Certbot with Pihole

Hello Folks-

I'm trying to run the certbot challenge on a Pi that I've been using with Let's Encrypt for a little over a year. I just recently installed Pi-hole, so I am guessing that is why I am getting the error below when running the certbot challenge (I'm a total noob, so, well, guessing). I tried disabling Pi-hole with "pihole disable", but it appears that that just disables ad-blocking, not the DNS server itself. Is there a way to temporarily switch back to using my router's default as the DNS server for my Pi just while I run the challenge?

Expected Behaviour:

Pass certbot challenge

Actual Behaviour:

"Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6."

Pi-hole requires three ports:
53 for DNS
80 for HTTP
4711 for FTL

There are ways around this, but they generally involve a reverse proxy and are not officially supported.

Thank you for the response! Is there any way I can make them available just briefly? Some force stop of pihole or something.

If you want to briefly enable port 80 for the certbot challenge, then you can stop the lighttpd server that is holding that port. Try sudo systemctl stop lighttpd.service or if that does not work, try sudo service lighttpd stop.

That did it! Thank you both! Once I passed the challenge I restarted the service and reenabled pihole.


If it is a timed event, you could write a cron job to disable it and enable it again once completed. Just some food for thought to save you some time.

I use acme.sh (GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol). No need to use any ports, just use DNS mode and Cloudflare DNS.

Guessing you're using Let's Encrypt for a web cert. They expire every three months so you will have to go through this four times a year. Might want to cron job it to enable port 80, then renew your cert, then restart lighttpd. Also good to script it to email you with success or failure.

I have a default cron job installed for renewal:

$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

Could alter that last line into:

0 */12 * * * root service lighttpd stop && test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew || service lighttpd start

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && service lighttpd stop && certbot -q renew; service lighttpd start

But have to keep in mind that if the certbot package gets updated, the crontab could be defaulted again!

EDIT: I altered the crontab a bit, as you don't want lighttpd to be down for the whole "sleep int(rand(3600))" period.

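The "stop lighttpd, renew, restart, email the result" job that the two posts above sketch, written out as a script for the root crontab instead of a one-liner. This is an added example, not code from the thread or from the Pi-hole or certbot projects; it assumes a Debian-style "service" command, certbot on PATH, a local MTA so "mail" works, and that the file is saved as renew-with-pihole.sh.

```shell
#!/bin/sh
# Added example, not code from the thread: free port 80 for certbot's HTTP-01
# challenge by stopping Pi-hole's lighttpd only while "certbot renew" runs,
# restart it whatever certbot's exit status, and mail a one-line result.
# Assumes a Debian-style "service" command, certbot on PATH and a local MTA
# so "mail" works; the *_CMD variables can be overridden for other setups.

STOP_CMD=${STOP_CMD:-"service lighttpd stop"}
START_CMD=${START_CMD:-"service lighttpd start"}
RENEW_CMD=${RENEW_CMD:-"certbot -q renew"}
MAIL_TO=${MAIL_TO:-root}                   # recipient of the report
LOG=${LOG:-/var/log/certbot-renew.log}

# Random 0-3599 s delay, as the packaged cron entry does, so clients do not
# all hit Let's Encrypt at once. Done BEFORE stopping lighttpd, so the Pi-hole
# web UI is not down during the wait.
jitter() { perl -e 'sleep int(rand(3600))'; }

# Stop lighttpd, renew, restart lighttpd, and return: 0 = renewed or nothing
# due, 2 = could not stop lighttpd, 3 = lighttpd did not come back, anything
# else = certbot's own non-zero exit. *_CMD are unquoted so they word-split.
renew_with_port80() {
    $STOP_CMD || return 2
    $RENEW_CMD
    status=$?
    $START_CMD || status=3
    return "$status"
}

# One-line summary used for the log and the mail subject.
report() {
    case "$1" in
        0) echo "certbot renew: OK, lighttpd restarted" ;;
        2) echo "certbot renew: SKIPPED, could not stop lighttpd" ;;
        3) echo "certbot renew: ran, but lighttpd failed to restart" ;;
        *) echo "certbot renew: FAILED (exit $1), lighttpd restarted" ;;
    esac
}

main() {
    jitter
    if renew_with_port80; then rc=0; else rc=$?; fi
    msg=$(report "$rc")
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$msg" >>"$LOG"
    printf '%s\n' "$msg" | mail -s "$msg" "$MAIL_TO"
    return "$rc"
}
# Run only when executed as renew-with-pihole.sh (e.g. from cron), not sourced.
[ "${0##*/}" = "renew-with-pihole.sh" ] && main
```

certbot's "renew" also accepts --pre-hook and --post-hook, which run only when a certificate is actually due, so the same stop/start pair can be handed to certbot directly instead of wrapping it in a script.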
