Pihole FQDN with Caddy reverse proxy SSL issues


I have been using Pihole for about a year now and recently I'm trying to finally move everything to Caddy. So far I have everything except Pihole moved; I still access it through the IP address. After upgrading to V6, I now have to use port 8080 (although I don't have anything running on 80 except for pihole itself, since the LXC is dedicated to it, but that doesn't really matter), so I figured now would be a good time to get a FQDN for it.

I've tried adding both an A record and a CNAME to point internal-pihole.smoochii.dev -> caddy.smoochii.dev (and caddy's internal IP).

I set up Caddy with the following (I'm using Cloudflare for certs):

internal-pihole.smoochii.dev {
    redir / /admin{uri}
    reverse_proxy https://192.168.10.117
    import cloudflare
}

When I go to the domain I just get an error: "This site can't provide a secure connection". Do I need to remove the self-signed cert that is supplied with pihole?

Trying to find the debug token I actually did see this in the error logs: SSL/TLS certificate /etc/pihole/tls.pem does not match domain internal-pihole.smoochii.dev!

Debug Token:

https://tricorder.pi-hole.net/IaP0Ls06/

Trying to find the debug token I actually did see this in the error logs: SSL/TLS certificate /etc/pihole/tls.pem does not match domain internal-pihole.smoochii.dev!

That should be all you need to know - check the certificate for the correct Subject and Subject Alternative Name. If your server is named internal-pihole.smoochii.dev then your Subject and Subject Alternative Name on the certificate should match that.


Sorry, this is on the pihole-generated certificate? Am I able to use the LE certificate that is made by caddy?

I do not use caddy, but it seems that you are pointing caddy to the https port on pihole, and it's got two certificates overlapping with each other.

Try changing reverse_proxy https://192.168.10.117 to reverse_proxy http://192.168.10.117 assuming that IP is your pihole, and see how that works for you.

Please note that this will terminate SSL encryption at caddy, and send over plain http through your LAN.

Yes, I've tried both HTTP and HTTPS and they both give me the same SSL certificate error.

Wait, I may be a liar. I swear I tried this before but now it's working :sweat_smile:


Yes, I've tried both HTTP and HTTPS and they both give me the same SSL certificate error.

On another computer besides the pihole, what is the output of nslookup internal-pihole.smoochii.dev? To keep things simple, please keep the caddy configuration pointing to pihole's http port.

Are you able to provide more information on the certificate error? Generally, if you click the lock in the top left of the browser it may show additional information about the certificate.

Your debug log shows Pi-hole is using port 8080 for http and 443 for https.

Can you access using http://192.168.10.117:8080/admin and https://192.168.10.117/admin?

If you want to revert to port 80, use:

pihole-FTL --config webserver.port '80o,[::]:80o,443so,[::]:443so'
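Putting the two suggestions above together, here is an added example of the resulting Caddy site block (this is not config from the original post or from the Pi-hole or Caddy projects). It assumes the Pi-hole LXC is still at 192.168.10.117 with the v6 web server on 8080 (HTTP) and 443 (HTTPS), and that the `cloudflare` snippet imported in the original config is defined elsewhere in the Caddyfile. The first block is what the thread converged on: TLS from the browser terminates at Caddy with the certificate Caddy obtained for internal-pihole.smoochii.dev, and the hop to Pi-hole is plain HTTP inside the LAN. The second block is the alternative if that LAN hop must stay encrypted: Caddy then talks to Pi-hole's HTTPS listener, which presents the self-signed /etc/pihole/tls.pem, and Caddy's upstream certificate verification will reject it unless you either make Caddy trust that file or, as shown, disable verification for that upstream only.

```caddyfile
# Option 1 (what the thread settled on): terminate TLS at Caddy,
# proxy to Pi-hole's HTTP port. The browser only ever sees Caddy's
# Cloudflare-issued certificate, so Pi-hole's tls.pem is never
# presented to the client and the "does not match domain" warning
# stops mattering for this hostname.
internal-pihole.smoochii.dev {
    import cloudflare            # assumed snippet: Cloudflare DNS challenge / cert settings
    redir / /admin{uri}          # only the bare "/" is redirected to /admin/
    reverse_proxy http://192.168.10.117:8080
}

# Option 2 (alternative, not used in the thread): keep the LAN hop
# encrypted by proxying to Pi-hole's HTTPS listener. Caddy validates
# the upstream certificate by default; the self-signed tls.pem fails
# that check, so verification for this one upstream is switched off.
# This trades away authentication of the Pi-hole host on the LAN,
# which is only sensible when you trust that network segment.
# Replace the hostname below with one you actually use; it must
# differ from the one above or Caddy will refuse to start.
internal-pihole-direct.smoochii.dev {
    import cloudflare
    redir / /admin{uri}
    reverse_proxy https://192.168.10.117:443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}
```

If you only need one of the two behaviours, keep a single site block under the real hostname; the second hostname exists only so the two options can sit in one file for comparison.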

Awesome, thanks! Changed both ports and Caddy, my reverse proxy with Tailscale, is happy about the changes! Now lighttpd can be removed entirely, after many, many years of usage.

