TLS connection to pihole v6 works with my own certificate as described in the documentation section.
Actual Behaviour:
TLS certifcate placed under /etc/pihole as pihole.pem is not used. There is no TLS connection to pihole v6.
What happened:
My TLS connection worked with pihole v5 as it ran with the lighttpd server. So as required I copied that PEM-format file to /etc/pihole where it is readable and writable to the pihole user.
It contains the following entries: -----BEGIN PRIVATE KEY-----
Private RSA key part of pihole -----END PRIVATE KEY----- -----BEGIN CERTIFICATE-----
Public RSA key part of pihole -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
Public CA key part of certificate chain -----END CERTIFICATE-----
I did place the file in /etc/pihole as pihole.pem and also tried the tls.pem file. I did set the parameter as shown directly below for each file name (this one shows the second attempt): [webserver.tls] cert = "/etc/pihole/tls.pem"
After setting the config file I restarted the pihole each time.
But it never uses the certificate and there is no TLS connection.
I also tried to remove the CA section from the pem file. But that didn't work either.
I have this exact same issue. Nobody seems to know how to resolve it but I have seen a few posts that look similar.
Like you I moved my old pihole .pem file over and pointed version 6 to it... then the web UI stopped loading and I had to revert it back to the default tls.pem and web UI comes right up again.
I tried generating a new cert with EC like the tls.pem and that didnt work either, its like it has a problem with the cert/pem file I am pointing it to but its a standard x.509 certificate file which worked on the previous Pi-Hole installs.
hostname match on new cert
path is simply /etc/pihole/mynewcert.pem
permissions are set the same as the default tls.pem
This should be simple and just work but I am at a loss, did you ever get yours to work?
I'm running Pi-Hole on a Ubunu bare and AdGuardhome on a RPi Zero. I generated a cert. from LE with my domain for the AGH. With v6.0 I decided to use the same cert. by copy the 2 pem files (fullchain and privkey) to Ubuntu running Pi-Hole v6.0. After copying the files, combine them into a single PEM file (server.pem), then move it to /etc/pihole
Edit the Pi-hole configuration to use the new SSL certificate - sudo nano /etc/pihole/pihole.toml
Changed - domain = "yourdomain.net" and cert = "/etc/pihole/server.pem"
Restart Pi-Hole
I can securely access both AGH (443) and Pi-Hole (8443) using the same domain name using diff. port
Yep! those are the steps I am following (using an internally generated cert from my own internal pki CA). Once I got it to half way work (it somehow for some reason took the PEM i pointed it to, and then generated it's own
2025-02-20 19:53:14.897 UTC [25318M] INFO: Created SSL/TLS certificate for pidns2.orth at /etc/pihole/ortho.pem
2025-02-20 19:53:14.897 UTC [25318M] INFO: Reading certificate from /etc/pihole/ortho.pem ...
2025-02-20 19:53:14.897 UTC [25318M] INFO: Using SSL/TLS certificate file /etc/pihole/ortho.pem
The heck? "created certificate"? thats the one I made and pointed it to its like it recreated it?! and then it also created a ortho_ca.crt and ortho.crt in there... this is all well and good thanks for doing that Pi-Hole... but.... I still cannot get valid HTTPS with YOUR CA,
I am at a loss, its not behaving like anything else that uses HTTPS certs
When I try and use my cert instead of the default tls.pem the log file just says this:
Yea....that is strange. I had read a post earlier yesterday with someone having issue with using own cert. The developer was able to resolve by checking his crypto key or something like that. Try looking at this post he is getting the same error SSL Cert - General / Beta 6.0 - Pi-hole Userspace
I saw that one too, I am wondering if there is a similar issue with mine. I am using a PaloAlto firewall to generate the certs and possibly it does something a bit different (it does not have things like org unit, address, location, etc in the certs)
in that post "Probably a certificate error. Maybe going back in and checking the concatenation. The key should be at the end of the file." and solution was
Edit: Got it working. It was because the cat command didn't work when copying over the private key. Was getting the error of -bash: /etc/pihole/server.pem: Permission denied
These 2 commands worked for me on Ubuntu 24.04:
sudo cp /etc/letsencrypt/live/pihole.domain.com/fullchain.pem /etc/pihole/server.pem
sudo cat /etc/letsencrypt/live/pihole.domain.com/privkey.pem | sudo tee -a /etc/pi
Saw that one too, I have tried the key and the top and at the bottom, it does not seem to matter for all other things but I am trying anything at this point. it did not make any differences.
Right now I have just disabled 443 and I will try to troubleshoot it later if i can think of anything new to try.
sidenote: After disabling 443 in the config the web UI is like 100x faster and does not lag anymore, not sure why having it open and bind to 443 would cause so much slowness but I am also seeing others reporting this as well with 443 so i guess one positive spin is that its snappy and fast for me now
I did get it working now. I recreated the cert for fun the same way as I created the old one. I use openssl for that as I created my CA with that one. Then I do this: cat pihole_priv.pem pihole_pub.pem ca_pub.pem > /etc/pihole/pihole.pem
Then restarted the pihole service once more. Then accessed the web page again. And this time it worked. Don't ask me what was different this time. Very strange, because lightttpd worked with the old certificate as well.
wow just for fun i did EXACTLY what you did and even used the same name for each of the pems and still get the same error "unable to initialize SSL context" back to the drawing board
Then I emptied the client browser cache and loaded up the pi-hole local URL. If you don't change the piholePTR, pihole will report an error in the logs.
I have tried key and cert then i tried key cert and CA, then i tried importing CA into server's keystore and then key+cert, no luck. Key HAS to be decrypted right? because there is no password entry or prompt for the key in Pi-Hole anywhere
I even combed thru the pem file to make sure there were no stray lines/spaces/carriage returns/etc
I was trying to find out why I was using the .fullchain vs the .crt - and I couldn't find the link. And most of the other resources looked like they were using .key + .crt = combined.pem .
