Custom TLS for Pihole v6 - how to install your own certificate?

I have been running my own TLS certificates on my network for a while, and they work well (See this old post):

Has anyone got their own certificates working with v6? (I haven't seen any posts suggesting anyone has a solution yet).

With pihole v6, all my old TLS updates fail to work - I was running the following script to keep my certificates up to date:

#!/bin/sh

# Stop lighttpd so certbot's standalone challenge can bind port 80:
/usr/sbin/service lighttpd stop

# Get a new cert (run every 16 hours via cron).
# Standalone mode is required so certbot itself can bind port 80; otherwise renewal fails.
sudo /usr/bin/certbot renew --preferred-challenges http --standalone

# Combine key and certificate into one file so the Pi-hole lighttpd can read it:
cat /etc/letsencrypt/live/primarydns.home.lan/privkey.pem \
    /etc/letsencrypt/live/primarydns.home.lan/cert.pem \
    | tee /etc/letsencrypt/live/primarydns.home.lan/combined.pem

# chown so the new file can be read by the webserver
chown www-data -R /etc/letsencrypt/live

# Restart lighttpd (is this truly needed?) - yes, because we had to stop it for the challenge!
/usr/sbin/service lighttpd start

So clearly, this is way out of date because so many things have changed. I have been unable to generate a new certificate because I am faced with a race condition - to create the new cert I need to free port 80 for the challenge with:

pseudocode:

#!/bin/sh

# Stopping FTL frees port 80 for the standalone challenge...
systemctl stop pihole-FTL.service
# ...but this fails because the above also kills DNS, so the CA can't find the system
sudo /usr/bin/certbot renew --preferred-challenges http --standalone

# <SOMETHING> = wherever v6 expects its TLS files (unknown at this point)
cp /etc/letsencrypt/live/raspprinter.home.lan/privkey.pem  /etc/pihole/<SOMETHING>
cp /etc/letsencrypt/live/raspprinter.home.lan/cert.pem     /etc/pihole/<SOMETHING>
cp /etc/letsencrypt/live/raspprinter.home.lan/combined.pem /etc/pihole/<SOMETHING>
chown www-data -R /etc/letsencrypt/live

systemctl start pihole-FTL.service

It may now be possible to use TXT records with the REST API - that was not possible with version 5 - I may need to adjust for that. Better than bringing the interface down.

There seems to be some progress in another topic: Own TLS certificate not used

Does that help a bit?! 🙂

So, next steps, I found that you can edit the ports that are running in /etc/pihole/pihole.toml

port = "443os" ### CHANGED, default = "80o,443os,[::]:80o,[::]:443os"

However, removing port 80 seems to have broken things. DNS still works, but the web interface does not. It throws a 403, so it is up, but not responding properly.

So, getting closer - I can at least renew the certificates when port 80 is down.

Yes! I have been referencing that thread; however, my use case is a little different as I am using passive certificate revocation, and I have my own CA.

I have used the Pi-Hole v6 Beta exclusively on port = 443os and it ran just fine, even after deleting the TLS files in /etc/pihole/ and then restarting pihole-FTL so it would generate a new certificate based on the Hostname + Domain settings values entered 🙂

What does your line look like in pihole.toml? If I remove port 80, it ceases working for me. I can use port 443 - but only when port 80 is enabled.

It was a Live ISO Testing Environment that's shut down now, so I can't tell you, sadly 🙁

IIRC it was this:

port = "443s"

🙂

The documentation of the webserver (Civetweb) software used by Pi-Hole mentions this too:


Ok, I think I got it - I may have had a typo? I went with 443s only, and it now works. As for making the certificate work, here is the basis of my cert renewal code:

#!/bin/sh

# Renew with the standalone HTTP-01 challenge (nothing else is listening on port 80 now):
sudo /usr/bin/certbot renew --preferred-challenges http --standalone

# hostname is raspprinter; join key and cert into one file:
cat /etc/letsencrypt/live/raspprinter.home.lan/privkey.pem \
    /etc/letsencrypt/live/raspprinter.home.lan/cert.pem \
    | tee /etc/letsencrypt/live/raspprinter.home.lan/combined.pem

# I created an ssl directory in pihole for this:
cp /etc/letsencrypt/live/raspprinter.home.lan/privkey.pem  /etc/pihole/ssl/
cp /etc/letsencrypt/live/raspprinter.home.lan/cert.pem     /etc/pihole/ssl/
cp /etc/letsencrypt/live/raspprinter.home.lan/combined.pem /etc/pihole/ssl/

Then, in pihole.toml:

# Under the [dns] stanza:
domain = "home.lan" ### CHANGED, default = "lan"
cert = "/etc/pihole/ssl/combined.pem" ### CHANGED, default = "/etc/pihole/tls.pem"
piholePTR = "HOSTNAMEFQDN" ### CHANGED, default piholePTR = "PI.HOLE"

# Under the [webserver] stanza:
domain = "raspprinter.home.lan" ### CHANGED, default = "pi.hole"
port = "443os" ### CHANGED, default = "80o,443os,[::]:80o,[::]:443os"

This isn't the full solution, but it is very close.


At this point, if I connect using the IP, all the dashboards work:

Whereas, when using the full domain nothing loads:

At least the web server is reading the certificate.

The final missing bit is that the way I joined the components seems not to be to the liking of version 6.

# key first, then the FULL chain (leaf + intermediates), not cert.pem:
cat /etc/pihole/ssl/privkey.pem /etc/pihole/ssl/fullchain.pem > /etc/pihole/ssl/combined.pem

Changing how I built combined.pem seems to have fixed everything!

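Added example (not code from the thread or from the Pi-hole project): two POSIX sh functions that build the combined file the way the final post does, private key followed by fullchain.pem, and sanity-check the result before pihole-FTL is restarted. The check flags the two failure modes a renewal script can silently produce: a file holding the key plus a single certificate (cert.pem used instead of fullchain.pem, which is exactly the change that fixed things above, since clients then never receive the intermediate), and PEM boundaries fused onto one line when plain cat is used on a key file that has no trailing newline. The paths in the commented usage line are assumptions built from the thread's hostname; the PEM bodies inside demo() are constructed placeholders, not real key or certificate material.

```shell
#!/bin/sh
# Added example (not from the thread): build and sanity-check the combined PEM
# that pihole-FTL's webserver loads. Paths are assumptions based on the thread's
# hostname; the PEM bodies in demo() are constructed placeholders.

# build_combined_pem KEY CHAIN OUT
# Writes KEY then CHAIN into OUT. The body is a subshell so the umask change
# stays local; 077 makes the file (it holds the private key) 0600 from birth.
# A newline is appended after any source file that lacks one, otherwise
# "-----END PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----" are fused on
# one line and the webserver's parser sees a broken file.
build_combined_pem() (
    key=$1; chain=$2; out=$3
    umask 077
    : > "$out"
    for f in "$key" "$chain"; do
        cat "$f" >> "$out"
        # $(...) strips a trailing newline, so an empty result means one was present
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
)

# check_combined_pem FILE
# Prints one word; returns 0 for a usable file, 1 otherwise:
#   ok            one private key, a leaf and at least one intermediate
#   leaf-only     one private key plus a single certificate (cert.pem was joined
#                 instead of fullchain.pem; clients needing the intermediate fail)
#   malformed     BEGIN/END markers do not pair up (typically fused boundaries)
#   bad-key-count / no-cert   the obvious omissions
check_combined_pem() {
    f=$1
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$begins" -ne "$ends" ]; then echo malformed; return 1; fi
    if [ "$keys" -ne 1 ]; then echo bad-key-count; return 1; fi
    if [ "$certs" -eq 0 ]; then echo no-cert; return 1; fi
    if [ "$certs" -eq 1 ]; then
        echo "note: $f carries only one certificate; join fullchain.pem so the intermediate is served" >&2
        echo leaf-only; return 0
    fi
    echo ok
}

# demo: exercise both functions on constructed placeholder PEM material and
# print three verdicts: proper build, cert.pem-style build, raw cat with fused markers.
demo() {
    d=$(mktemp -d)
    # key file deliberately written WITHOUT a trailing newline (constructed, not a real key)
    printf '%s\n%s\n%s' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    # fullchain: leaf followed by one intermediate (constructed placeholders)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' '-----END CERTIFICATE-----' > "$d/fullchain.pem"
    # cert.pem: the leaf alone
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' > "$d/cert.pem"

    build_combined_pem "$d/privkey.pem" "$d/fullchain.pem" "$d/good.pem"
    build_combined_pem "$d/privkey.pem" "$d/cert.pem" "$d/leafonly.pem"
    cat "$d/privkey.pem" "$d/fullchain.pem" > "$d/fused.pem"   # what plain cat produces here

    a=$(check_combined_pem "$d/good.pem" || true)
    b=$(check_combined_pem "$d/leafonly.pem" 2>/dev/null || true)
    c=$(check_combined_pem "$d/fused.pem" || true)
    rm -rf "$d"
    printf '%s %s %s\n' "$a" "$b" "$c"
}

# Real use after "certbot renew" (paths assumed from the thread's hostname). Afterwards
# chown the file to the account pihole-FTL runs as and restart FTL so it reloads:
#   build_combined_pem /etc/letsencrypt/live/raspprinter.home.lan/privkey.pem \
#       /etc/letsencrypt/live/raspprinter.home.lan/fullchain.pem /etc/pihole/ssl/combined.pem \
#   && check_combined_pem /etc/pihole/ssl/combined.pem && systemctl restart pihole-FTL.service

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` to see the three verdicts; the middle one (leaf-only) reproduces the cert.pem mistake from earlier in the thread, and the last one shows why the trailing-newline handling in build_combined_pem is not cosmetic.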

I followed all of this and it does not seem to work on the browser side. But if I curl the https for my pi it seems to work. 🙁

What are you trying to do? My post is specific to having my own local CA from Small-Step.

Yes, that is the same thing I was doing. However, I just realized, since I tried on a different PC, it is working 🙁 So no idea why it isn't working on my PC. But thank you for your write-up, it works lol

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.