HTTPS without a domain

Would it be possible to use mkcert to create a certificate for pi.hole instead of needing a domain like in this guide? I don't know if this is the correct category.

I don't know mkcert.
I use something similar to the below to create self-signed SAN certs:

http://apetec.com/support/GenerateSAN-CSR.htm

That way you can put all sorts of aliased domains (Subject Alternative Name) in the cert.
Even pi.hole can be an alias(SAN) in the cert.

Here's the link for mkcert. It doesn't create self-signed certificates. It uses a local CA instead. https://github.com/FiloSottile/mkcert

That link says "locally-trusted development certificates".
That's the same as a self-signed cert, as your own CA is signing the CSR certs and not a browser-trusted CA such as, for example, LetsEncrypt.
That link of mine also generates a CA key.

EDIT:
If I can understand it, and it's not too complicated, I like to be in control of my generated certs and not depend on a tool when I don't know what it's doing without inspecting all the code.

Ok. How do I add the SSL certificate then?

After the section "Self-sign and create the certificate: " from my link, you should have a CA san_domain_com.key file and a signed cert named san_domain_com.crt.
Do mind though I see an error/space missing in below command from that link:

openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key \
 -out san_domain_com.crt-extensions v3_req -extfile openssl.cnf

It should be:

openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key \
 -out san_domain_com.crt -extensions v3_req -extfile openssl.cnf

Once you have the .crt and .key files, you can do below to create the .pem file needed for lighttpd:

What should noads.dehakkelaar.nl be?

If you have configured the Pi-hole host with a FQDN (any name with at least one dot somewhere) it should/could be:

pi@noads:~ $ hostname -f
noads.dehakkelaar.nl

As an alias(SAN) domain, you could configure pi.hole (is also a FQDN) in the cert.

There are no errors in systemctl status but when I try to access the web interface it won't load. I'm using mkcert for the certificate and replaced noads.dehakkelaar.nl with pi.hole. I also tried adding the rootCA.pem file from mkcert but that didn't work either.

Tail the logs live while running the curl command:

sudo tail -f /var/log/lighttpd/{access,error}.log

Need to go.
Nighty night!

I added the mod_openssl line because running systemctl status lighttpd said it was missing.

I don't know what's bugging your setup now.
I am not familiar with mkcert.
And you deviate from what's common practice by wanting to have TLS/SSL without a domain name (common name or SAN).

The 301 reply in the logs means lighttpd is redirecting.
The curl command should tell you more about where it is redirecting to, e.g.:

curl -IvkL https://localhost

curl -IvkL https://[::1]

curl -IvkL http://pi.hole

curl -IvkL https://pi.hole

For above curling to pi.hole to work on the Pi-hole host, nameserver in /etc/resolv.conf needs to point to 127.0.0.1:

pi@noads:~ $ dhcpcd --dumplease eth0
[..]
domain_name_servers='127.0.0.1'

Also below might be useful to inspect the .pem file:

pi@noads:~ $ sudo openssl x509 -in /etc/lighttpd/certs/pi.hole.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            a0:81:de:d1:19:af:11:27
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = pi.hole
        Validity
            Not Before: Sep  8 20:18:09 2019 GMT
            Not After : Sep  5 20:18:09 2029 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = pi.hole
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:59:49:26:9a:ab:6e:a9:c7:b7:a9:6e:5f:e0:
                    9c:dc:a2:f8:6a:29:ce:9d:02:ed:85:24:1d:3d:c2:
                    51:cc:be:0e:11:b8:28:ea:47:ec:b5:d7:d7:b2:2a:
                    a7:5c:fb:05:3d:99:f6:fc:b3:6f:11:3e:e0:15:47:
                    fb:46:68:03:c2:ac:72:5b:0d:76:5d:1c:12:e9:1c:
                    8d:cc:9d:8d:c0:cd:a4:90:91:dc:33:4c:14:a2:05:
                    86:72:5c:86:42:3c:49:db:08:6d:4e:51:2c:c2:9f:
                    37:3b:bd:2c:7f:a2:2e:6f:3e:9c:69:fa:98:ab:1e:
                    c0:d0:f7:6d:9c:80:51:2c:ee:9e:e7:b8:76:89:04:
                    ff:ef:b4:4e:0b:ba:39:8e:c4:1a:88:be:09:46:d2:
                    fb:d2:63:47:b1:cc:cc:90:ce:c7:e4:f2:94:64:ce:
                    41:cd:c3:5a:16:16:00:da:88:4b:5f:21:d4:f2:56:
                    59:f0:b2:67:13:2a:49:42:77:47:f1:d6:29:bc:d5:
                    1f:56:89:3c:1c:4c:18:5c:3f:3b:1f:5e:7f:d8:da:
                    74:e6:e0:ca:a4:20:3a:9f:dd:37:9c:14:9c:4e:3b:
                    10:8a:a3:c9:44:b3:63:cf:74:0d:b1:62:69:73:f7:
                    78:22:e6:44:86:7a:ad:99:7f:78:6c:50:29:6f:d0:
                    79:ef
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         88:e6:b5:35:bd:e0:90:eb:c9:1a:65:2c:15:a5:f4:6a:f4:1e:
         37:08:2a:46:31:79:1d:c6:08:50:f3:1d:07:40:89:d5:cb:50:
         28:7b:f2:81:c6:4a:a2:a4:a2:c2:4f:09:d7:c6:0f:41:9e:43:
         f1:f7:4f:82:88:00:72:e8:0b:9f:00:e7:91:eb:b4:92:1c:07:
         29:5a:5c:f2:ed:f5:e4:72:17:a7:c6:d7:9b:66:c7:1c:f1:89:
         e7:50:93:0f:98:3d:24:8a:e0:d2:da:b8:13:bf:6f:95:d6:d8:
         9f:e5:70:be:3c:61:40:f2:8e:34:c7:84:7b:fd:2a:b9:f1:3c:
         6d:ee:e2:c0:94:4c:82:25:5f:90:84:6b:28:d5:cc:e9:ef:6f:
         a0:aa:c5:66:8c:0a:bb:a9:2b:83:ef:50:ea:5a:81:24:fb:5c:
         1f:ac:a2:10:c7:91:95:bc:9e:b1:2f:9c:cc:a5:ae:e9:5e:4e:
         df:bb:16:85:fd:aa:68:ce:d1:f1:9c:a9:63:cf:1b:2a:7e:3a:
         73:74:12:bb:01:af:85:65:59:be:50:5f:69:5b:3b:1b:89:cb:
         b2:2a:0f:4f:7e:0f:3e:e7:dd:10:3d:fe:31:8e:ff:f4:ea:5d:
         cf:7e:1f:be:9c:c4:a2:83:15:77:95:db:77:bc:b7:7d:aa:a2:
         7e:42:f4:4e

Important bits from above cert are the Subject CN (common name);
SAN if any (above cert is no SAN cert though);
and the "Validity" period.

P.S. When posting output here, could you copy text instead of screenshots and enclose the code with the </> button before posting here, please?

EDIT: added some
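
The SAN approach discussed in this thread, as an added example that is not part of any post and not Pi-hole's or mkcert's own code: it creates a self-signed certificate for pi.hole with a Subject Alternative Name, builds a combined key and certificate .pem, and checks the points called out above (names covered, key and certificate pairing). It assumes OpenSSL 1.1.1 or newer; the alias noads.example, the file names and the key-then-certificate layout of the .pem are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): self-signed cert for pi.hole with SANs.
# Assumes OpenSSL 1.1.1+ (for -addext); file names are illustrative.
set -eu

# make_cert DIR NAME [ALT...] -> DIR/NAME.key, DIR/NAME.crt, DIR/NAME.pem
make_cert() {
    out_dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for alt in "$@"; do san="$san,DNS:$alt"; done
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -keyout "$out_dir/$cn.key" -out "$out_dir/$cn.crt" 2>/dev/null
    # Combined key + certificate file (assumed layout for lighttpd's ssl.pemfile).
    ( umask 077; cat "$out_dir/$cn.key" "$out_dir/$cn.crt" > "$out_dir/$cn.pem" )
}

# san_names PEM -> comma-separated SAN entries, empty if the cert has none
san_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n1 | tr -d ' '
}

# cert_matches PEM HOST -> success if the certificate is valid for HOST
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# key_matches PEM -> success if the private key and certificate in PEM pair up
key_matches() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$1" -noout -pubkey)" ]
}

# Demo in a throwaway directory; noads.example is a constructed alias.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" pi.hole noads.example
echo "SAN: $(san_names "$demo_dir/pi.hole.pem")"
cert_matches "$demo_dir/pi.hole.pem" pi.hole && echo "pi.hole: match"
key_matches "$demo_dir/pi.hole.pem" && echo "key and certificate match"
rm -rf "$demo_dir"
```

An empty result from san_names on an existing .pem means the certificate carries no SAN extension, as with the Version 1 certificate shown above.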
