Inspired by this blog post: "Be the LetsEncrypt in your homelab with step-ca" (Jan Wildeboer's Blog), I've set up a local CA for my homelab.
Here's how I got TLS certificate issuing and renewal working on my Pi-hole instance running in an Alpine Linux VM.
To manage the certificates I'm using acme.sh, which is available in Alpine Linux's package repositories.
To be able to use the HTTP challenge, port 80 must first be removed from the Pi-hole configuration, because acme.sh in standalone mode starts its own listener on port 80 to answer the challenge and that port must be free: in All Settings -> Webserver and API -> webserver.port remove the references to port 80.
Then, as root, issue the following command:
alpine:~# /usr/bin/acme.sh --issue --server 'https://ca.yourcahostname.internal:4443/acme/acme/directory' -d 'pi.hole' --standalone --certpath /etc/pihole/tls.crt --keypath /etc/pihole/cert.key --capath /etc/pihole/tls_ca.crt
For Pi-hole, the file /etc/pihole/tls.pem must also include the private key, as reported here: "Custom TLS for Pihole v6 - how to install your own certificate?"
alpine:~# cat /etc/pihole/cert.key /etc/pihole/tls.crt /etc/pihole/tls_ca.crt > /etc/pihole/tls.pem
Then restart the pihole-FTL service:
alpine:~# rc-service pihole-FTL restart
To ensure automatic certificate renewal, install the cron job:
alpine:~# acme.sh --install-cronjob
Then create a script at /root/.acme.sh/post_renew.sh to be executed after each renewal:
#!/bin/sh
/bin/cat /etc/pihole/cert.key /etc/pihole/tls.crt /etc/pihole/tls_ca.crt > /etc/pihole/tls.pem
/sbin/rc-service pihole-FTL restart
Make it executable with chmod +x /root/.acme.sh/post_renew.sh, then edit the domain configuration file /root/.acme.sh/pi.hole_ecc/pi.hole.conf (the _ecc suffix is there because acme.sh issues ECC keys by default) to register the script as the post-renewal hook:
Le_RenewHook='/root/.acme.sh/post_renew.sh'
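Since tls.pem contains the private key, I prefer a slightly more careful hook than a plain cat: it checks that all three inputs exist and carry the expected PEM markers, writes the bundle with mode 0600 from the start instead of relying on the umask, replaces the old file atomically, and restarts pihole-FTL only if the bundle was built. This is an added example, not the script from the original post nor code from acme.sh or Pi-hole; the function names and the "run" argument are my own choices, the file paths are the ones used above.

```shell
#!/bin/sh
# Hardened post-renew hook for acme.sh on Pi-hole (added example).
# Paths are the ones used in this post; function names and the "run"
# argument are assumptions of this example.

# has_marker FILE MARKER: succeed if FILE exists, is non-empty and contains MARKER
has_marker() {
    [ -s "$1" ] && grep -q -- "$2" "$1"
}

# build_pihole_pem KEY CERT CA OUT
# Concatenates in the order Pi-hole expects (private key first, then the leaf
# certificate, then the issuing CA) into a temp file next to OUT and renames
# it into place. Returns 1 without touching OUT if any input is missing or
# does not look like PEM, so a broken renewal never replaces a working bundle.
build_pihole_pem() {
    key=$1; cert=$2; ca=$3; out=$4
    has_marker "$key"  "-----BEGIN .*PRIVATE KEY-----" || { echo "bad key: $key" >&2; return 1; }
    has_marker "$cert" "-----BEGIN CERTIFICATE-----"   || { echo "bad cert: $cert" >&2; return 1; }
    has_marker "$ca"   "-----BEGIN CERTIFICATE-----"   || { echo "bad CA: $ca" >&2; return 1; }

    tmp="$out.tmp.$$"
    # The bundle carries the private key: create it unreadable to others from
    # the first byte rather than fixing permissions afterwards.
    (umask 077 && cat "$key" "$cert" "$ca" > "$tmp") || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"
}

# Entry point used when acme.sh runs this file as the renew hook. The guard
# keeps the functions side-effect free when the file is sourced or tested.
if [ "${1:-}" = "run" ]; then
    build_pihole_pem /etc/pihole/cert.key /etc/pihole/tls.crt /etc/pihole/tls_ca.crt /etc/pihole/tls.pem \
        && /sbin/rc-service pihole-FTL restart
fi
```

With this variant the hook line becomes Le_RenewHook='/root/.acme.sh/post_renew.sh run'; acme.sh evaluates the hook string with the shell, so the argument is passed through. A failed build leaves the previous tls.pem and the running service untouched and prints the reason to stderr, which ends up in the acme.sh cron log.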
If your local CA's root certificate is installed in your system's trust store, Pi-hole's web interface should now present a valid HTTPS certificate.