[Solved] Cannot install Pihole on Raspbian Stretch Lite

Expected Behaviour:

I should be able to install Pi-hole

Actual Behaviour:

When executing curl -sSL https://install.pi-hole.net | bash on a fresh install of Raspbian Lite, I get the following error message:

pi@raspberrypi:~ $ curl -sSL https://install.pi-hole.net | bash
curl: (35) Unknown SSL protocol error in connection to install.pi-hole.net:443

Debug Token:

Not applicable, as I cannot install Pi-hole.

Hi there, just a quick summary. I have a Raspberry Pi 3 with a fresh install of Raspbian Stretch Lite (which has been updated) and every time I try to install Pi-hole I get the message above.

Any ideas??

Prior to install, run sudo apt-get update and sudo apt-get upgrade

I have a feeling your curl needs an update.

I've just updated (and tested) a full manual, installing pihole on Raspbian Lite. You can find it here. If you are using the March 2018 release of Raspbian, I fully understand your problem(s). Make your life easy and download the April 2018 release here.

Some people have reported the site (users.telenet.be) of the manual being piholed, you may need to whitelist it.

I ran those two commands, but there are no updates available:

pi@raspberrypi:~ $ sudo apt-get update
Hit:1 http://raspbian.raspberrypi.org/raspbian stretch InRelease
Hit:2 http://archive.raspberrypi.org/debian stretch InRelease
Reading package lists... Done
pi@raspberrypi:~ $ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Is there a specific version of curl I need? Currently on 7.52.1:

pi@raspberrypi:~ $ curl -V
curl 7.52.1 (arm-unknown-linux-gnueabihf) libcurl/7.52.1 OpenSSL/1.0.2l zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

What is the curl command that you are using? Is it curl -sSL? And can you curl -IsSL https://install.pi-hole.net and get back some headers from the site?

Edit: I see you are doing the -sSL from your post, sorry. Try the I flag to just check in terminal.

Also, check the date on the Pi, make sure it's current as that sometimes will cause issues with TLS connections.

I was using the April release, but still have some issues. I took a look at the link you provided, and ran the following:

pi@raspberrypi:~ $ wget -O basic-install.sh https://install.pi-hole.net
pi@raspberrypi:~ $ chmod +x basic-install.sh
pi@raspberrypi:~ $ sudo ./basic-install.sh

Which did let me get to the setup, however, I then ran into this error:

[i] FTL Checks...
[✓] Detected ARM-hf architecture (armv7+)
[i] Checking for existing FTL binary...
[✗] Downloading and Installing FTL
Error: Unable to get latest release location from GitHub
[✗] FTL Engine not installed

[i] Skipping firewall configuration
[i] Restarting services...

[✓] Starting dnsmasq service

[✓] Enabling dnsmasq service to start on reboot

[✓] Starting lighttpd service

[✓] Enabling lighttpd service to start on reboot

[i] Starting pihole-FTL service...pi@raspberrypi:~ $ 

It just stopped at the prompt. I can open a web browser and navigate to the IP of my Pi-hole install, but it shows me a "Lost connection to API" message:

Just to test, I am able to ping github.com from Raspbian:

pi@raspberrypi:~ $ ping -c 4 github.com
PING github.com (192.30.253.112) 56(84) bytes of data.
64 bytes from lb-192-30-253-112-iad.github.com (192.30.253.112): icmp_seq=1 ttl=53 time=28.3 ms
64 bytes from lb-192-30-253-112-iad.github.com (192.30.253.112): icmp_seq=2 ttl=53 time=28.8 ms
64 bytes from lb-192-30-253-112-iad.github.com (192.30.253.112): icmp_seq=3 ttl=53 time=28.2 ms
64 bytes from lb-192-30-253-112-iad.github.com (192.30.253.112): icmp_seq=4 ttl=53 time=28.6 ms

--- github.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 28.288/28.527/28.887/0.246 ms

Kinda stumped on what's happening here. I have an old Raspberry Pi 2B (with Jessie) that installed Pi-hole just fine...

Yes, I was using curl -sSL
Running curl -IsSL https://install.pi-hole.net gives me the initial error I had:

pi@raspberrypi:~ $ curl -IsSL https://install.pi-hole.net
curl: (35) Unknown SSL protocol error in connection to install.pi-hole.net:443

I thought that initially, but the date is correct:

pi@raspberrypi:~ $ date
Sat 21 Apr 14:35:43 EDT 2018

Can you try a bare curl -I https://install.pi-hole.net and see if you even get the first hop to the load balancer?

And just to check, can you run:

 apt-cache policy ca-certificates

If this still ends up as a failure we can do curl -vI https://install.pi-hole.net and that should show what step in the process things are failing.

pi@raspberrypi:~ $ curl -I https://install.pi-hole.net
curl: (35) Unknown SSL protocol error in connection to install.pi-hole.net:443

Okay, try the verbose connection printing curl -vI https://install.pi-hole.net and we can walk it through.

pi@raspberrypi:~ $ curl -vI https://install.pi-hole.net
* Rebuilt URL to: https://install.pi-hole.net/
*   Trying 104.236.99.8...
* TCP_NODELAY set
* Connected to install.pi-hole.net (104.236.99.8) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=pi-hole.net
*  start date: Feb 21 19:36:11 2018 GMT
*  expire date: May 22 19:36:11 2018 GMT
*  subjectAltName: host "install.pi-hole.net" matched cert's "install.pi-hole.net"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1fc8e48)
> HEAD / HTTP/1.1
> Host: install.pi-hole.net
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 301
HTTP/2 301
< server: nginx/1.12.2
server: nginx/1.12.2
< date: Sat, 21 Apr 2018 18:42:05 GMT
date: Sat, 21 Apr 2018 18:42:05 GMT
< content-type: text/html
content-type: text/html
< content-length: 185
content-length: 185
< location: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh
location: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh
< strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=31536000; includeSubDomains
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< referrer-policy: strict-origin
referrer-policy: strict-origin

<
* Curl_http_done: called premature == 0
* Connection #0 to host install.pi-hole.net left intact

That matches what I'm seeing on a confirmed good configuration, down to the version of curl. Next would be to try curl -vsISL https://install.pi-hole.net to see the full path to the asset.

pi@raspberrypi:~ $ curl -vsISL https://install.pi-hole.net
* Rebuilt URL to: https://install.pi-hole.net/
*   Trying 45.76.128.97...
* TCP_NODELAY set
* Connected to install.pi-hole.net (45.76.128.97) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=pi-hole.net
*  start date: Feb 21 19:36:11 2018 GMT
*  expire date: May 22 19:36:11 2018 GMT
*  subjectAltName: host "install.pi-hole.net" matched cert's "install.pi-hole.net"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x11a4e48)
> HEAD / HTTP/1.1
> Host: install.pi-hole.net
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 301
HTTP/2 301
< server: nginx/1.12.2
server: nginx/1.12.2
< date: Sat, 21 Apr 2018 18:45:11 GMT
date: Sat, 21 Apr 2018 18:45:11 GMT
< content-type: text/html
content-type: text/html
< content-length: 185
content-length: 185
< location: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh
location: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh
< strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=31536000; includeSubDomains
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< referrer-policy: strict-origin
referrer-policy: strict-origin

<
* Curl_http_done: called premature == 0
* Connection #0 to host install.pi-hole.net left intact
* Issue another request to this URL: 'https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh'
*   Trying 151.101.0.133...
* TCP_NODELAY set
* Connected to raw.githubusercontent.com (151.101.0.133) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=www.github.com
*  start date: Mar 23 00:00:00 2017 GMT
*  expire date: May 13 12:00:00 2020 GMT
*  subjectAltName: host "raw.githubusercontent.com" matched cert's "*.githubusercontent.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
> HEAD /pi-hole/pi-hole/master/automated%20install/basic-install.sh HTTP/1.1
> Host: raw.githubusercontent.com
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
< Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-Frame-Options: deny
X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< ETag: "3152d9c14856c41f9b70422a566c96beaa4868a8"
ETag: "3152d9c14856c41f9b70422a566c96beaa4868a8"
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< Cache-Control: max-age=300
Cache-Control: max-age=300
< X-Geo-Block-List:
X-Geo-Block-List:
< X-GitHub-Request-Id: FF46:6A6A:18672E:1A1122:5ADB86B9
X-GitHub-Request-Id: FF46:6A6A:18672E:1A1122:5ADB86B9
< Content-Length: 81119
Content-Length: 81119
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Date: Sat, 21 Apr 2018 18:45:13 GMT
Date: Sat, 21 Apr 2018 18:45:13 GMT
< Via: 1.1 varnish
Via: 1.1 varnish
< Connection: keep-alive
Connection: keep-alive
< X-Served-By: cache-yyz8330-YYZ
X-Served-By: cache-yyz8330-YYZ
< X-Cache: MISS
X-Cache: MISS
< X-Cache-Hits: 0
X-Cache-Hits: 0
< X-Timer: S1524336314.771611,VS0,VE29
X-Timer: S1524336314.771611,VS0,VE29
< Vary: Authorization,Accept-Encoding
Vary: Authorization,Accept-Encoding
< Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
< X-Fastly-Request-ID: 97f8b4259639c18aae1397b5147671ca0ebaf9ff
X-Fastly-Request-ID: 97f8b4259639c18aae1397b5147671ca0ebaf9ff
< Expires: Sat, 21 Apr 2018 18:50:13 GMT
Expires: Sat, 21 Apr 2018 18:50:13 GMT
< Source-Age: 0
Source-Age: 0

<
* Curl_http_done: called premature == 0
* Connection #1 to host raw.githubusercontent.com left intact
pi@raspberrypi:~ $

Last to check would be curl -vsSL https://install.pi-hole.net and that should display the installer script for you. (Just remove the I from the previous call.)

pi@raspberrypi:~ $ curl -vsSL https://install.pi-hole.net
* Rebuilt URL to: https://install.pi-hole.net/
*   Trying 104.236.99.8...
* TCP_NODELAY set
* Connected to install.pi-hole.net (104.236.99.8) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to install.pi-hole.net:443
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to install.pi-hole.net:443

Let me check that particular load balancer and see if there is something not correct on it. You get either of two servers and one may be misbehaving and the good tests that have passed may be for another node.
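
Added example, not part of any post in this thread: one way to check whether TLS failures follow a single load-balancer address is to pin each address with curl's --resolve option and tally handshake outcomes per address from the verbose output. The function names are hypothetical, the sample log is abridged from the curl -v output posted above, and `getent` is assumed to be available.

```shell
#!/usr/bin/env bash
# Added example: tally TLS outcomes per backend address from `curl -v` output.

# Reads curl -v output on stdin; prints "<ip> ok=<n> fail=<n>" for each
# address curl tried, in first-seen order.
tally_curl_log() {
  awk '
    /^\* +Trying / {
      ip = $3; sub(/\.\.\.$/, "", ip)           # strip the trailing "..."
      if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
    }
    /SSL certificate verify ok/ { if (ip != "") ok[ip]++ }
    /^curl: \([0-9]+\)/         { if (ip != "") fail[ip]++ }
    END {
      for (i = 1; i <= n; i++)
        printf "%s ok=%d fail=%d\n", order[i], ok[order[i]], fail[order[i]]
    }
  '
}

# Probe every IPv4 address of a host separately, several rounds each, by
# pinning the address with --resolve. Needs network access; redirects are
# not followed, so only the first hop is tested.
probe_nodes() {
  local host="$1" rounds="${2:-3}" ip i
  for ip in $(getent ahostsv4 "$host" | awk '{print $1}' | sort -u); do
    for i in $(seq "$rounds"); do
      curl -sSv -o /dev/null --max-time 15 \
           --resolve "$host:443:$ip" "https://$host/" 2>&1
    done
  done | tally_curl_log
}

# Sample input, abridged from the verbose output posted in this thread.
sample_log() {
  cat <<'EOF'
*   Trying 104.236.99.8...
* Connected to install.pi-hole.net (104.236.99.8) port 443 (#0)
*  SSL certificate verify ok.
*   Trying 45.76.128.97...
*  SSL certificate verify ok.
*   Trying 104.236.99.8...
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to install.pi-hole.net:443
curl: (35) Unknown SSL protocol error in connection to install.pi-hole.net:443
EOF
}

sample_log | tally_curl_log
```

On a machine with network access, `probe_nodes install.pi-hole.net 5` runs the same tally against live connections, five attempts per address.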