Include ca certificate in self signed

Meierschlumpf · May 3, 2025, 11:06am

Hey, it would be great, if the ca certificate could be included as issuer in the self signed certificate that is created. Because right now apps like Homarr won't be able to fetch the ca certificate from the pi-hole instance, which leads to a lot of users having issues with adding Pi-hole to the trust store of Homarr. If the certificate would be included in the self signed one, we could fetch the certificate and add the trust of the ca directly, if the user wants so.

DL6ER · May 21, 2025, 12:58pm

Maybe I do not understand what you are asking for here. When you look into /etc/pihole/tls.pem, you'll see it contains the certificate as well as the private key. What would be needed in addition? I have never heard about Homarr before and I hope you understand that I don't really have the time ti setup such an instance for myself for checking this.

That's why I'm asking what you'd expect to see in this file in addition to what is in there now.

Ladrien · May 21, 2025, 5:28pm

It's a self-signed certificate, meaning there is no Certification Authority for it. The certificate is it's own authority.

If you need more flexibility with your certificates, I suggest creating your own certification authority.

Meierschlumpf · May 21, 2025, 7:11pm

Hey, thank you for your response.
Homarr is one of those dashboard apps people use to have a single place to go to all their self hosted software and has an integration for Pi-Hole. The "problem" is not, that I as a single user am unable to get my certificate and rather, that our users need to add the certificate to Homarr so the Pi-Hole instance is trusted by our app. But because their is a tls.crt and a tls_ca.crt, Homarr is unable to fetch the certificate through a simple request as it only returns the tls.crt. So there is no possibility to trust the tls_ca.crt without the user manually retrieving it from the file system. That said, I completely understand if this feature will not be worked on and it was just an idea to make it possible for apps that integrate Pi-Hole to simplify the process of trusting the ssl certificate.

Thank you for your work on this software, appreciate it

Ladrien · May 21, 2025, 9:10pm

I see. My apologies, it does seem there are two certificates that pi-hole uses, which would indicate a Certification Authority.

root@****:/etc/pihole# openssl verify tls.crt
CN = pi.hole
error 20 at 0 depth lookup: unable to get local issuer certificate 
error tls.crt: verification failed`
root@*****:/etc/pihole# openssl verify tls_ca.crt
CN = pi.hole, O = Pi-hole, C = DE
error 18 at 0 depth lookup: self-signed certificate
error tls_ca.crt: verification failed

Failing validation for the CA certificate is normal since it's self-signed. The problem I believe @Meierschlumpf is referring to is this: error 20 at 0 depth lookup: unable to get local issuer certificate when trying to validate the self-signed certificate. Essentially there is no way to obtain the Certification Authority's certificate to validate the chain.

There are realistically two options to take:

Adjust the certificate generation to only generate the self-signed certificate; without the tls_ca.crt
Add the Authority Information Access (AIA) extension to the self signed certificate, and publish the CA's public key to the pi-hole's web server. When clients connect to pi.hole, they will download the CA's certificate at the same time.

It looks like mbedtls supports extensions via this function.

Either option looks feasible, but for simplicity's sake I think the first option might be better here.

DL6ER · May 22, 2025, 9:27am

The tls_ca.crt is just an extra file. You can grab this file and add it as trusted to your browser directly so the browser can validate the certificate, cfm. TLS/SSL - Pi-hole documentation
Hence, removing this file seems wrong.

Even when we add this AIA extension and browsers manage to download the CA ... why should they trust it? Doing this by default seems wrong and a super easy attack vector for servers hosted by malicious parties. Note that the CA generated by Pi-hole for you locally on your machine is obviously not related to any other upstream CA and, hence, not automatically trustworthy.

Ladrien · May 22, 2025, 6:09pm

Removing the file would definitely break some things for people, I was suggesting a rewrite of the mbed functions to only create the one certificate, without a CA. This is the most elegant solution to this self-signed problem, IMO.

If a malicious party were to host a pi-hole server, there's nothing to stop them from adding their own certificate with an AIA extension regardless. The only thing that AIA extensions provide is forwarding the full certificate chain to computers that connect to the pi-hole webUI; instead of the broken chain with only the self-signed certificate. If the user/computer connecting wants to write a program to automatically trust the CA from pi-hole, that's on them.

AIA extensions are ubiquitous, even the Let's Encrypt certificate for this discourse site has one; although I believe it's a bit too complex for something like pi-hole. There is another option that I did not mention, which would be to bundle the CA certificate in with the tls.crt. I am not sure how feasible this would be with mbedtls.

