SSL configuration not working for lighttpd

Moderator edit: With regards to Enabling HTTPS for your Pi-hole Web Interface

For anyone updating from an older version of Pi-hole, please note that the external.conf file needs to be placed either into

/etc/lighttpd/conf-enabled

or else into

/etc/lighttpd/conf-available

and then symlinked to conf-enabled.

This little wrinkle caught me out as I had previously solved the TLS issue but at that stage the external.conf file could be left in the /etc/lighttpd folder as lighttpd.conf was "including" from there.

FYI, you have the lighty-enable-mod and lighty-disable-mod commands available for symlinking config files contained in conf-available to conf-enabled:

pi@ph5b:~ $ man lighty-enable-mod
[..]
DESCRIPTION
       This  manual  page  documents  briefly  the  lighty-enable-mod  and
       lighty-disable-mod commands.

       lighty-enable-mod  and  lighty-disable-mod are programs that enable
       (and respectively disable) the specified configuration file  within
       lighttpd configuration.

       Both programs can be run interactively or from command line. If ei‐
       ther program is called without any arguments, an  input  prompt  is
       displayed  to  the  user,  where  he  might  choose among available
       lighttpd modules. Immediate action is taken, if a module  name  was
       given on the command line.
[..]

I cannot confirm such a requirement:
My custom options in external.conf are fully applied (but then those are not related to TLS).

That's still the case, as Pi-hole's lighttpd.conf still contains:

68:# Add user chosen options held in external file
69:# This uses include_shell instead of an include wildcard for compatibility
70:include_shell "cat external.conf 2>/dev/null"

@Bucking_Horn

Is it possible we have conflicting versions?

I'm on Pi-hole v5.11.4, FTL v5.16.1 Web interface v5.13 Lighttpd 1.4.59

This whole issue with Lighttpd started when I upgraded my Pi-hole OS to the latest PiOS by using a new image and then reinstalling Pi-hole. I prefer to access my web interface on HTTPS (yes, I know it's overkill :grinning:), so I then set about modding my external.conf to suit. Note as well that I also needed to reinstall mod-openssl:

sudo apt-get reinstall lighttpd-mod-openssl

My /etc/lighttpd/lighttpd.conf definitely only has the line

include "/etc/lighttpd/conf-enabled/*.conf"

and lighttpd only starts with my TLS requirements enabled when my external.conf is in this directory.

This is my external.conf.

  server.modules += ( "mod_openssl" )

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/usr/local/share/ca-certificates/pi-hole.pem"
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
                url.redirect = (".*" => "https://%0$0")
        }
  }

Thanks for the tip @deHakkelaar :+1:


That lighttpd.conf wasn't created by Pi-hole.
I'm going to split your posts into a separate topic, so we can follow this through as a separate issue.

EDIT: Done.

Note that `lighttpd.conf` should not be edited at all, as per disclaimer at the top of that file (click for disclaimer):
###############################################################################
#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#              CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE:              #
#                         /etc/lighttpd/external.conf                         #
###############################################################################

My guess would be that reinstalling lighttpd-mod-openssl may have overwritten lighttpd.conf as generated by Pi-hole (which would contain the aforementioned disclaimer to a total of about 100 lines).

Try running

pihole -r

with Repair.

@Bucking_Horn

You are correct about the lighttpd.conf. I actually run 2 Pi-holes here for 2 separate networks. I have yet to update the other one's OS, and when I checked both lighttpd.conf files, the one I was working on does NOT have the Pi-hole disclaimer.

I have just run

pihole -r 

choosing the repair option, which has reinstated Pi-hole's lighttpd.conf. I have also moved my external.conf back into the /etc/lighttpd folder. The mods I made to get external.conf working with the other lighttpd.conf were no longer valid, and I have modified it accordingly.

This external.conf works correctly in that HTTPS access to the Pi-hole is working, but this thread does highlight that I am no expert, so there may be other mods/tweaks which would make this even better? :slightly_smiling_face:

server.modules += ( "mod_openssl" )

$HTTP["host"] == "pi-hole.paradigm.local" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/usr/local/share/ca-certificates/pi-hole.pem"
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
                url.redirect = (".*" => "https://%0$0")
        }
  }
}
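The thread turns on two things that are easy to get wrong: whether lighttpd actually reads the file holding your TLS settings (Pi-hole's lighttpd.conf pulls in external.conf via include_shell, the stock Debian one only reads conf-enabled/*.conf), and a config slip such as an unmatched brace (the first external.conf posted above ended with an extra "}") that stops lighttpd from starting. The script below checks both offline against a config directory. It is an added example written for this write-up, not part of Pi-hole or lighttpd. It assumes the Debian layout (lighttpd.conf, external.conf and conf-enabled/ side by side), builds its own throwaway sample trees rather than reading a real host, and the permission check assumes the .pem named in ssl.pemfile contains the private key.

```shell
#!/bin/sh
# Added example for this thread, not Pi-hole's or lighttpd's own tooling.
# Offline checks for: (1) TLS settings placed where lighttpd never reads them,
# (2) unbalanced braces in external.conf, (3) a group/world-readable key file.
# Assumed layout: DIR/lighttpd.conf, DIR/external.conf, DIR/conf-enabled/*.conf.

# Report which lighttpd.conf is installed: Pi-hole's (reads external.conf via
# include_shell) or stock Debian's (reads only conf-enabled/*.conf).
detect_layout() {
    if grep -q 'include_shell "cat external.conf' "$1"; then
        echo pihole
    elif grep -q 'conf-enabled/\*\.conf' "$1"; then
        echo debian
    else
        echo unknown
    fi
}

# Given the config directory, say whether a file containing ssl.engine will be
# read at startup. Returns 0 if yes, 1 if not, and prints the reason.
tls_config_is_loaded() {
    dir="$1"
    case "$(detect_layout "$dir/lighttpd.conf")" in
    pihole)
        if grep -qs 'ssl.engine' "$dir/external.conf"; then
            echo "ok: $dir/external.conf is read via include_shell"; return 0
        fi
        echo "no TLS settings found in $dir/external.conf"; return 1 ;;
    debian)
        for f in "$dir"/conf-enabled/*.conf; do
            if grep -qs 'ssl.engine' "$f"; then
                echo "ok: TLS settings read from $f"; return 0
            fi
        done
        echo "stock lighttpd.conf: put external.conf in $dir/conf-enabled or symlink it there"
        return 1 ;;
    *)
        echo "cannot tell how $dir/lighttpd.conf includes extra config"; return 1 ;;
    esac
}

# Net count of "{" minus "}" outside quoted strings and comments. Anything
# other than 0 means lighttpd will reject the file (an extra "}" gives -1).
brace_balance() {
    awk '{
        line = $0
        gsub(/"[^"]*"/, "", line)   # drop quoted strings first
        sub(/#.*/, "", line)        # then trailing comments
        nopen  += gsub(/[{]/, "", line)
        nclose += gsub(/[}]/, "", line)
    } END { print nopen - nclose }' "$1"
}

# The pemfile usually holds the private key too: group and others must have no
# access at all. Returns 0 when only the owner has any permission bits.
key_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Constructed sample trees (not copied from any host) for both layouts.
# $1 = pihole|debian; prints the directory created.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/conf-enabled"
    if [ "$1" = pihole ]; then
        printf '%s\n' '# FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.' \
            'include_shell "cat external.conf 2>/dev/null"' > "$d/lighttpd.conf"
    else
        printf '%s\n' 'include "/etc/lighttpd/conf-enabled/*.conf"' > "$d/lighttpd.conf"
    fi
    # external.conf in the shape posted in this thread (balanced braces)
    cat > "$d/external.conf" <<'EOF'
server.modules += ( "mod_openssl" )
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/usr/local/share/ca-certificates/pi-hole.pem"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
}
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" { url.redirect = (".*" => "https://%0$0") }
}
EOF
    echo "$d"
}

# Demo: exercise both layouts on throwaway directories.
for layout in pihole debian; do
    d=$(make_sample "$layout")
    echo "== $layout layout =="
    tls_config_is_loaded "$d" || true
    echo "brace balance of external.conf: $(brace_balance "$d/external.conf")"
    rm -rf "$d"
done
```

On a real host, `tls_config_is_loaded /etc/lighttpd` gives the answer to the question the thread started with, and `brace_balance /etc/lighttpd/external.conf` catches the most common typo; `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` remains the authoritative syntax check before restarting the service. If `key_is_private` fails on your pemfile, `chmod 600` it: lighttpd only needs to read it at startup.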
