Feature Idea - Separate SSL certificate and key files

6.0 presently uses a combined .pem that contains the certificate and key. Certbot provides a full certificate file and a separate key file.

Certbot can automatically renew certificates before the three month expiration. But, due to the need for a combined file in 6.0, certbot cannot be used to automatically renew the certificate, as far as I know.

Changes would have to be made to pihole.toml to allow a user to specify the .pem files (users would then point to the certbot storage locations). Some logic would then have to concatenate those files before serving the webpage (or after some other regular "have files changed" check). It also might affect 6.0's self-generated certificate and how that is done.

Thoughts?

We could be waiting a while for certbot to help:

https://github.com/certbot/certbot/issues/5087

In any event, there may be some ideas in that amusing commentary for self-help in case this feature isn't added (here or to certbot).

Are you aware of the https://acme.sh way to generate certificates? You can output to pfx12 with that process. I haven't used certbot directly in a long time, acme.sh does just about everything related to certificate generation. And it's all bash so I have a bit of a soft spot for it.

Thanks for the tip. I'll give it a spin. It looks like it runs a daily cron job to check for renewal. Possibly still need to add another cron job for the concatenation, as the wiki doesn't suggest there's a combined fullchain+key file.

The current limitation that everything has to be in one file comes straight from CivetWeb and isn't something we could easily change without either a patch to CivetWeb (which may break for future upgrades) or adding a preprocessing step, which also seems quite hacky.

Path to the SSL certificate file. This option is only required when at least one of the listening_ports is SSL. The file must be in PEM format, and it must have both, private key and certificate, see for example ssl_cert.pem A description how to create a certificate can be found in doc/OpenSSL.md

source: UserManual.md#ssl_certificate

As the certificate is kept in memory anyway (for performance reasons), you'll have to restart FTL anyway to make it load a (re)new(ed) certificate/key file. Then you could also have

cat certfile > pihole.pem
cat keyfile >> pihole.pem

in the same script.

Check the --to-pkcs12 and --to-pkcs8 flags, those concatenate and optionally add a password.

${ACME_OPENSSL_BIN:-openssl} pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$CERT_KEY_PATH" -out "$CERT_PKCS8_PATH"

You can also do a post-processing command that is run after a new cert is generated, --reloadcmd that is meant to restart the webserver daemon.

@DL6ER @DanSchaper

acme.sh works great. If you have access to a domain on acme.sh's list, you can use it to set up automatic authorization for renewal. It sets up a daily cron job to check for renewal. My idea is to set up a cron job a few minutes after that to see if anything changed and make updates if it did. Here's my generic bash script to do so based on the defaults in acme.sh:

#!/bin/sh
# Concatenate the acme.sh fullchain and key into the single PEM file that
# Pi-hole 6.0 expects, and restart FTL only when the content actually changed.
set -eu
umask 077   # the temp file holds the private key; keep it unreadable to other users

fullchain="/home/[username]/.acme.sh/pihole.example.com_ecc/fullchain.cer"
key="/home/[username]/.acme.sh/pihole.example.com_ecc/pihole.example.com.key"
current="/etc/pihole/server.pem"
temppem="$(mktemp)"

cat "$fullchain" "$key" > "$temppem"

# cmp exits non-zero when the files differ (or when $current does not exist yet)
if ! sudo cmp -s "$temppem" "$current"; then
    sudo cp "$temppem" "$current"
    sudo pihole restartdns
fi

rm -f "$temppem"

I'm pretty sure the two options I noted in my previous post will do all of the concatenation for you and eliminate the need to do additional work. You can also run pihole restartdns via the --reloadcmd when you use the pkcs options.

Maybe I'm not doing it right, but --to-pkcs12 provided an encrypted file and --to-pkcs8 provided something with only a private key. Neither worked.

Did you set up a password on the 12 file? I'll have to check but I think you can leave the password off and end up with a plaintext file.

I tried leaving --password off and trying to set --password NO, which probably used "NO" as the pw. Leaving it off then prompts for a password.

Thanks, I'll see if there is an option in the acme code.
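Before copying a freshly built combined file into place and restarting FTL, it is worth checking that the file really contains both parts in plain PEM form; the key-only and encrypted outputs described above would be caught here instead of after a restart. This is an added example, not code from the thread, from Pi-hole or from acme.sh; it is a text-level check only and does not verify that the key matches the certificate. The sample PEM bodies at the bottom are constructed placeholders, not real key material.

```shell
#!/bin/sh
# check_combined_pem FILE
# Returns 0 when FILE holds at least one CERTIFICATE block and exactly one
# unencrypted PRIVATE KEY block with balanced BEGIN/END markers, 1 otherwise.
check_combined_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "unreadable: $pem" >&2; return 1; }
    # grep -c prints 0 (and exits 1) on no match, so keep the count and ignore the status
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    begins=$(grep -c '^-----BEGIN ' "$pem" || true)
    ends=$(grep -c '^-----END ' "$pem" || true)
    if [ "$certs" -lt 1 ]; then
        echo "no CERTIFICATE block in $pem (key-only file?)" >&2; return 1
    fi
    if [ "$keys" -ne 1 ]; then
        echo "expected exactly one PRIVATE KEY block in $pem, found $keys" >&2; return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "unbalanced BEGIN/END markers in $pem (truncated concatenation?)" >&2; return 1
    fi
    if grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "private key in $pem is encrypted; an unencrypted key is expected" >&2; return 1
    fi
    return 0
}

# Stand-alone demo on a constructed file (fake base64 bodies, not a real key or cert).
demo_file="$(mktemp)"
printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructedLeaf\n-----END CERTIFICATE-----\n' > "$demo_file"
printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructedChain\n-----END CERTIFICATE-----\n' >> "$demo_file"
printf -- '-----BEGIN EC PRIVATE KEY-----\nMHQCconstructedKey\n-----END EC PRIVATE KEY-----\n' >> "$demo_file"
if check_combined_pem "$demo_file"; then echo "demo bundle OK"; fi
rm -f "$demo_file"
```

In the renewal script above, run this on the temp file and only copy and restart when it returns 0.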