SSL Cert

Hi folks,

Is there a guide on installing Let's Encrypt for this new version?

Thanks, T


Not that I know of. But I don't know if it is necessary because Let's Encrypt would require some way to validate the domain name used. So, a self-signed certificate from certbot would be the same as the auto-generated self-signed certificate.

But let's say you have access to change the domain name records of example.com and had certbot installed.

pihole.toml instructs:
Path to the TLS (SSL) certificate file. This option is only required when at least one of webserver.port is TLS. The file must be in PEM format, and it must have both, private key and certificate (the *.pem file created must contain a 'CERTIFICATE' section as well as a 'RSA PRIVATE KEY' section).
The *.pem file can be created using
cp server.crt server.pem
cat server.key >> server.pem
if you have these files instead

Possible values are:
<valid TLS certificate file (*.pem)>

cert = "/etc/pihole/tls.pem"

In your local terminal run:

certbot certonly --manual -d pihole.example.com --agree-tos --preferred-challenges dns-01

Follow the prompts and DNS challenge.

Certbot will then generate files at (check certbot output for paths):

/etc/letsencrypt/live/pihole.example.com/fullchain.pem
/etc/letsencrypt/live/pihole.example.com/privkey.pem

# the redirect has to run as root too, so wrap the whole command in sudo sh -c
sudo sh -c 'cat /etc/letsencrypt/live/pihole.example.com/fullchain.pem /etc/letsencrypt/live/pihole.example.com/privkey.pem > /etc/pihole/server.pem'

Then, update pihole.toml at
sudo nano /etc/pihole/pihole.toml
replace domain = "pi.hole" with domain = "pihole.example.com"
replace cert="/etc/pihole/tls.pem" with cert = "/etc/pihole/server.pem"

sudo pihole restartdns

Next, find some way to locally resolve pihole.example.com to your local computer. One way is to add a local DNS record under Settings for pihole.example.com to the IP of your Pi-hole.

Tada - browsing to pihole.example.com shows the happy lock!

(Because it is certonly and you have to concatenate, it won't automatically refresh, and you'll have to do this again every three months.)
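The concatenation and check steps above, as an added example that is not part of the original post or of Pi-hole itself: a small POSIX shell script that assembles the single PEM file pihole.toml's `cert` option expects from certbot's fullchain.pem and privkey.pem, then verifies the block order before Pi-hole is pointed at it. It assumes the certbot paths quoted above, that it is run as root on the Pi-hole host (both the certbot key and /etc/pihole are root-only), and a 0600 file mode, which is an assumption to match against your existing /etc/pihole/tls.pem.

```shell
#!/bin/sh
# Added example (not from the original post or the Pi-hole project): build the
# combined PEM that pihole.toml's "cert" option expects and check its layout.
# Assumed: certbot's default paths as quoted in the thread; run as root.

# Concatenate <fullchain> and <privkey> into <out>: certificates first, the
# private key last. The file is assembled in a temp file and installed in one
# step, because "sudo cat a b > /etc/pihole/server.pem" runs the redirect as
# the unprivileged shell and fails on the root-owned directory.
build_pihole_pem() {
    fullchain="$1"; privkey="$2"; out="$3"
    tmp=$(mktemp) || return 1
    cat "$fullchain" "$privkey" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Guarantee a trailing newline so the final "-----END ...-----" line is
    # complete even if privkey.pem lacked one.
    [ -z "$(tail -c 1 "$tmp")" ] || printf '\n' >> "$tmp"
    # 0600 is an assumption; match whatever your existing /etc/pihole/tls.pem has.
    ${SUDO:-} install -m 0600 "$tmp" "$out"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Verify the block order the pihole.toml comment describes: at least one
# CERTIFICATE block, followed by exactly one private-key block as the last
# block. Certbot writes PKCS#8 ("BEGIN PRIVATE KEY"); the "RSA PRIVATE KEY"
# header named in pihole.toml is the older PKCS#1 form, and either counts as a
# private-key block here. A passphrase-protected key is rejected because a
# daemon has nobody to ask for the passphrase.
check_pihole_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "$pem: not readable"; return 1; }
    blocks=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$pem")
    ncert=$(printf '%s\n' "$blocks" | grep -c '^CERTIFICATE$' || true)
    nkey=$(printf '%s\n' "$blocks" | grep -c 'PRIVATE KEY$' || true)
    last=$(printf '%s\n' "$blocks" | tail -n 1)
    case "$last" in
        "ENCRYPTED PRIVATE KEY")
            echo "$pem: private key is passphrase-protected; export it unencrypted"
            return 1 ;;
        *"PRIVATE KEY") ;;
        *)
            echo "$pem: last block is '$last', expected the private key"
            return 1 ;;
    esac
    [ "$ncert" -ge 1 ] || { echo "$pem: no CERTIFICATE block"; return 1; }
    [ "$nkey" -eq 1 ] || { echo "$pem: expected 1 private-key block, found $nkey"; return 1; }
    echo "$pem: $ncert certificate(s) followed by one '$last' block"
}

# Usage on the Pi-hole host, as root (hypothetical script name pihole-pem.sh):
#   sudo sh pihole-pem.sh \
#       /etc/letsencrypt/live/pihole.example.com/fullchain.pem \
#       /etc/letsencrypt/live/pihole.example.com/privkey.pem \
#       /etc/pihole/server.pem
if [ "$#" -eq 3 ]; then
    build_pihole_pem "$1" "$2" "$3" && check_pihole_pem "$3"
fi
```

After it reports the certificate count followed by one private-key block, point `cert` in pihole.toml at the output path and restart as described above; a file whose last block is not the key, or whose key is encrypted, is caught before Pi-hole ever tries to load it.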

So I have a cert from certbot already; however, I'm unsure how to install this on Pi-hole. Are you able to help?

I've now completed my response above. Hope it helps.

This is useful, thank you. However, I get the following error now:

<> uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I'm not sure how to troubleshoot that with a local server certificate. You could try basic options like clearing the cache:

Clear the SSL State In Chrome

Another thing to try is clearing the SSL state in Chrome. This can sometimes help if things get out of sync. To clear the SSL state in Chrome on Windows, follow these steps:

  • Click the Google Chrome Settings icon, and then click Settings.
  • Click Show advanced settings.
  • Under Network, click Change proxy settings. The Internet Properties dialog box appears.
  • Click the Content tab.
  • Click “Clear SSL state”, and then click OK.
  • Restart Chrome.

Unfortunately not working :frowning:

Probably a certificate error. Maybe going back in and checking the concatenation. The key should be at the end of the file.

In /etc/pihole/server.pem it goes

-BEGIN CERT-
<< CERT >>
-END CERT-
-BEGIN CERT-
<< CERT >>
-END CERT-
-BEGIN CERT-
<< CERT >>
-END CERT-
-BEGIN PRIVATE KEY-
<< KEY >>
-END PRIVATE KEY-

Is this correct?

That looks right if it has a blank line at the bottom

I optimized the instructions above. Please try those. Maybe some of the settings (server, key size) caused issues for your setup?

Unfortunately same error still :slightly_frowning_face:

For troubleshooting, try:

sudo apt-get install testssl.sh

testssl pihole.example.com (for your domain)

Pi-hole's embedded webserver uses mbedTLS for the cryptographic parts. We follow the NSA Suite B recommendations for the combination of allowed encryption/signatures/key exchange/message digest. It is possible that the certificate generated by certbot isn't compatible with this, leading to your browser rejecting the certificate.

Please try other browsers and see if the issue persists. Chrome in particular is rather picky about supported ciphers (e.g., Chrome rejects secp521r1 while Firefox accepts it without any issues).

If you wouldn't mind sharing your certificate and domain with me (in a private message), I can use it to diagnose your particular case. If you don't want to share it (that's okay, too), I will look into using certbot to create a certificate for a domain I own and use this for testing (but this does not ensure I will see the same issue). It's your choice. You should first try @Blockhead's last suggestion, though.

To make the choice a bit more unfair, I will add that diagnosing with a given certificate will be faster than when I first have to configure something on my own - it will likely take me a few days as there are so many other things going on right now.

Thanks for sending the files via PM. From those, I see that the generated key is an RSA 2048-bit key. However, the recommended NSA Suite B (see above) disallows the usage of RSA and mandates ECDSA digital signatures only.

Being aware that the combination of Pi-hole with Let's Encrypt (and, hence, RSA keys) is worth having, I will propose relaxing the very strict Pi-hole commitment to NSA Suite B to a much broader "default" cipher suite. This will allow compatibility with your keys.

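An added example for the diagnosis above (not from the thread or the Pi-hole project): with openssl(1) you can read the key algorithm and curve out of a certificate yourself and tell in advance whether it would pass an ECDSA-only, Suite B style cipher policy like the one described, and you can confirm that the key you concatenated into server.pem actually belongs to the certificate in it. The certbot `--key-type` and `--elliptic-curve` flags in the trailing comment exist in certbot 1.10 and later and are shown as an alternative route to an ECDSA certificate; file names are placeholders, and a certbot recent enough to have those flags is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread or the Pi-hole project.
# Requires openssl(1). File names are placeholders.

# Public-key algorithm of the first CERTIFICATE block in <pem>, as openssl
# prints it: "rsaEncryption" for RSA, "id-ecPublicKey" for ECDSA.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Curve name of an ECDSA certificate (empty for RSA), e.g. prime256v1
# (P-256), secp384r1 (P-384) or secp521r1.
cert_curve() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *ASN1 OID: *//p' | head -n 1
}

# Return 0 if the certificate's key would satisfy an ECDSA-only policy on the
# NSA Suite B curves (P-256/P-384), 1 for RSA, 2 for ECDSA on another curve
# (secp521r1 works in Firefox but not in Chrome, as noted above).
suite_b_compatible() {
    alg=$(cert_key_algorithm "$1")
    case "$alg" in
        id-ecPublicKey)
            curve=$(cert_curve "$1")
            case "$curve" in
                prime256v1|secp384r1)
                    echo "$1: ECDSA on $curve, Suite B compatible"; return 0 ;;
                *)
                    echo "$1: ECDSA on $curve, not a Suite B curve"; return 2 ;;
            esac ;;
        rsaEncryption)
            echo "$1: RSA key, rejected by an ECDSA-only policy"; return 1 ;;
        *)
            echo "$1: unrecognised key algorithm '$alg'"; return 1 ;;
    esac
}

# Return 0 if the private key in <key-pem> (default: the same file as the
# certificate, i.e. a concatenated server.pem) belongs to the certificate in
# <cert-pem>: compare the public key derived from the private key with the
# one embedded in the certificate. Catches a server.pem assembled from the
# wrong privkey.pem.
key_matches_cert() {
    cert="$1"; key="${2:-$1}"
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Usage: sh check-cert.sh /etc/pihole/server.pem
if [ "$#" -ge 1 ]; then
    suite_b_compatible "$1"
    key_matches_cert "$1" && echo "$1: private key matches certificate"
fi

# Alternative that would have satisfied the strict policy without the code
# change: ask certbot for an ECDSA key on a Suite B curve (certbot >= 1.10;
# secp256r1 is P-256, secp384r1 is P-384; avoid secp521r1 for Chrome):
#   certbot certonly --manual -d pihole.example.com --agree-tos \
#       --preferred-challenges dns-01 --key-type ecdsa --elliptic-curve secp256r1
```

Run it against the concatenated server.pem: an RSA report explains an ERR_SSL_VERSION_OR_CIPHER_MISMATCH under the ECDSA-only policy, and a key/certificate mismatch points at the concatenation step rather than at the cipher list.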

The change has been accepted and merged, the next update of the development-v6 branch will contain this change for you to try (+/- half an hour from now).

Can confirm this is now working.