Wildcard SAN Certificate is not seen as matching a fqdn for webserver.domain #2277

Closed
RyeNCode opened this issue Feb 24, 2025 · 0 comments

@RyeNCode

Versions

  • Pi-hole: v6.0.4
  • AdminLTE: v6.0.1
  • FTL: v6.0.2

Platform

  • OS and version: 6.6.74+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.74-1+rpt1 (2025-01-27)
  • Platform: RaspberryPi

Expected behavior

When using a custom wildcard certificate, a configured domain that matches that wildcard's configured SAN should not produce a CERTIFICATE_DOMAIN_MISMATCH warning.
Certificate SAN: *.home.local
Configured webserver.domain in pihole.toml: "pihole.home.local"

Actual behavior / bug

When using a custom wildcard certificate, a matching configured domain results in a CERTIFICATE_DOMAIN_MISMATCH warning.

This occurs even when using the --read-x509 command line option:

$ pihole-FTL --read-x509 /certs/wildcard.home.local.pem
Reading certificate from /certs/wildcard.home.local.pem ...
Certificate (X.509):

  cert. version     : 3
  serial number     : 15:5F:E5:21:1F:1B:5C:64:B4:E7:B3:78:D9:B3:40:F4:72:D1:AD:7A
  issuer name       : ...snip..., CN=home.local
  subject name      : ...snip..., CN=*.home.local
  issued  on        : 2025-02-08 03:27:23
  expires on        : 2035-02-06 03:27:23
  signed using      : RSA with SHA-256
  RSA key size      : 2048 bits
  subject alt name  :
      dNSName : *.home.local

Public key (PEM):
-----BEGIN PUBLIC KEY-----
...snip...
-----END PUBLIC KEY-----

$ pihole-FTL --read-x509 /certs/wildcard.home.local.pem pihole.home.local
Reading certificate from /certs/wildcard.home.local.pem ...
Certificate does not match domain pihole.home.local

Steps to reproduce

Steps to reproduce the behavior:

  1. Create or use a wildcard certificate (e.g. placed at /certs/wild.card.home.local)
  2. Run $ pihole-FTL --read-x509 /certs/wildcard.home.local.pem pihole.home.local
  3. Observe that the certificate does not match the domain

Alternate:

  1. Create or use a wildcard certificate
  2. Configure Pi-hole to use the certificate by setting webserver.tls.cert to the wildcard certificate
  3. Restart the pihole-FTL service
  4. Observe the warning in the Web Interface Tools > Diagnostics: CERTIFICATE_DOMAIN_MISMATCH SSL/TLS certificate /certs/wildcard.home.local.pem does not match domain pihole.home.local!

Additional context

I traced into the x509.c source file. I believe the method check_wildcard_domain incorrectly uses the passed san_len as the number of characters to compare with strncasecmp. Since the characters to be compared are 1 character shorter than the full SAN (excluding the leading *), the length to be compared should also be shortened by 1 character.
The string ".home.local" is 11 characters without a null terminator. san_len is 12. strncasecmp is being asked to compare past the end of our domain and SAN.