Ladrien · May 23, 2025, 7:35pm

@DL6ER I've just tested, all you'd have to do is append the CA cert to the tls.pem file

root@****:/etc/pihole# cat tls_ca.crt >> tls.pem

DanSchaper · May 23, 2025, 8:45pm

That will take an enormous amount of convincing to get me to do that.

Ladrien · May 23, 2025, 9:03pm

What're your concerns? It's not the CA's private key that's being shown, merely the public key to prove the chain is valid.

As a side note - looking over the certificate generation code, the CA's private key is not saved anywhere - meaning you can't renew the webserver's certificate unless you regenerate the CA

github.com/pi-hole/FTL

src/webserver/x509.c

a3313229c


      
          		printf("mbedtls_x509write_crt_set_subject_alternative_name returned %d\n", ret);
          
          	// Export certificate in PEM format
          	if((ret = mbedtls_x509write_crt_pem(&server_cert, cert_buffer, sizeof(cert_buffer),
          	                                    mbedtls_ctr_drbg_random, &ctr_drbg)) != 0)
          	{
          		printf("ERROR: mbedtls_x509write_crt_pem returned %d\n", ret);
          		return false;
          	}
          
          	// Create file with CA certificate only
          	write_to_file(certfile, "CA certificate", "_ca.crt", (char*)ca_buffer, NULL);
          
          	// Create file with server certificate only
          	write_to_file(certfile, "server certificate", ".crt", (char*)cert_buffer, NULL);
          
          	// Write server's private key and certificate to file
          	write_to_file(certfile, "server key + certificate", NULL, (char*)cert_buffer, (char*)key_buffer);
          
          	// Free resources
          	mbedtls_x509write_crt_free(&ca_cert);

DanSchaper · May 23, 2025, 9:07pm

I'm not going to tie running Pi-hole on a local network to anything external for general use. I'm not going to publicly avow that a CA should be trusted. I'm not going to require that Pi-hole contain any kind of call-home code to operate.

Ladrien · May 23, 2025, 9:16pm

Those are valid concerns. In hindsight, adding an AIA extension was a bad recommendation for a project like this.

I've offered two other recommendations to fix the certificate chain, however. There's no calling home or externally, all it does is complete the certificate chain, as it should.

Adding the CA's public key to pi-hole's webserver certificate does NOT create a security hole as it stands currently. As per the code above, you never save the CA's private key. Even if pi-hole's CA file were compromised, there's nothing that anyone can do with it, as there's no private key to issue any further certificates with.

Edit: I'll make a pull request for it when I get home.

Ladrien · May 24, 2025, 1:56am

github.com/pi-hole/FTL

Adjust write_to_file function to include the CA certificate

development ← nathansmeal:development

opened 01:56AM - 24 May 25 UTC

nathansmeal

+16 -4

Adjust write_to_file to include the CA certificate if provided ## Thank you f…or your contribution to the Pi-hole Community! Please read the comments below to help us consider your Pull Request. We are all volunteers and completing the process outlined will help us review your commits quicker. **Please make sure you** 1. Base your code and PRs against the repositories developmental branch. 2. [Sign Off](https://docs.pi-hole.net/guides/github/how-to-signoff/) all commits as we enforce the [DCO](https://docs.pi-hole.net/guides/github/dco/) for all contributions 3. [Sign](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) all your commits as they must have verified signatures 4. File a pull request for any change that requires changes to [our documentation](https://docs.pi-hole.net/) at our [documentation repo](https://github.com/pi-hole/docs) --- **What does this PR aim to accomplish?:** Fixes the broken chain in pi-holes web server certificate by appending the CA into the certificate file **How does this PR accomplish the above?:** Adjusts the write_to_file function to include the CA certificate, and also appends the certificate into the webserver's certificate file to complete the chain --- **By submitting this pull request, I confirm the following:** 1. I have read and understood the [contributors guide](https://docs.pi-hole.net/guides/github/contributing/), as well as this entire template. I understand which branch to base my commits and Pull Requests against. 2. I have commented my proposed changes within the code and I have tested my changes. 3. I am willing to help maintain this change if there are issues with it later. 4. It is compatible with the [EUPL 1.2 license](https://opensource.org/licenses/EUPL-1.1) 5. I have squashed any insignificant commits. ([`git rebase`](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html)) 6. I have checked that another pull request for this purpose does not exist. 7. I have considered, and confirmed that this submission will be valuable to others. 8. I accept that this submission may not be used, and the pull request closed at the will of the maintainer. 9. I give this submission freely, and claim no ownership to its content. --- - [ x ] I have read the above and my PR is ready for review. *Check this box to confirm*

DL6ER · May 24, 2025, 6:58am

Thank you. It was a clearly forgotten when designing the self-signed certificate generation code. Already merged into development and will be part of the next Pi-hole FTL release.