SSL certificate in AGH invalid

I am trying to set up SSL encryption for local requests between clients and the AGH server. I was able to generate a free certificate using ZeroSSL. Upon entering the path for the certificate, I get an error stating that the certificate chain is invalid. However, it shows the private key as being correct and valid (click image to see all details):

I do have a fully qualified domain name for use in this scenario.

What might I be missing? Is there anything that I need to modify within the DNS records of my domain name?

You need to add the CA cert into the chain as well, so the crt file should contain the CA of ZeroSSL and your server crt.

Hi admon,

Thank you for replying. So I used the ca_bundle.crt file that had both CAs and I was able to get a valid certificate chain. The error I am now facing is that the private key does not match the public key. Why is that?

You need to put your certificate and ca-chain in 1 file. That private key does not match the first certificate of your certificate chain. Is the first certificate in that file yours or of the CA? (Looking at the data it is your CA’s)

When I generated the certificate, I received 3 files. One named certificate.crt, another named ca_bundle.crt (I’m assuming this is the combined file you are talking about) and the third file is private.key.

Also wondering if I’m required to/should set a server name or is that not necessary?

So in this case, make a file with the contents of “certificate.crt” followed by the contents of “ca_bundle.crt”. That is the “certificates” it needs. The “private.key” should then be fine.

You could set the server name to what domain your certificate is issued for if you like.

I have a folder on the router located at /etc/AdGuardHome/certificates. Within this folder I have both ca_bundle.crt and certificate.crt, along with private.key. Are you saying to remove the private.key file from this folder? Upon doing so, the chain becomes invalid.

cat /etc/AdGuardHome/certificates/certificate.crt /etc/AdGuardHome/certificates/ca_bundle.crt > /etc/AdGuardHome/certificates/certificate_bundle.crt

That way /etc/AdGuardHome/certificates/certificate_bundle.crt contains both the contents of /etc/AdGuardHome/certificates/certificate.crt and /etc/AdGuardHome/certificates/ca_bundle.crt, which together form the certificate chain that Adguard needs.

Once you made that certificate bundle (By simple putting the contents of 2 file into 1 new file), AdGuard should no longer complain that your certificate chain is invalid and no longer complain that your private key does not match your certificate.

Thank you! It looks like this finally worked after putting the contents of the certificate.crt file before the contents of ca_bundle.crt within one file. However, AdGuard login is still showing as unsecure, and browser warning for invalid certificate is still showing after router restart. Thoughts?

Is there a way to apply this certificate to the router login page as well?

There is by replacing the nginx cert. But it’s not needed since it’s not insecure. I would simply ignore it, tbh.


Thanks admon. Even though everything appears to be setup properly on the Encryption settings page, it doesn’t appear that my local client DNS requests are going out via DoH. Do I need to do anything else in order to get it working? The query log still shows the protocol as plain DNS.

Does your local client support DoH?

I would think so, it’s a Mac Studio.

Not sure how to force DoH on macOS, sorry :frowning: