If you are trying to use pihole as a DNS-over-TLS endpoint, here is how I did it, in the lightest weight way possible. Using stunnel. Why stunnel? Because it is the simplest, lightest weight solution that purely acts as a SSL/TLS termination layer and from there on it is just a TCP proxy. That means it is much more lightweight than a full blown web server like nginx which is commonly used for this.
stunnel terminates incoming TLS connection, and forwards TCP to FTL, presumably running on localhost:53. You can then point your various devices at it (e.g. Android 9+ supports DoT as "private DNS" under advanced settings.
# cat /etc/stunnel/dot.conf
pid = /var/run/stunnel-dot.pid
[dot]
accept = 853
sslVersion = TLSv1.2
connect = 127.0.0.1:53
cert = /etc/letsencrypt/live/pihole.my.domain/fullchain.pem
key = /etc/letsencrypt/live/pihole.my.domain/privkey.pem
CAfile = /etc/pki/tls/certs/ca-bundle.crt
CApath = /etc/pki/tls/certs