine for a long time. Evil DNS forces at it again!