Setting up a TLS (SSL) in V6

Continuing the discussion from Revert to Lighttpd:

Thanks. I tried that and it hasn't helped.

I did find this, Custom TLS for Pihole v6 - how to install your own certificate? but again, hasn't helped.

I have a domain I use for purely internal SSL certificates. The certificates are created automatically with DNS Auth (as they are not routable) with Letsencrypt ACME. They are then combined via a deploy hook to pem format (previously worked with Lighttpd).

I have set the domain in pihole to match the domain of the certificate. I did notice a couple of new web.* files appeared when I updated the domain name of the instance.

I am getting a browser security warning and this

I can access via IP address.

[edit]
Also found this - What about enabling HTTPS in Pi-hole v6? - #2 by Bucking_Horn. The link to section 5 of the announcement "with options to provide your own certificates or use auto-generated ones." The docs link 'appears' to still refer to the older interface, though I could be wrong. Doesn't really explain the 'autogenerated ones' bit :slight_smile:

What docs are you referring to?

I've linked to the Introducing Pi-hole v6 announcement, rather than any documentation.

You can tell pihole the location of your certificates in settings -> click on 'basic' and it will toggle to 'expert'. Then go to All settings select the Webserver and API tab and scroll down to webserver.tls.cert

There was then a link to the docs below that TLS/SSL - Pi-hole documentation

I've changed the domain name in the settings several times and the tls files don't seem to be updated. Is there a way to force regeneration of the locally generated certificates?

Also is this expected behaviour? Seems it is.


In simple terms,

I have LetsEncrypt certificates for a domain. How do I get PiHole setup so I can access it, with HTTPS, via that domain name locally (IP address is associated with domain name) without a browser error.

Certificates worked with Lighttpd.

For letsencrypt, the easiest way is to combine the fullchain.pem and privkey.pem as /etc/pihole/tls.pem.

From your relevant directory within /etc/letsencrypt/live
eg /etc/letsencrypt/live/example.com

Copy the certificates to pihole's directory:
# cat fullchain.pem privkey.pem > /etc/pihole/tls.pem

You can also set up a cron job to do this to automatically copy your new certs over when they are renewed.

Also set the domain within webserver.domain in the Webserver and API settings in pihole.
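A certbot deploy hook that automates the concatenation step above, as an added example (not from this thread or the Pi-hole project). It assumes certbot's RENEWED_LINEAGE variable is set when the hook runs, that webserver.tls.cert points at /etc/pihole/tls.pem, and that pihole-FTL is the service to restart:

```shell
#!/bin/sh
# Added example: certbot deploy hook rebuilding /etc/pihole/tls.pem from
# fullchain.pem + privkey.pem. Assumptions: RENEWED_LINEAGE is exported by
# certbot for deploy hooks, Pi-hole reads /etc/pihole/tls.pem, and pihole-FTL
# must be restarted to load the new file.
set -eu

# build_tls_pem SRC_DIR DEST
# Concatenates SRC_DIR/fullchain.pem and SRC_DIR/privkey.pem into DEST,
# checks the result holds a certificate and a key, and locks the file down.
build_tls_pem() {
    src_dir=$1
    dest=$2
    full="$src_dir/fullchain.pem"
    key="$src_dir/privkey.pem"

    # Fail loudly if either input is missing or unreadable
    [ -r "$full" ] || { echo "missing or unreadable: $full" >&2; return 1; }
    [ -r "$key" ]  || { echo "missing or unreadable: $key" >&2; return 1; }

    # Write to a temp file first so a half-written tls.pem is never served
    tmp=$(mktemp "$(dirname "$dest")/tls.pem.XXXXXX")
    cat "$full" "$key" > "$tmp"

    # Sanity-check the combined PEM before swapping it into place
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp" || ! grep -q 'PRIVATE KEY' "$tmp"; then
        echo "combined file lacks a certificate or a private key" >&2
        rm -f "$tmp"
        return 1
    fi

    # The file contains the private key: owner-only access, owned by pihole
    chmod 600 "$tmp"
    if id pihole >/dev/null 2>&1; then chown pihole:pihole "$tmp"; fi
    mv -f "$tmp" "$dest"
}

# Entry point when invoked by certbot (skipped when RENEWED_LINEAGE is unset)
if [ "${RENEWED_LINEAGE:-}" ]; then
    build_tls_pem "$RENEWED_LINEAGE" /etc/pihole/tls.pem
    systemctl restart pihole-FTL
fi
```

Because certbot runs deploy hooks as root, the pihole user never needs read access to /etc/letsencrypt; install it with `certbot renew --deploy-hook /path/to/this-script.sh` or drop it in /etc/letsencrypt/renewal-hooks/deploy/.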

Pi-hole v6 uses PEM format.

As explained, you need to combine both certificate files as a single file.

robgill's post shows one way to do it.
The web interface shows a very similar method:

Hi @robgill, @rdwebdesign

I did exactly this - combined certificates (except I did not save as tls.pem) and added the domain the certificate was issued for. It didn't allow me to access Pi-hole via SSL and the domain name.

Is it a bug?

Did you change the setting webserver.tls.cert to match the filename and path that you did use?

If so, what are the ownership and permissions of the file?

I copied the file to the /etc/pihole folder and chown to pihole:pihole

Once it's working, I'll work out what group to add user pihole to so it can access the Letsencrypt folder.

So now I feel really stupid.

Went back and checked that I had done everything correctly and I had copied the file as pm rather than pem. :man_facepalming:

BUT - it accesses the site with the domain name and https but says insecure.

@robgill @rdwebdesign - is it expected behaviour that Edge thinks part of the 'site' are not secure even with a LetsEncrypt certificate in place on the server?

Are you trying to access it using pi.hole (as in your image above)? It would be expected to throw an error in that case (or via the ip) if you are using a certificate for another domain. It should not report it as insecure if you are accessing it via the domain name of the certificate.

I am using a domain ('pihole.xyz.net') for the VM Pi-hole is on and the certificate is issued for that domain.

The domain is LAN only and non-routable (certificate done via DNS authentication).

It worked fine with Lighttpd.

I note the warning says 'some parts of this site are not secure'. I only have Pi-hole installed on this VM.

Well, it seems to have decided all is well and the warning has gone. Very odd! Thanks for your help.

