Not able to update even via cli, got error tls: failed to verify certificate: x509: certificate signed by unknown authority #7002

Closed
4 tasks done
KetanM94 opened this issue May 16, 2024 · 9 comments

KetanM94 commented May 16, 2024

Prerequisites

Platform (OS and CPU architecture)

Custom (please mention in the description)

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

0.107.48

Action

I'm running AdGuardHome in Termux on an Android device (ARMv7). I'm using the Linux ARMv7 build.
I am unable to update via the Web UI, so I tried using the CLI command to update, but got a tls: failed to verify certificate: x509: certificate signed by unknown authority error. I can't update the filters either.

Expected result

~ $ AdGuardHome/AdGuardHome --update
2024/05/16 03:44:32.463976 [info] AdGuard Home, version v0.107.48
2024/05/16 03:44:32.485535 [info] tls: using default ciphers
2024/05/16 03:44:32.491837 [info] safesearch default: disabled
2024/05/16 03:44:32.496500 [info] dnsproxy: cache: enabled, size 4096 b
2024/05/16 03:44:32.496893 [info] dnsproxy: max goroutines is set to 300
2024/05/16 03:44:32.498506 [info] dnsproxy: cache: disabled
2024/05/16 03:44:32.498720 [info] Ratelimit is enabled and set to 100 rps, IPv4 subnet mask len 24, IPv6 subnet mask len 56
2024/05/16 03:44:32.498797 [info] dnsproxy: server will refuse requests of type ANY
2024/05/16 03:44:32.498852 [info] dnsproxy: cache: enabled, size 4000000 b
2024/05/16 03:44:32.498908 [info] dnsproxy: max goroutines is set to 300
2024/05/16 03:44:32.499129 [info] cmdline update: performing update
2024/05/16 03:44:32.499323 [info] clients: processing addresses
2024/05/16 03:44:33.129739 [info] no updates available

Actual result

~ $ AdGuardHome/AdGuardHome --update
2024/05/16 03:37:43.516501 [info] AdGuard Home, version v0.107.48
2024/05/16 03:37:43.555290 [info] tls: using default ciphers
2024/05/16 03:37:43.562743 [info] safesearch default: disabled
2024/05/16 03:37:43.569751 [info] dnsproxy: cache: enabled, size 4096 b
2024/05/16 03:37:43.570219 [info] dnsproxy: max goroutines is set to 300
2024/05/16 03:37:43.575992 [info] dnsproxy: cache: disabled
2024/05/16 03:37:43.576614 [info] Ratelimit is enabled and set to 100 rps, IPv4 subnet mask len 24, IPv6 subnet mask len 56
2024/05/16 03:37:43.576926 [info] dnsproxy: server will refuse requests of type ANY
2024/05/16 03:37:43.577298 [info] dnsproxy: cache: enabled, size 4000000 b
2024/05/16 03:37:43.577598 [info] dnsproxy: max goroutines is set to 300
2024/05/16 03:37:43.578408 [info] cmdline update: performing update
2024/05/16 03:37:43.578600 [info] clients: processing addresses
2024/05/16 03:37:43.942643 [error] getting version info from https://static.adtidy.org/adguardhome/release/version.json: updater: HTTP GET https://static.adtidy.org/adguardhome/release/version.json: Get "https://static.adtidy.org/adguardhome/release/version.json": tls: failed to verify certificate: x509: certificate signed by unknown authority

Additional information and/or screenshots

No response

Author

KetanM94 commented May 16, 2024

I tested with version 0.107.46 and can update through both the Web UI and the CLI. Seems like a regression.
I was able to update via the CLI on 0.107.48 by using this env variable: SSL_CERT_DIR="/system/etc/security/cacerts/".
~ $ SSL_CERT_DIR="/system/etc/security/cacerts/" AdGuardHome/AdGuardHome --update
Looks like the latest updates do not pick up the CA certificates path for Android.

KetanM94 reopened this May 16, 2024

FNsi commented May 17, 2024

How?
For me it's not working 😅

I updated to the last release (108 version) today to use QUIC on my old 3.xx kernel, but it didn't work,

and I feel so bad, it made x509 unknown authority even in my normal DNS server queries

What a surprise 🙅

Author

KetanM94 commented May 17, 2024

@FNsi
Are you running in Termux?
Then you can just run it like this:
SSL_CERT_DIR="/system/etc/security/cacerts/" /path/to/AdGuardHome

If running as root in Termux then
sudo SSL_CERT_DIR="/system/etc/security/cacerts/" su -c /path/to/AdGuardHome

I'm running it on a 3.10 kernel, if that helps.


FNsi commented May 17, 2024

> If running as root in Termux then
> sudo SSL_CERT_DIR="/system/etc/security/cacerts/" su -c /path/to/AdGuardHome

Thank you, but not working for me. The problem is I was facing that one month ago, before updating. But I can query the DNS, only the filters are affected. Then, omg, after that update I still cannot use QUIC and I cannot query DNS even through a direct IP because of X509.

Author

KetanM94 commented May 17, 2024

> > If running as root in Termux then
> > sudo SSL_CERT_DIR="/system/etc/security/cacerts/" su -c /path/to/AdGuardHome
>
> Thank you, but not working for me. The problem is I was facing that one month ago, before updating. But I can query the DNS, only the filters are affected. Then, omg, after that update I still cannot use QUIC and I cannot query DNS even through a direct IP because of X509.

Then your issue might be different. You can try version 0.107.46. I don't know if that supports QUIC.


FNsi commented May 17, 2024

I removed the adgh from my old phone.

107.43 or older may somehow work (the one I used before today; I tried a lot of updates in January, like the situation I face today. Turns out I should use the very early version till the world ends....)
Thanks for your help!

Contributor

ainar-g commented May 17, 2024

@KetanM94, we do not support running AGH on Android, and the error seems to indicate an issue with the local TLS certificate storage. Please make sure that your root certificates are updated.

Also, in Go 1.22 that directory seems to be included by default:

> On Android, root certificates will now be loaded from /data/misc/keychain/certs-added as well as /system/etc/security/cacerts.

ainar-g closed this as completed May 17, 2024
ainar-g reopened this May 17, 2024
ainar-g closed this as completed May 17, 2024

Author

KetanM94 commented

> @KetanM94, we do not support running AGH on Android, and the error seems to indicate an issue with the local TLS certificate storage. Please make sure that your root certificates are updated.
>
> Also, in Go 1.22 that directory seems to be included by default:
>
> > On Android, root certificates will now be loaded from /data/misc/keychain/certs-added as well as /system/etc/security/cacerts.

Yes. I suspected the same and updated the root certificates. But even after that I got the same error.
I've been running AGH on Android for the last 3 years with no issues. The last working version was 0.107.46.
Will there be no support for Android in the future?


chermy commented May 23, 2024

Exactly the same issue here. Those "cacerts" can't be deleted and I don't know why; I tried turning off SELinux and failed, while other similar folders can be read and written. I'm running AdGuard Home under Magisk using the linux arm64 branch, and it has not worked since 0.107.47 was released.
I heard Let's Encrypt changed something at that time and I found a notice, https://blog.cloudflare.com/upcoming-lets-encrypt-certificate-chain-change-and-impact-for-cloudflare-customers, maybe it does matter? I have no idea because I'm not a pro with it, but it only affects old Android devices, such as Android 7 and before. I'm using crDroid A14...
