server.modules += (
"mod_openssl"
)
Ignore it.
That did the trick!
server.modules += (
"mod_openssl"
)
Thanks!
Will I run into issues if I attempt to use a (SSL) Wildcard certificate within the external.conf file?
ssl.pemfile = "/path/to/WildcardCertWithKey.pem"
After editing the external.conf file I tried testing the "lighttpd.conf" file as follows:
root@pi:~# lighttpd -f /etc/lighttpd/lighttpd.conf -tt
Enter PEM pass phrase: <PEM passphrase goes here>
(server.c.1493) WARNING: unknown config-key: alias.url (ignored)
Based on the output, everything seems to be "OK".
That being said, I am slightly concerned that I was prompted for the PEM pass phrase.
How is the lighttpd service supposed to run, if it doesn't know the passphrase to the PEM file?!?
What concerns me more is that I am unable to get the lighttpd service running.
As soon as I delete the contents of the external.conf file, I can (successfully) restart the lighttpd service.
Am I missing something obvious?
Many thanks!!!
root@pi:~# service lighttpd restart
Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.
root@pi:~# systemctl status lighttpd.service
**●** lighttpd.service - Lighttpd Daemon
Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
Active: **failed** (Result: exit-code) since Wed 2020-12-02 21:14:56 EST; 5s ago
Process: 11734 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf **(code=exited, status=255/EXCEPTION)**
Dec 02 21:14:56 pi systemd[1]: lighttpd.service: Service RestartSec=100ms expired, scheduling restart.
Dec 02 21:14:56 pi systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Dec 02 21:14:56 pi systemd[1]: Stopped Lighttpd Daemon.
Dec 02 21:14:56 pi systemd[1]: **lighttpd.service: Start request repeated too quickly.**
Dec 02 21:14:56 pi systemd[1]: **lighttpd.service: Failed with result 'exit-code'.**
Dec 02 21:14:56 pi systemd[1]: **Failed to start Lighttpd Daemon.**
Hi, I would like to ask about this topic, I already make HTTPS but when I access the ip address. My IP Address not redirect to My HTTPS FQDN. Is there any way to redirect from pihole Web Admin IP Address to FQDN? Thank you.
I couldn't do a week. My Domain address is available in Cloudflare. Works with Raspberry Apache2 at home. However, I couldn't integrate the pihole SSL as HTTPS. Cloudflare gave me the Origin Certificate, Private Key files. My file in the settings you are doing is like it doesn't sleep. CLOUDFLARE SSL files for any settings? My English is my apologies.
@DanSchaper , @WaLLy3K ,
Is it possible to do the same when we are using pi-hole in Docker ?
I’m unabie to find any documentation to do that when we use Docker pi-hole.
Is it possible to have the same FAQ for docker with Caddy for example ?
Thank you very much for your help.
Best regards,
With a docker image newer or equal to 2022.04.01 this setting doesn't work anymore.
TL;DR:
#Loading openssl
server.modules += ( "mod_openssl" )
setenv.add-environment = ("fqdn" => "true")
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/combined.pem"
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
Thanks to Theliel · GitHub who found out how to fix this
6 posts were split to a new topic: SSL configuration not working for lighttpd
hello, I just went through this tutorial and I ran into an issue where I would get a SSL_ERROR_INTERNAL_ERROR_ALERT
when I tried to access my pihole admin UI (lighttpd was up and running fine, though)
After doing some research into lighttpd docs, I found that in newer versions of lighttpd, the ssl.ca-file
option is deprecated, and instead you need to be putting your full CA certificate chain + certificate + private key all in one file, which ssl-pemfile
should point to. Once I did that and restarted lighttpd, https started working as expected.
My external.conf
file now looks like
$HTTP["host"] == "pihole.example.com" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/PATH/TO/combined_fullchain.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
Someone (@DanSchaper , @yubiuser, … ?) might want to update Remove 443 from example yaml/readme and scripts. · Issue #755 · pi-hole/docker-pi-hole · GitHub regarding how to use port 443 for a secure remote access without a VPN…!?
Or does anyone wants a PR for an example for this scenario?
I just went through the tutorial very carefully and it doesn't work. Always receive errors when restarting / attempting to start up lighttpd.
What I tried:
- I gave access to the location where I placed the cert(s):
sudo chown www-data -R /etc/lighttpd/ssl
- I chained together my Private key and Cert File into one file with .pem extension.
sudo cat privatekey.key certfile.crt | sudo tee combinedfiles.pem
- I chained together all my intermediate certs into one file with a .pem extension.
sudo cat intermediateCA1.crt intermediateCA2.crt | sudo tee combinedCAfiles.pem
- I tried with and without the CA file within with lighttpd external.conf file (as that was stated to be deprecated by someone in the comments).
Any assistance would be welcomed.
What errors are you seeing?
Official lighttpd
SSL documentation:
This doesn't work for me. The lighttpd daemon doesnt run after setting up ssl
Following the above instructions, I'm seeing the following when I restart lighttpd:
Warning: please add "mod_openssl" to server.modules list in lighttpd.conf. A future release of lighttpd 1.4.x will not automatically load mod_openssl and lighttpd will not use SSL/TLS where your lighttpd.conf contains ssl.* directives
Adding "mod_openssl" to my lighttpd.conf resolves the issue:
server.modules = (
"mod_access",
"mod_accesslog",
"mod_auth",
"mod_expire",
"mod_redirect",
"mod_setenv",
"mod_rewrite",
"mod_openssl" <<<
)
Do not edit this file.
Changes made to lighttpd.conf
will be overwritten on the next update (or if you execute a repair).
You need to add the module using external.conf
file.
Try to add this to external.conf
:
server.modules += (
"mod_openssl"
)
A post was split to a new topic: Sneak peaks for updates?
For anyone else trying to do this and getting errors after following this guide.
Just make sure you have the package "lighttpd-mod-openssl" installed. Once I installed this package then following the guide everything worked.