Enabling HTTPS for your Pi-hole Web Interface

The hostname/FQDN needs to be presented in the pem cert as a Subject CN (Common name) or as a SAN (Subject alternative name):

pi@noads:~ $ openssl x509 -in pi.hole.pem -noout -text
[..]
        Issuer: C = US, ST = MN, L = Minneapolis, OU = Domain Control Validated, CN = some.cert.signer.ca
[..]
        Subject: C = US, ST = MN, L = Minneapolis, OU = Domain Control Validated, CN = noads.dehakkelaar.nl
[..]
            X509v3 Subject Alternative Name:
                DNS:pi.hole
[..]

C=US ST=WY L=Sheridan

I just blindly entered through those settings using openssl defaults.
They dont matter anyway :wink:

EDIT:
http://apetec.com/support/GenerateSAN-CSR.htm

Been staring at this for bout half an hour trying to find cryptic hidden message :wink:

No offense but this isnt the first or the last certificate Ive made.

I just checked it anyways and it is correct: Its in the CN and the SAN.

Also like I mentioned, If I go to the IP, it works correctly.

And you get the right cert presented ? (substitute <IP_ADDRESS_OR_DOMAIN_HERE>)

echo | openssl s_client -connect <IP_ADDRESS_OR_DOMAIN_HERE>:443 2>/dev/null | openssl x509 -text -noout

If I use = for wildcard, I get thus far:

WhY danSC===er U STLSi

For the CSR. Country is US, State is WY, Locality is Sheridan

Yeah but whats the cryptic part ?

:wink:

I don’t understand what you mean?

That makes two :smiley:
I dont understand relevance of below posting:

Thats why I was looking for cryptic hidden message :wink:

@riahc3 , forgot to mention, you could run below one too to see cert details presented like CN & SAN:

curl -Iv https://<DOMAIN>

Sometimes results differ from using openssl when inspecting a socket depending on how the web server is configured.

1 Like

From the cert:
Issuer: C = US, ST = MN, L = Minneapolis, OU = Domain Control Validated, CN = some.cert.signer.ca

Yeah that was a cert I created once for testing.
When the questions came about location, I just pressed enter to accept defaults :wink:

Those are defaults? Oh, I thought you were putting in the location of where Pi-hole was first created!

2 Likes

Something must have changed in meantime (updated openssl or something) as I cant reproduce:

pi@noads:~/tmp $ openssl req -new -out pi.hole.csr -key pi.hole.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:pi.hole
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

pi@noads:~/tmp $ openssl req -text -noout -in pi.hole.csr
[..]
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = pi.hole

Now we know :wink:

zbpT52U_

I’ll remember from now on :smiley:
Nice shield btw!

1 Like

Thanks for the tip.

I get the same error as Chrome.

So, what would be the next step? The certificate is working as if I go to the IP it works…I inspect the certificate in Chrome and it is indeed that certificate with the CN and SAN…

I added the CA to CentOS 7 as well just in case but still nothing.

1 Like