[Help] [Question] Pihole ssl comodo

I bought an ssl certificate and it came to me with 3 files in one rar.


AAACertificateServices.crt

HSSL.key

mydomain.com.crt


How can I install this ssl certificate in pihole?

I was able to do it in apache2 but I don't understand how it's done in pihole.


apache2

```apache
<VirtualHost *:443>
    ServerName mydomain.com

    <Directory /var/www/html>
        allow from all
        Options None
        Require all granted
    </Directory>

    SSLEngine on
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCertificateFile /etc/apache2/ssl/mydomain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/HSSL.key
    SSLCACertificateFile /etc/apache2/ssl/AAACertificateServices.crt
    SSLVerifyClient none

    DocumentRoot /var/www/html
</VirtualHost>
```


I saw this video but I don't understand it; I see that it creates certificates and then puts only 2 files in lighttpd.

I have 3 files and they do not have the .pem extension.

I have Ubuntu 16.04.7 LTS x86_64.

Thank you very much.
I don't know if this is the correct area for this question, excuse my ignorance.
I do not speak English, I am using a translator.

Following this tutorial:


I have these files:

AAACertificateServices.crt

HSSL-etc.key

midominio.com.crt

SectigoRSADomainValidationSecureServerCA.crt

USERTrustRSAAAACA.crt


In the tutorial I see that it places 3 files:

/etc/letsencrypt/live/pihole.example.com/privkey.pem

/etc/letsencrypt/live/pihole.example.com/cert.pem

/etc/letsencrypt/live/pihole.example.com/combined.pem

privkey.pem would be HSSL-etc.key

cert.pem would be midominio.com.crt

combined.pem would be AAACertificateServices.crt

Or am I wrong?

So, just change the extension.

Following this: ssl - How to get .pem file from .key and .crt files? - Stack Overflow

/etc/letsencrypt/live/pihole.example.com/HSSL-etc.pem

/etc/letsencrypt/live/pihole.example.com/midominio.com.pem

/etc/letsencrypt/live/pihole.example.com/AAACertificateServices.pem


So I see it edits: /etc/lighttpd/external.conf

```
$HTTP["host"] == "pihole.example.com" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")

    # Enable the SSL engine with a LE cert, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
    }

    # Redirect HTTP to HTTPS
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
}
```


So what I understand is this:

```
$HTTP["host"] == "pihole.example.com" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")

    # Enable the SSL engine with a LE cert, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/AAACertificateServices.pem"
        ssl.ca-file = "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
    }

    # Redirect HTTP to HTTPS
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
}
```


Then I changed:

ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/AAACertificateServices.pem"

ssl.ca-file = "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"

And this file? fullchain.pem

Then I changed all pihole.example.com to my domain, example.com.

Then:

sudo service lighttpd restart

And it does not work.

What am I doing wrong?

https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

I think my problem is in the file: combined.pem

I see there are 3 types of combined.pem
Which would be correct?

And what would this file be?
fullchain.pem
It never uploads it to that folder.

I went to sectigo.com and I saw this:

```
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: SectigoRSA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: USERTrustRSACertificationAuthorityCARoot.crt)
-----END CERTIFICATE-----
```

Then it would be like this:

HSSL.key

```
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
```

domain.com.crt

```
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
```

SectigoRSADomainValidationSecureServerCA.crt

```
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: SectigoRSA.crt)
-----END CERTIFICATE-----
```

USERTrustRSAAAACA.crt

```
-----BEGIN CERTIFICATE-----
(Your Root certificate: USERTrustRSACertificationAuthorityCARoot.crt)
-----END CERTIFICATE-----
```

Am I right?
This would be the combined.pem file that I see in this tutorial:

If I'm wrong, correct me.
Thanks, I think I'm making progress.

```
# sudo service lighttpd restart

# sudo service lighttpd status

● lighttpd.service - Lighttpd Daemon
   Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since vie 2020-09-18 18:22:33 -03; 8s ago
  Process: 83344 ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf (code=exited, status=255)
  Process: 83333 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 83344 (code=exited, status=255)

sep 18 18:22:33 ubuntu systemd[1]: Starting Lighttpd Daemon...
sep 18 18:22:33 ubuntu lighttpd[83333]: Syntax OK
sep 18 18:22:33 ubuntu systemd[1]: Started Lighttpd Daemon.
sep 18 18:22:33 ubuntu lighttpd[83344]: 2020-09-18 18:22:33: (network.c.734) SSL: error:02001002:system library:fopen:No such file or directory /etc/letsencrypt/live/example.com/fullchain.pem
sep 18 18:22:33 ubuntu lighttpd[83344]: 2020-09-18 18:22:33: (network.c.870) SSL: error:20074002:BIO routines:FILE_CTRL:system lib /etc/letsencrypt/live/example.com/fullchain.pem
sep 18 18:22:33 ubuntu systemd[1]: lighttpd.service: Main process exited, code=exited, status=255/n/a
sep 18 18:22:33 ubuntu systemd[1]: lighttpd.service: Unit entered failed state.
sep 18 18:22:33 ubuntu systemd[1]: lighttpd.service: Failed with result 'exit-code'.
```


Apparently the problem is in fullchain.pem.
What should this .pem look like?

I made it.
Thank you very much.

I leave the solution in case someone needs it:

```
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: SectigoRSA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: USERTrustRSACertificationAuthorityCARoot.crt)
-----END CERTIFICATE-----
```

1 .key

2 domain.com.crt

3 SectigoRSADomainValidationSecureServerCA.crt

4 USERTrustRSAAAACA.crt

Open the 4 files, paste the 4 texts into a single file and save it with a .pem extension.

This would be the combined.pem


Then we change the extension of the AAACertificateServices.crt file to .pem.

This would be the fullchain.pem


Now we have the two .pem files.

We create the folder /etc/letsencrypt/live/pihole.example.com/

pihole.example.com would be the name of our domain.

With permissions rw-r--r-- (0644)

We copy the .pem files that we created into this folder.

```
sudo chown www-data -R /etc/letsencrypt/live
```


We open /etc/lighttpd/external.conf

pihole.example.com would be the name of our domain.

sudo service lighttpd restart

If I did something wrong, please correct me, thank you.
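As an added example (not from this thread or from Pi-hole), here is a shell helper that assembles combined.pem and fullchain.pem in the order of the Sectigo layout quoted above and checks the result with openssl before lighttpd is restarted: the private key must belong to the server certificate, and the certificate must verify against the root through the intermediate. The function names, output paths and the throwaway test chain are constructed for this example; combined.pem is created with mode 0600 because it contains the private key.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread or Pi-hole): assemble lighttpd's
# combined.pem and fullchain.pem from the four files and verify them.
set -eu

# build_lighttpd_pem OUTDIR KEY LEAF.crt INTERMEDIATE.crt ROOT.crt
build_lighttpd_pem() {
  out=$1; key=$2; leaf=$3; inter=$4; root=$5
  mkdir -p "$out"
  # ssl.pemfile: private key first, then the server cert, then the intermediate.
  # It holds the private key, so it is written unreadable to other users.
  ( umask 077; cat "$key" "$leaf" "$inter" > "$out/combined.pem" )
  # ssl.ca-file: the issuing chain (intermediate, then root).
  cat "$inter" "$root" > "$out/fullchain.pem"
  # Check 1: the key inside combined.pem really belongs to the server cert
  # (compare the public key derived from each side).
  k=$(openssl pkey -in "$out/combined.pem" -pubout | openssl md5)
  c=$(openssl x509 -in "$leaf" -pubkey -noout | openssl md5)
  [ "$k" = "$c" ] || { echo "key does not match $leaf" >&2; return 1; }
  # Check 2: the server cert chains to the root through that intermediate.
  openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null
}

# Constructed fixture: a throwaway root -> intermediate -> leaf chain, so the
# helper can be exercised offline without the real Sectigo files.
make_test_chain() {
  d=$1; mkdir -p "$d"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
      -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=$n.example" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}
```

Run it against the real files as `build_lighttpd_pem /etc/letsencrypt/live/pihole.example.com HSSL.key midominio.com.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt`; a non-zero exit means the files do not fit together and lighttpd will fail in the same way the status output above shows.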
