Enabling HTTPS for your Pi-hole Web Interface


#21

I get that, but according to the tutorial this problem should not occur:

But this isn’t working as it should, as you can see it is conflicting with blocked HTTPS enabled domains.
What am I doing wrong?


#22

You will still get HTTPS errors when they are blocked, because you do not have a valid cert for that blocked domain.


#24

I just got this working after around an hour of playing around with it.

I’m running lighttpd/1.4.35 and PiHole v4.0 (latest) and here’s how I got it to work.

I’m using acme.sh to do my Let’s Encrypt certificate stuff automatically through Cloudflare DNS.

add "mod_alias" to /etc/lighttpd/lighttpd.conf so it looks like

server.modules = (
        "mod_access",
        "mod_accesslog",
        "mod_auth",
        "mod_expire",
        "mod_compress",
        "mod_redirect",
        "mod_setenv",
        "mod_rewrite",
        "mod_alias"
)

I speculate that I will have to change this file every time I update PiHole now.

Then add external.conf as stated above:

$HTTP["host"] == "url.FQDN.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/home/pi/.acme.sh/url.FQDN.com/combined.pem"
    ssl.ca-file =  "/home/pi/.acme.sh/url.FQDN.com/fullchain.cer"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Finally, I was doing port forwarding from port 80 on this Raspberry Pi to a random port exposed to the world and I didn’t remember to change it from port 80 to 443 to get SSL to work correctly. So remember kids, change your port forwarding settings.


#26

Hi! Thanks for this FAQ.

Could you kindly add some info?
Which owner, group and permissions must I set for the following file?

/etc/lighttpd/external.conf

Thanks in advance


#27

I had to modify the chaining

You use privkey + cert

I must use privkey + fullchain

This is because I’m using haproxy


#28

I have a similar question. I followed the guide and it should only be enabled for my pi-hole fqdn. However, I first tested it just using the IP address, and with the IP address I also get the cert error, so I’m expecting that any other domain will also get the cert shown? Shouldn’t it be bound only to the specific FQDN with the guide shown here?


#29

Yes, that is exactly what I meant!
I don’t know if @starbuck’s message is the solution?


#30

I have now tried a bit, and it seems that this is the expected behavior. As HTTPS gets enabled, there is a response on port 443; however, for all other sites the response is that there is no response (port 443 "offline"). It doesn’t look that nice, but there is no other solution like that, and it won’t expire. The only alternative solution would be to issue certs for all blocked sites via an internal CA, but then they need to be distributed to all systems, and that’s not good practice. I just wonder why the IP is available, but maybe it’s because no domain name is present.


#31

Thanks for the guide. I wanted my pihole admin interface to be reachable from both pihole.domain.local and pihole. The setting $HTTP["host"] == "pihole.domain.local" doesn’t allow multiple hostnames though.

My solution (after a bit of googling) was to replace that line with:

$HTTP["host"] =~ "pihole($|\.domain\.local)" {

This will use regex instead of an absolute setting (the regex just accepts pihole OR pihole.domain.local).

Note: this might be obvious, but make sure your cert has a SAN (Subject Alternate Name) containing the shortname as well as the FQDN. Otherwise the cert won’t be trusted/valid for the shortname.

Hope this helps anyone else looking to access their admin UI via the shortname or the FQDN.
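Added check, not from the thread: before pointing ssl.pemfile at a certificate, confirm it is actually valid for every name you intend to reach the admin UI by (short name and FQDN, as the note above says). It uses openssl's own hostname matcher, the same SAN rules a browser applies. For a real Let's Encrypt cert pass fullchain.cer (the acme.sh path from the earlier post) as the trust anchor; here a constructed self-signed cert stands in. Assumes OpenSSL 1.1.1 or newer (for -addext).

```shell
#!/bin/sh
# cert_covers ANCHOR CERT HOST
# Exit 0 when HOST is a valid name for CERT, chained to ANCHOR.
# ANCHOR: fullchain.cer for a Let's Encrypt cert; the cert itself
#         for the self-signed fixture below.
cert_covers() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Constructed fixture (not a real cert): throwaway self-signed cert
# whose SAN lists both the short name and the FQDN from the post.
make_fixture_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=pihole.domain.local" \
    -addext "subjectAltName=DNS:pihole,DNS:pihole.domain.local" \
    >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# report ANCHOR CERT NAME... : one OK/FAIL line per name you plan to use.
report() {
  anchor=$1; cert=$2; shift 2
  for h in "$@"; do
    if cert_covers "$anchor" "$cert" "$h"; then
      echo "OK   $h"
    else
      echo "FAIL $h (browsers will show a cert error for this name)"
    fi
  done
}

# Stand-alone run against the fixture; swap in your own files, e.g.
# report /home/pi/.acme.sh/url.FQDN.com/fullchain.cer \
#        /home/pi/.acme.sh/url.FQDN.com/combined.pem url.FQDN.com
fixture=$(make_fixture_cert)
report "$fixture" "$fixture" pihole pihole.domain.local pihole.other.example
```

A name listed only in the CN and not in the SAN fails this check, which is exactly the case the note above warns about.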


Questions about using Let's Encrypt to enable HTTPS for the Pi-hole Web Interface
#32

My question is can I use “Let’s Encrypt” to secure Pi-hole if I do NOT have any of these:
* a website
* FQDN (Fully Qualified Domain Name)
* a web server
* hosting provider
* VPS

So far, I just have a simple Raspberry Pi (with Pi-hole installed) attached to the home router, and it blocks ads successfully.

I have no idea if I can make use of “Let’s Encrypt” to make Pi-hole more secure if I do not have any of the items in the list above.

Do I actually need “Let’s Encrypt” to secure Pi-hole if I do not have any of the items in the list above?

Please advise.

Thanks a million.


#33

You at least need a domain to get the Let’s Encrypt certificate for, and you need to be able to port-forward your Pi-hole’s web interface so that it can be accessed by that domain.