If you are trying to use Pi-hole as a DNS-over-TLS endpoint, here is how I did it in the lightest-weight way possible: using stunnel. Why stunnel? Because it is the simplest, lightest-weight solution that purely acts as an SSL/TLS termination layer, and from there on it is just a TCP proxy. That means it is much more lightweight than a full-blown web server like nginx, which is commonly used for this.
stunnel terminates the incoming TLS connection and forwards TCP to FTL, presumably running on localhost:53. You can then point your various devices at it (e.g. Android 9+ supports DoT as “private DNS” under advanced settings).
    # cat /etc/stunnel/dot.conf
    pid = /var/run/stunnel-dot.pid

    [dot]
    ; listen for DNS-over-TLS clients on TCP 853
    accept = 853
    sslVersion = TLSv1.2
    ; forward the decrypted DNS-over-TCP stream to FTL on localhost
    connect = 127.0.0.1:53
    cert = /etc/letsencrypt/live/pihole.my.domain/fullchain.pem
    key = /etc/letsencrypt/live/pihole.my.domain/privkey.pem
    CAfile = /etc/pki/tls/certs/ca-bundle.crt
    CApath = /etc/pki/tls/certs