Can't enable https with self-signed certificate

Expected Behaviour:

I'm running my Pi-hole (Pi-hole v5.17.2, FTL v5.23 and Web Interface v5.20.2) on Ubuntu Server 22.04; this server is a Proxmox VM. I want to enable HTTPS access to the Pi-hole Admin-Web-Interface via a self-signed SSL certificate.

Actual Behaviour:

That's what I've done:

After trying a lot of things, it has been impossible to enable https for my Pi-hole.

Debug Token:

https://tricorder.pi-hole.net/glAQFC8n/

Thank you very much and best regards!! :smiley:

The file /etc/lighttpd/external.conf is not used if you did a fresh install (this file was used in older versions and will only be read if you are updating from versions prior to v5.15).

If you did a fresh install, every custom config file should be in /etc/lighttpd/conf-enabled/.

You can try to adapt the file you created and move it to: /etc/lighttpd/conf-enabled/20-pihole-external.conf (you can name the file as you like, but the files are loaded in alphabetical order).

Yeeeah, after fighting for one week, now it's working!!! 1.000.000 thanks for your help!!!!

That's what I've done:

  • I've created the folder /etc/lighttpd/ssl and ran the commands for the certificates:

    openssl req -newkey rsa:2048 -nodes -keyout pihole.key -x509 -days 365 -out pihole.crt

    cat pihole.key pihole.crt > combined.pem

  • Next, I've ensured the lighttpd user www-data can read the required certificates:

    sudo chown www-data -R /etc/letsencrypt/live

  • I've created the file /etc/lighttpd/conf-enabled/20-pihole-external.conf with this content inside:

    # Loading openssl
    server.modules += ( "mod_openssl" )

    setenv.add-environment = ("fqdn" => "true")
    $SERVER["socket"] == ":443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
    }

    # Redirect HTTP to HTTPS
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }

  • Finally, I've executed:
    systemctl restart lighttpd.service

And voilà, https enabled:

Again, @rdwebdesign thank you very much!! :smiley: :smiley:

Best regards.
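
An added example, not part of the thread: a shell sketch of the certificate steps that builds the combined.pem named in ssl.pemfile without prompts, limits who can read the private key, and checks that the key and certificate in the file belong together. The host name pi.hole, the function names and the directory argument are assumptions; on the server the directory would be /etc/lighttpd/ssl and the group www-data.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and arguments are assumptions.

# make_combined_pem DIR CN [GROUP]
# Creates DIR/pihole.key, DIR/pihole.crt and DIR/combined.pem (key + cert).
# Files are created owner-only; if GROUP is given, combined.pem becomes
# readable by that group (mode 640) so the web server can load it.
make_combined_pem() {
    dir=$1
    cn=$2
    group=${3:-}
    mkdir -p "$dir" || return 1
    (
        umask 077   # the key material is never world-readable, even briefly
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
            -keyout "$dir/pihole.key" -out "$dir/pihole.crt" 2>/dev/null &&
        cat "$dir/pihole.key" "$dir/pihole.crt" > "$dir/combined.pem"
    ) || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$dir/combined.pem" && chmod 640 "$dir/combined.pem"
    fi
}

# key_matches_cert PEM
# Succeeds only if the private key and the certificate inside PEM carry the
# same public key. A mismatch (for example, files from two different runs
# concatenated together) makes the TLS listener fail to start.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage on the server (run as root):
#   make_combined_pem /etc/lighttpd/ssl pi.hole www-data
#   key_matches_cert /etc/lighttpd/ssl/combined.pem && systemctl restart lighttpd.service
```
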