Enabling HTTPS for your Pi-hole Web Interface

server.modules += (
   "mod_openssl"
)

Ignore it.

That did the trick!

server.modules += (
   "mod_openssl"
)

Thanks!


Will I run into issues if I attempt to use a (SSL) Wildcard certificate within the external.conf file?
ssl.pemfile = "/path/to/WildcardCertWithKey.pem"

After editing the external.conf file I tried testing the "lighttpd.conf" file as follows:

root@pi:~# lighttpd -f /etc/lighttpd/lighttpd.conf -tt
Enter PEM pass phrase: <PEM passphrase goes here>
(server.c.1493) WARNING: unknown config-key: alias.url (ignored)

Based on the output, everything seems to be "OK".
That being said, I am slightly concerned that I was prompted for the PEM pass phrase.
How is the lighttpd service supposed to run, if it doesn't know the passphrase to the PEM file?!?

What concerns me more is that I am unable to get the lighttpd service running.
As soon as I delete the contents of the external.conf file, I can (successfully) restart the lighttpd service.

Am I missing something obvious?
Many thanks!!!

root@pi:~# service lighttpd restart
Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.

root@pi:~# systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
   Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2020-12-02 21:14:56 EST; 5s ago
  Process: 11734 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=255/EXCEPTION)
Dec 02 21:14:56 pi systemd[1]: lighttpd.service: Service RestartSec=100ms expired, scheduling restart.
Dec 02 21:14:56 pi systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Dec 02 21:14:56 pi systemd[1]: Stopped Lighttpd Daemon.
Dec 02 21:14:56 pi systemd[1]: lighttpd.service: Start request repeated too quickly.
Dec 02 21:14:56 pi systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Dec 02 21:14:56 pi systemd[1]: Failed to start Lighttpd Daemon.

Hi, I would like to ask about this topic. I have already set up HTTPS, but when I access the IP address, it does not redirect to my HTTPS FQDN. Is there any way to redirect from the Pi-hole web admin IP address to the FQDN? Thank you. :slight_smile:

I couldn't do it for a week. My domain is on Cloudflare. It works with Apache2 on a Raspberry at home. However, I couldn't integrate the Pi-hole SSL as HTTPS. Cloudflare gave me the Origin Certificate and Private Key files. My file in the settings you are doing is like it doesn't sleep. Cloudflare SSL files for any settings? My apologies for my English.

@DanSchaper, @WaLLy3K,

Is it possible to do the same when we are using Pi-hole in Docker?

I'm unable to find any documentation on how to do that when using the Docker Pi-hole.

Is it possible to have the same FAQ for Docker, with Caddy for example?

Thank you very much for your help.

Best regards,

With a Docker image version 2022.04.01 or newer, this setting doesn't work anymore.

See the issue "With latest docker-image (2022.04.01) Web-GUI (https) doesn't work anymore: ./run: line 32: Segmentation fault lighttpd -D -f /etc/lighttpd/lighttpd.conf" (pi-hole/docker-pi-hole issue #1046 on GitHub) for details.

TL;DR:

# Loading openssl
server.modules += ( "mod_openssl" )

setenv.add-environment = ("fqdn" => "true")
$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/etc/lighttpd/combined.pem"
  ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
}

# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
  $HTTP["host"] =~ ".*" {
    url.redirect = (".*" => "https://%0$0")
  }
}

Thanks to Theliel (GitHub), who found out how to fix this :heart:



Hello, I just went through this tutorial and ran into an issue where I would get an SSL_ERROR_INTERNAL_ERROR_ALERT when I tried to access my Pi-hole admin UI (lighttpd was up and running fine, though).

After doing some research in the lighttpd docs, I found that in newer versions of lighttpd the ssl.ca-file option is deprecated; instead you need to put your full CA certificate chain + certificate + private key all in one file, which ssl.pemfile should point to. Once I did that and restarted lighttpd, HTTPS started working as expected.

My external.conf file now looks like:

$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/PATH/TO/combined_fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Someone (@DanSchaper, @yubiuser, … ?) might want to update the issue "Remove 443 from example yaml/readme and scripts." (pi-hole/docker-pi-hole issue #755 on GitHub) regarding how to use port 443 for secure remote access without a VPN…!? :thinking:

Or does anyone want a PR for an example of this scenario?

I just went through the tutorial very carefully and it doesn't work. I always receive errors when restarting / attempting to start up lighttpd.

What I tried:

  1. I gave access to the location where I placed the cert(s):
    sudo chown www-data -R /etc/lighttpd/ssl
  2. I chained together my Private key and Cert File into one file with .pem extension.
    sudo cat privatekey.key certfile.crt | sudo tee combinedfiles.pem
  3. I chained together all my intermediate certs into one file with a .pem extension.
    sudo cat intermediateCA1.crt intermediateCA2.crt | sudo tee combinedCAfiles.pem
  4. I tried with and without the CA file within the lighttpd external.conf file (as someone in the comments stated that it was deprecated).

Any assistance would be welcomed.
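Two problems recur in this thread: being prompted for a PEM pass phrase when testing the config (a service cannot start unattended with an encrypted key) and a combined pemfile that lacks the intermediate chain now that ssl.ca-file is deprecated. The check below inspects a combined file of the kind built in steps 2 and 3 above for both, plus overly broad file permissions. It is an added example for this thread, not Pi-hole's or lighttpd's code; it only reads PEM block labels, and the sample PEM texts are constructed placeholders.

```python
"""Sanity-check a combined lighttpd ssl.pemfile (private key + leaf + chain).
Added example for this thread, not Pi-hole's or lighttpd's code; it only inspects
PEM block labels, so it needs nothing beyond the standard library."""
import os
import re
import stat

# One match per PEM block; group 1 is the label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def inspect_pem(text):
    """Count the PEM blocks and flag a passphrase-protected private key."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    # Legacy keys mark encryption with a Proc-Type header; PKCS#8 keys change the label.
    encrypted = "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text
    return {"certs": labels.count("CERTIFICATE"),
            "keys": sum(1 for lab in labels if lab.endswith("PRIVATE KEY")),
            "encrypted": encrypted}


def check_pemfile(text, mode=None):
    """Return the problems lighttpd would trip over; an empty list means it looks fine."""
    info = inspect_pem(text)
    problems = []
    if info["keys"] != 1:
        problems.append("expected exactly one private key, found %d" % info["keys"])
    if info["certs"] == 0:
        problems.append("no certificate block found")
    elif info["certs"] == 1:
        problems.append("only one certificate: the intermediate chain is missing")
    if info["encrypted"]:
        problems.append("private key is passphrase-protected, so the service cannot start unattended")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is readable by group/others; restrict it to the lighttpd user")
    return problems


def check_pemfile_path(path):
    """Run check_pemfile() on a real file, taking its permission bits into account."""
    with open(path) as fh:
        return check_pemfile(fh.read(), os.stat(path).st_mode)


# Constructed samples with placeholder bodies: a correct key + leaf + intermediate file,
SAMPLE_OK = ("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
             "-----BEGIN CERTIFICATE-----\nleaf\n-----END CERTIFICATE-----\n"
             "-----BEGIN CERTIFICATE-----\nintermediate\n-----END CERTIFICATE-----\n")
# and a passphrase-protected legacy key with only the leaf certificate.
SAMPLE_BAD = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00\n\nplaceholder\n-----END RSA PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\nleaf\n-----END CERTIFICATE-----\n")
```

Run `check_pemfile_path("/etc/lighttpd/combined.pem")` on the host; anything it returns is a reason `lighttpd -tt` or the service start would fail or prompt.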

What errors are you seeing?

Official lighttpd SSL documentation:

This doesn't work for me. The lighttpd daemon doesn't run after setting up SSL.

Following the above instructions, I'm seeing the following when I restart lighttpd:

Warning: please add "mod_openssl" to server.modules list in lighttpd.conf. A future release of lighttpd 1.4.x will not automatically load mod_openssl and lighttpd will not use SSL/TLS where your lighttpd.conf contains ssl.* directives

Adding "mod_openssl" to my lighttpd.conf resolves the issue:

server.modules = (
  "mod_access",
  "mod_accesslog",
  "mod_auth",
  "mod_expire",
  "mod_redirect",
  "mod_setenv",
  "mod_rewrite",
  "mod_openssl"   # <<< added
)

Do not edit this file.

Changes made to lighttpd.conf will be overwritten on the next update (or if you execute a repair).
You need to add the module using external.conf file.

Try to add this to external.conf:

server.modules += (
  "mod_openssl"
)


For anyone else trying to do this and getting errors after following this guide:

Just make sure you have the package "lighttpd-mod-openssl" installed. Once I installed this package and then followed the guide, everything worked.