Self-Signed SSL Certificate - How/Where?

Blockhead · October 11, 2023, 7:48pm

I haven't been able to access https://pi.hole/admin. It gives a timeout error. http://pi.hole/admin works fine

I did notice that the announcement indicated:

"HTTPS support baked into FTL

You can, of course, use a reverse proxy to handle HTTPS for your web interface, but FTL can also handle HTTPS connections. You can provide your own certificates, but FTL will also generate a self signed one if none is provided."

I've checked pihole.toml, and my domain is set to "pi.hole", and port is set to "80,[::]:80,443s,[::]:443s"

Not sure where to find the SSL certificates with the embedded webserver, or how to provide my own certificate. Are there instructions for that yet? I'm only seeing for instructions for lighttpd.

yubiuser · October 11, 2023, 7:49pm

This should be 80,[::]:80,443s,[::]:443s
(see the additional s)

DL6ER · October 11, 2023, 7:51pm

The default should be correct:

github.com/pi-hole/FTL

src/config/config.c

80d4a0efe


      
          	conf->webserver.acl.h = "Webserver access control list (ACL) allowing for restrictions to be put on the list of IP addresses which have access to the web server. The ACL is a comma separated list of IP subnets, where each subnet is prepended by either a - or a + sign. A plus sign means allow, where a minus sign means deny. If a subnet mask is omitted, such as -1.2.3.4, this means to deny only that single IP address. If this value is not set (empty string), all accesses are allowed. Otherwise, the default setting is to deny all accesses. On each request the full list is traversed, and the last (!) match wins. IPv6 addresses may be specified in CIDR-form [a:b::c]/64.\n\n Example 1: acl = \"+127.0.0.1,+[::1]\"\n ---> deny all access, except from 127.0.0.1 and ::1,\n Example 2: acl = \"+192.168.0.0/16\"\n ---> deny all accesses, except from the 192.168.0.0/16 subnet,\n Example 3: acl = \"+[::]/0\" ---> allow only IPv6 access.";
          	conf->webserver.acl.a = cJSON_CreateStringReference("<valid ACL>");
          	conf->webserver.acl.f = FLAG_ADVANCED_SETTING;
          	conf->webserver.acl.t = CONF_STRING;
          	conf->webserver.acl.d.s = (char*)"";
          
          	conf->webserver.port.k = "webserver.port";
          	conf->webserver.port.h = "Ports to be used by the webserver.\n Comma-separated list of ports to listen on. It is possible to specify an IP address to bind to. In this case, an IP address and a colon must be prepended to the port number. For example, to bind to the loopback interface on port 80 (IPv4) and to all interfaces port 8080 (IPv4), use \"127.0.0.1:80,8080\". \"[::]:80\" can be used to listen to IPv6 connections to port 80. IPv6 addresses of network interfaces can be specified as well, e.g. \"[::1]:80\" for the IPv6 loopback interface. [::]:80 will bind to port 80 IPv6 only.\n In order to use port 80 for all interfaces, both IPv4 and IPv6, use either the configuration \"80,[::]:80\" (create one socket for IPv4 and one for IPv6 only), or \"+80\" (create one socket for both, IPv4 and IPv6). The + notation to use IPv4 and IPv6 will only work if no network interface is specified. Depending on your operating system version and IPv6 network environment, some configurations might not work as expected, so you have to test to find the configuration most suitable for your needs. In case \"+80\" does not work for your environment, you need to use \"80,[::]:80\".\n If the port is TLS/SSL, a letter 's' must be appended, for example, \"80,443s\" will open port 80 and port 443, and connections on port 443 will be encrypted. For non-encrypted ports, it is allowed to append letter 'r' (as in redirect). Redirected ports will redirect all their traffic to the first configured SSL port. For example, if webserver.port is \"80r,443s\", then all HTTP traffic coming at port 80 will be redirected to HTTPS port 443.";
          	conf->webserver.port.a = cJSON_CreateStringReference("comma-separated list of <[ip_address:]port>");
          	conf->webserver.port.t = CONF_STRING;
          	conf->webserver.port.d.s = (char*)"80,[::]:80,443s,[::]:443s";
          
          	conf->webserver.tls.rev_proxy.k = "webserver.tls.rev_proxy";
          	conf->webserver.tls.rev_proxy.h = "Is Pi-hole running behind a reverse proxy? If yes, Pi-hole will not consider HTTP-only connections being insecure. This is useful if you are running Pi-hole in a trusted environment, for example, in a local network, and you are using a reverse proxy to provide TLS encryption, e.g., by using Traefik (docker). If you are using a reverse proxy, you can alternatively set webserver.tls.cert to the path of the TLS certificate file and let Pi-hole handle true end-to-end encryption.";
          	conf->webserver.tls.rev_proxy.f = FLAG_ADVANCED_SETTING;
          	conf->webserver.tls.rev_proxy.t = CONF_BOOL;
          	conf->webserver.tls.rev_proxy.d.b = false;
          
          	conf->webserver.tls.cert.k = "webserver.tls.cert";
          	conf->webserver.tls.cert.h = "Path to the TLS (SSL) certificate file. This option is only required when at least one of webserver.port is TLS. The file must be in PEM format, and it must have both, private key and certificate (the *.pem file created must contain a 'CERTIFICATE' section as well as a 'RSA PRIVATE KEY' section).\n The *.pem file can be created using\n     cp server.crt server.pem\n     cat server.key >> server.pem\n if you have these files instead";
          	conf->webserver.tls.cert.a = cJSON_CreateStringReference("<valid TLS certificate file (*.pem)>");

Blockhead · October 11, 2023, 7:52pm

Yes. Typo in my question. I'll edit. It's as you stated in my pihole.toml. (I've haven't figure out how to copy from an VM to the M.)

DL6ER · October 11, 2023, 7:55pm

When starting FTL v6.0 for the first time, it should create a new self-signed certificate at

/etc/pihole/tls.pem

Do you see this file?

Please also check our /var/log/pihole/FTL.log for a line like

Generation of SSL/TLS certificate ... failed!

or

Created SSL/TLS certificate for ... at ...

or maybe even

Webserver SSL/TLS certificate ... not found or not readable!

Blockhead · October 11, 2023, 8:06pm

I see tls.pem. Its contents are a key and then a certificate.

I do have "Created SSL/TLS certificate for pi.hole at [the location you gave]"

Grep shows four such instances.

DL6ER · October 11, 2023, 8:13pm

This is fine, I see we are logging this incorrectly every time FTL restarts even if the file has been generated only on the first start. I will soon submit a small fix correcting this.

Back to your problem, how did you install pi-hole? Is it on a dedicated machine or maybe in a virtual environment or even a docker container? Maybe port 443 is simply not reachable from the client you are trying to get to your Pi-hole over TLS.

edit Correlated PR

https://github.com/pi-hole/FTL/pull/1657

Blockhead · October 11, 2023, 8:22pm

Bingo. sudo ufw allow 443/tcp fixed it.

I'm running an Ubuntu 22.04 virtual machine inside Hyper-V on Windows 11.

And I also now see the helpful comments in pihole.toml regarding how to create a private .pem certificate and where to store it.

Thanks!