Hello all, after spending a day and a half on this, I finally decided to create an account and ask of your expertise.
I'm trying to enable HTTPS/SSL for the Pi-hole admin GUI. It's almost certainly not necessary, but it is the only service I'm hosting on my HomeLab that isn't using HTTPS. Before editing the `external.conf` file to enable SSL, I had no problems accessing the Pi-hole GUI. After enabling SSL, I'm unable to load the admin dashboard.
My local domain is `mehrtens-lab.lan`. When using HTTP, the Pi-hole dashboard is reachable at:
- http://pihole.mehrtens-lab.lan/admin,
- http://192.168.0.5/admin, or
- http://pi.hole/admin.
This is accomplished by adding `192.168.0.5 pihole.mehrtens-lab.lan pihole` to the `/etc/hosts` file on the Pi-hole Ubuntu VM.
To enable SSL, I generally followed this guide. Since this is a local, non-top-level domain, I'm pretty sure I can't use Let's Encrypt or a similar service; so, I'm using `mkcert` to generate self-signed certificates and create my own Certificate Authority (CA).
Here's my process. On my personal MacBook, I run:
```sh
mkcert -install
mkcert 192.168.0.5 "pihole.mehrtens-lab.lan"
cat 192.168.0.5+1-key.pem 192.168.0.5+1.pem | tee 192.168.0.5+1-combined.pem
```
I then copy the `192.168.0.5+1-combined.pem` file into `/etc/ssl/private`. I set the permission of the `.pem` file according to the `lighttpd` documentation (see here) with the following commands:
```sh
chown root:root /etc/ssl/private/192.168.0.5+1-combined.pem
chmod 400 /etc/ssl/private/192.168.0.5+1-combined.pem
```
Then, I added this text to the `/etc/lighttpd/external.conf` file:
```
# Load openssl
server.modules += ( "mod_openssl" )

$HTTP["host"] == "pihole.mehrtens-lab.lan" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")

    # Enable the SSL engine with self-signed certificate, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/ssl/private/192.168.0.5+1-combined.pem"
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
    }

    # Redirect HTTP to HTTPS
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
}
```
Finally, I run `sudo systemctl restart lighttpd.service`. When I open https://pihole.mehtens-lab.lan/admin on my development laptop, I'm greeted by a blank, white screen. It does, however, load the Pi-hole icon on the tab and the HTTP redirection works.
I have tried, among many other things that I have likely forgotten:
- including or excluding the `$HTTP["host"] == "pihole.mehrtens-lab.lan" { ... }` line in `external.conf`,
- creating the `mkcert` certificates from the Pi-hole VM,
- creating certificate chains according to the `lighttpd` documentation,
- specifying the private key in `external.conf` with `ssl.privkey`,
- running `lighttpd` in the foreground (there are no errors or warnings),
- putting the `.pem` files in different directories than `/etc/ssl/certs` or `/etc/ssl/private`, and
- generating a simple certificate with OpenSSL (didn't really give this one too much effort since I want to use `mkcert`).
I'm running Pi-hole version 5.14.2 on an Ubuntu Server 22.10 virtual machine (this is running on a different machine than my development laptop). `lighttpd` is on version 1.4.65 and `mkcert` is version 1.4.4. My debug token is below:
https://tricorder.pi-hole.net/uOF8ILxy/
Any assistance troubleshooting would be greatly appreciated! I'm more annoyed that I can't figure this out than anything else at this point...
Cheers,
Matthew Mehrtens
EDIT: Upon further research, I am led to believe my computer isn't even correctly locating the Pi-hole lighttpd web server. Safari didn't give me helpful error messages, but on Opera GX, it showed an ERR_CONNECTION_TIMED_OUT. I'm not technically or "network-ically" savvy enough to deduce what this means... I can still ping/SSH pihole.mehrtens-lab.lan or pi.hole.
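The post ends on ERR_CONNECTION_TIMED_OUT, which a browser reports when the TCP connection to port 443 never completes; that is a different failure from "port open, TLS handshake fails" or "pemfile unusable", and the three are worth separating before touching `external.conf` again. The script below is an added diagnostic, not part of the post or of Pi-hole or lighttpd. It checks that a combined PEM really carries both a private key and a certificate (the `cat key cert` step above), and probes a host:port to classify the outcome as timeout (firewall or routing), refused (nothing bound to the port), tls-error (something accepted TCP but did not complete TLS) or ok. The function names, the `SAMPLE_COMBINED_PEM` text (constructed, not real key material) and the `rootCA.pem` path in the final comment are assumptions of this example; the loopback helpers exist only so the probe can be exercised offline.

```python
"""Diagnostics for a lighttpd TLS listener: PEM framing check plus a TLS probe.

Added example; not code from the forum post, Pi-hole or lighttpd.
"""
import re
import socket
import ssl
import threading

# Constructed sample standing in for `cat key.pem cert.pem` output. The bodies are
# base64 of the words "constructed sample only", not real key material; only the
# PEM framing (BEGIN/END labels and their order) is meaningful here.
SAMPLE_COMBINED_PEM = """-----BEGIN PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlIG9ubHk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlIG9ubHk=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_block_labels(text):
    """Return the BEGIN/END labels of every PEM block in `text`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_combined_pem(text):
    """Verify a file meant for ssl.pemfile carries both a private key and a certificate."""
    labels = pem_block_labels(text)
    has_key = any(label in KEY_LABELS for label in labels)
    has_cert = "CERTIFICATE" in labels
    return {"labels": labels, "has_key": has_key, "has_cert": has_cert, "ok": has_key and has_cert}


def probe_tls(host, port=443, timeout=3.0, cafile=None, server_hostname=None):
    """Classify what a browser would hit on host:port.

    Returns one of:
      "timeout"     no SYN/ACK within `timeout`: firewall or routing (ERR_CONNECTION_TIMED_OUT)
      "refused"     the host answers, but nothing is bound to the port
      "unreachable" no route to host / name resolution or other socket error
      "tls-error"   TCP connected, but the TLS handshake failed (non-TLS listener on the port,
                    unusable pemfile, or untrusted chain when `cafile` is set)
      "ok"          TLS handshake completed
    With `cafile` (e.g. the mkcert root CA) the chain and hostname are verified; without it
    the probe only tests that some TLS server answers, so use it for diagnosis, not trust.
    """
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    try:
        # wrap_socket performs the handshake immediately on an already-connected socket
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host):
            return "ok"
    except socket.timeout:
        return "timeout"
    except (ssl.SSLError, ConnectionError):
        return "tls-error"
    finally:
        raw.close()


def free_port():
    """Pick a loopback port nothing listens on, to exercise the 'refused' case offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_plain_listener():
    """Accept one loopback connection and close it without speaking TLS.

    This mimics a web server bound to a port with ssl.engine off: TCP connects, TLS does not.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("pem check   ->", check_combined_pem(SAMPLE_COMBINED_PEM))
    print("closed port ->", probe_tls("127.0.0.1", free_port()))
    print("non-TLS     ->", probe_tls("127.0.0.1", start_plain_listener()))
    # Against the real box (hypothetical host and CA path, adjust to your setup):
    # probe_tls("pihole.mehrtens-lab.lan", 443, cafile="/path/to/mkcert/rootCA.pem")
```

Reading the result: "timeout" from the laptop while ping and SSH succeed points at the path to port 443 (a host firewall rule, or lighttpd not actually bound on :443 because the socket block never took effect), so `ss -ltnp` on the VM is the next thing to look at; "refused" means the VM is reached but no listener is on 443; "tls-error" means lighttpd is answering on 443 but not completing TLS, which is when the pemfile contents and the `ssl.engine` placement deserve attention.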