Questions about using "Let's Encrypt" to enable HTTPS for the Pi-hole Web Interface

Expected Behaviour:

I am trying to learn how to use "Let's Encrypt" to enable HTTPS for the Pi-hole Web Interface, as mentioned here

Actual Behaviour:

No idea how to proceed.

2 questions:

I have been told that in order to use "Let's Encrypt" to secure Pi-hole, all I need is a domain name and a working Pi-hole.

My first question is can I use free domain names from any of these websites?

.tk , .ml, .ga, .cf, and .gq from Free and paid domains

www.wordpress.com --- subdomain , e.g. encrypting.wordpress.com
www.weebly.com --- subdomain , e.g. encrypting.weebly.com
www.wix.com --- subdomain , e.g. encrypting.wix.com

Another question is after I have a free domain name, do I host it using Raspberry Pi by making Raspberry Pi my Raspberry Pi Web Server / hosting provider, as shown in Build your own Raspberry Pi Web Server - Pi My Life Up?

Please advise.

Thanks a million.

To use Letsencrypt you just need to have access to your DNS records for your domain. Most if not all hosting providers will let you add DNS records to your domain through them. I'm not sure about those free providers, but if they allow you to set DNS then just do the following:

Assuming your domain is "example.com" and you want to request a cert for "encrypting.example.com":

  • Create a DNS record with "A" type and set the value to the public IP of the raspberry pi (probably your home public IP). Note that ports 80 and 443 need to be forwarded to the pi's internal (private) IP address on your router (usually something like "NAT" or "inbound NAT"), if your pi is behind a router.
  • Follow the instructions from Letsencrypt using the certbot tool: Certbot - Debianstretch Other

Also, my specific instructions in that thread (in the link you posted) are for the lighttpd configuration, if you have multiple hostnames in the certificate (using SAN -- Subject Alternate Name fields). In my specific case I used my own internal CA (not Letsencrypt) to generate the certificate, since it's just for a local (non-internet) DNS name.

I use https://github.com/Neilpang/acme.sh with CloudFlare DNS, you don't need to open any ports:

acme.sh --issue -d my.com -d '*.my.com' --dns dns_cf

Done :grin:

Hi elie195,

Thank you very much for your prompt reply.

I have a couple more questions:

You said
"Create a DNS record with “A” type and set the value to the public IP of the raspberry pi"

I assume that means whenever there is a change in my home public IP (e.g. due to a change of my internet service provider (ISP)), I also have to change the "value to the public IP of the raspberry pi" in my domain name account again?

Am I correct?

i.e.

For example, let's say my home public IP is, according to https://whatismyipaddress.com/, 103.210.75.11

Whenever I change my ISP, I need to go to my domain name account DNS record "A" type and set the value to the new public IP of the raspberry pi, right?

Is that the only change required?

Or I also have to run certbot again and go through the installation of Let's Encrypt again whenever there is a change in my home public IP ?

Please advise.

Thanks a million.

Yes, that is mostly correct. You'll need to update the DNS record anytime your public IP changes. HOWEVER, there is an alternative that only requires you to update the IP every 2-3 months instead, and this alternative happens to be more secure, so I would recommend it.

My alternative suggestion is to only have your DNS record point to your public IP while you're requesting the certificate from Letsencrypt (running certbot). Once you have obtained the certificate (and configured pihole to use it, as described in the first post in the other thread), I would suggest changing the DNS record to point to the pihole's local IP (192.168.1.50 for example) instead of your public IP. This way, the pihole has a valid/trusted certificate, BUT it is only accessible on your local LAN, and not accessible from the internet, which makes more sense security-wise.

Then you'll just need to update the DNS to your public IP every 2-3 months, essentially whenever you need to renew the Letsencrypt cert (by re-running certbot). Then of course once you've renewed the cert, you can change the DNS back to the private IP of the pihole.

If you want to keep your pihole accessible from the internet for some reason (and therefore keep using the public IP in the DNS record), you can check out some dynamic DNS providers, some of which can automatically detect that your public IP changed and automatically update the DNS record with your new IP. No-IP Free - Dynamic DNS - Create a Free DDNS Account Now - No-IP is one such provider. Again though, I don't recommend permanently setting the DNS to your public IP for security reasons, unless you have a good reason for doing so.

Why do it manually, when you can make it 100% automatic?

Hi Tntdruid ,

Thank you very much for your replies .

Sorry I failed to acknowledge your help earlier.

I am still working my way through the initial stages of getting a free domain name and making adjustments to it.

I haven't gotten to the part where the use of https://github.com/Neilpang/acme.sh has come into play yet.

Some thoughts I do have now about this https://github.com/Neilpang/acme.sh that you recommended:

Since I am not very good with using https://github.com yet , I wonder how safe it is to use any script or software from https://github.com ?

I have briefly looked through the installation instructions at https://github.com/Neilpang/acme.sh .

It appears a bit daunting to me with the different Linux commands for different scenarios.

Right now I only have a simple working Pi-hole in a Raspberry Pi connected to my router and using Cloudflare as the upstream DNS provider.

So I need to take a better look to see which part of it applies to me.

Thank you very much for pointing me to this acme.sh script.

Just to add my 2 cents here:

  1. Your question about Github.com and scripts being legit/safe is valid and a good one. Most people will recommend that you read through scripts from the internet to ensure you know what it is doing. But, this script is ok and you shouldn't have to worry.

  2. As everyone else has stated, you will need to own the domain name you want to use for your home. So, if you want to use pihole.bill2.org then you will need to make sure you own bill2.org. Couple of ways of doing that.

  3. Acme is confusing, not going to lie, because it just assumes you understand what it does. I had a bit of a problem wrapping my head around it. There are a lot of posts out there but I found these useful:
     How to issue a Let's Encrypt Wildcard SSL certificate with Acme.sh - VirtuBox
     Using acme.sh to generate LetsEncrypt certificates | by Adoni Pavlakis | Medium

  4. You will need to look in acme.sh/dnsapi at master · acmesh-official/acme.sh · GitHub for your DNS Provider and just make sure you're using this in your script.

  5. Now, once you have used acme.sh to issue your keys, the way I do it is to export them:
     acme.sh --install-cert -d '*.bill2.org' --key-file ~/bill2key.pem --cert-file ~/bill2certfile.pem --fullchain-file ~/bill2ca.pem
     This will create the files.

To add to PiHole -> there's a great FAQ in the PiHole discourse section:

Now, personally? Do you NEED TLS if the PiHole web interface is ONLY accessed when you're at home? Prob not. BUT, it's not a bad idea if you're super concerned about security AND (in my opinion) it's fun!

Hope I helped in clearing up some uncertainties!

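An added example (mine, not code from this thread, from Pi-hole or from acme.sh) for the step after point 5 above: turning the three files acme.sh exports into what Pi-hole's lighttpd expects. It assumes the layout used in Pi-hole's HTTPS FAQ, where lighttpd's ssl.pemfile holds the private key followed by the leaf certificate in one file and ssl.ca-file holds the issuing chain; if your lighttpd version or FAQ revision differs, adjust accordingly. The two things it guards against are the ones that produce a silently broken HTTPS listener or a leaked key: a truncated or swapped PEM file, and a combined key file that is readable by everyone for a moment. The PEM texts are constructed placeholders with dummy base64 bodies, not real keys or certificates.

```python
"""
Assemble the files Pi-hole's lighttpd needs from what acme.sh --install-cert
writes out, and sanity-check them before reloading the web server.

Added example, not code from the thread, Pi-hole, or acme.sh. Assumes the
layout in Pi-hole's HTTPS FAQ: ssl.pemfile = private key + leaf certificate,
ssl.ca-file = issuing chain. KEY_PEM and FULLCHAIN_PEM are constructed
placeholders with dummy bodies, not real keys or certificates.
"""
import os
import re
from typing import List, Tuple

# One PEM block: the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) pairs for every complete block in the text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def _check_complete(text: str, what: str) -> None:
    """A BEGIN with no matching END (truncated copy, failed write) is the
    usual reason lighttpd refuses to start after a renewal."""
    if text.count("-----BEGIN ") != len(pem_blocks(text)):
        raise ValueError(f"truncated PEM block in {what}")


def _render(blocks: List[Tuple[str, str]]) -> str:
    return "".join(f"-----BEGIN {lbl}-----\n{body}\n-----END {lbl}-----\n" for lbl, body in blocks)


def build_lighttpd_files(key_pem: str, fullchain_pem: str) -> Tuple[str, str]:
    """Return (combined_pem, ca_pem).

    combined_pem: private key + leaf certificate, for ssl.pemfile
    ca_pem:       the intermediates, for ssl.ca-file
    Raises ValueError if the inputs are swapped, truncated, or missing a key.
    """
    _check_complete(key_pem, "key file")
    _check_complete(fullchain_pem, "fullchain file")
    keys = [b for b in pem_blocks(key_pem) if b[0] in KEY_LABELS]
    certs = [b for b in pem_blocks(fullchain_pem) if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block in fullchain file")
    leaf, intermediates = certs[0], certs[1:]  # fullchain order is leaf first
    return _render(keys) + _render([leaf]), _render(intermediates)


def write_private(path: str, content: str) -> None:
    """Create the file with mode 0600 from the first byte, so the key is never
    briefly world-readable, and refuse to write through a pre-existing symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)


# Constructed stand-ins for ~/bill2key.pem and ~/bill2ca.pem from point 5.
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END PRIVATE KEY-----\n"
FULLCHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n"
)


def demo() -> dict:
    combined, ca = build_lighttpd_files(KEY_PEM, FULLCHAIN_PEM)
    return {
        "combined_labels": [lbl for lbl, _ in pem_blocks(combined)],
        "ca_labels": [lbl for lbl, _ in pem_blocks(ca)],
    }


if __name__ == "__main__":
    combined, ca = build_lighttpd_files(KEY_PEM, FULLCHAIN_PEM)
    write_private("combined.pem", combined)  # goes where ssl.pemfile points
    with open("ca.pem", "w") as f:           # goes where ssl.ca-file points
        f.write(ca)
    print(demo())
```

In practice this is what you would hang off acme.sh's --reloadcmd on --install-cert, so it runs on every automatic renewal and lighttpd is restarted only after the files have been checked.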

Hi eztheog ,

Thank you very much for adding to this thread.

It has definitely cleared up some of the questions I had.

I definitely need all the help I can get because I am still reading up on A record and port forwarding 80 and 443 etc.

This project will help me understand Certificate Authority and domain name and DNS management and port forwarding and some other basic networking concepts.

I plan to write a step by step tutorial on this topic for dummies like me once I am successful with this project.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.