SSL for Pi-hole Admin Web-Interface Not Working

Unable to implement SSL for the Pi-hole Admin Web-Interface.
Here, I followed the guidelines from the documentation.
Here is a copy of my external.conf file from the /etc/lighttpd/ directory.

Debug Token: https://tricorder.pi-hole.net/120iafeuzt

[root@PiHole lighttpd]# cat external.conf
$HTTP["host"] == "PiHole.homelabusa.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
-rw-r--r--. 1 lighttpd lighttpd 566 Apr 14 08:46 /var/log/lighttpd/error.log
   2020-04-12 03:16:01: (server.c.1785) logfiles cycled UID = 0 PID = 13881 
   2020-04-14 08:45:18: (mod_openssl.c.362) SSL: no certificate/private key for TLS server name pihole.homelabusa.com 
   2020-04-14 08:45:18: (mod_openssl.c.1796) SSL: 1 error:142090EA:SSL routines:tls_early_post_process_client_hello:callback failed 
   2020-04-14 08:46:17: (mod_openssl.c.362) SSL: no certificate/private key for TLS server name pihole.homelabusa.com 
   2020-04-14 08:46:17: (mod_openssl.c.1796) SSL: 1 error:142090EA:SSL routines:tls_early_post_process_client_hello:callback failed 
[root@PiHole lighttpd]# cat /etc/lighttpd/external.conf
$HTTP["host"] == "PiHole.homelabusa.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"    
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"       
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
[root@PiHole lighttpd]# ls -allh /etc/lighttpd/ssl/chain.pem
-rw-r--r--. 1 root root 1.7K Apr  1 00:19 /etc/lighttpd/ssl/chain.pem
[root@PiHole lighttpd]# ls -allh /etc/lighttpd/ssl/combined.pem
-rw-r--r--. 1 root root 3.6K Apr  1 00:23 /etc/lighttpd/ssl/combined.pem
[root@PiHole lighttpd]# 

That doesn't tell me anything.

In /etc/lighttpd/lighttpd.conf, I made the following two changes.

  1. Commented out the include_shell line
  2. Added an include line
#include_shell "cat external.conf 2>/dev/null"
include "/etc/lighttpd/external.conf"

After that I restarted the lighttpd service and now I am not getting SSL errors anymore.

[root@PiHole lighttpd]# cat /var/log/lighttpd/error.log
2020-04-14 22:11:05: (server.c.1488) server started (lighttpd/1.4.55) 

Then I checked whether the server is listening on port 443 or not.

[root@PiHole lighttpd]# ss -tpln
State           Recv-Q           Send-Q                      Local Address:Port                     Peer Address:Port                                                                
LISTEN          0                128                               0.0.0.0:5355                          0.0.0.0:*               users:(("systemd-resolve",pid=898,fd=14))           
LISTEN          0                128                               0.0.0.0:80                            0.0.0.0:*               users:(("lighttpd",pid=28913,fd=4))                 
LISTEN          0                32                                0.0.0.0:53                            0.0.0.0:*               users:(("pihole-FTL",pid=4880,fd=7))                
LISTEN          0                128                               0.0.0.0:22                            0.0.0.0:*               users:(("sshd",pid=921,fd=5))                       
LISTEN          0                128                               0.0.0.0:443                           0.0.0.0:*               users:(("lighttpd",pid=28913,fd=5))                 
LISTEN          0                5                               127.0.0.1:4711                          0.0.0.0:*               users:(("pihole-FTL",pid=4880,fd=14))               
LISTEN          0                128                                  [::]:5355                             [::]:*               users:(("systemd-resolve",pid=898,fd=16))           
LISTEN          0                32                                   [::]:53                               [::]:*               users:(("pihole-FTL",pid=4880,fd=9))                
LISTEN          0                128                                  [::]:22                               [::]:*               users:(("sshd",pid=921,fd=7))                       
LISTEN          0                5                                   [::1]:4711                             [::]:*               users:(("pihole-FTL",pid=4880,fd=15))               
[root@PiHole lighttpd]# 

When I tried to make a secure connection using curl from a client computer (MacBook Pro) to the Pi-hole server, the connection was refused.

pranav@Pranavs-MacBook-Pro ~ % curl -v --insecure https://pihole.homelabusa.com
*   Trying 192.168.10.50...
* TCP_NODELAY set
* Connection failed
* connect to 192.168.10.50 port 443 failed: Connection refused
* Failed to connect to pihole.homelabusa.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to pihole.homelabusa.com port 443: Connection refused
pranav@Pranavs-MacBook-Pro ~ % 

What you posted earlier definitely helped me fix the SSL config for lighttpd.
However, I am still not able to make a secure connection to the server.

The next logical thing was to test the secure connection using the loopback interface.

[root@PiHole lighttpd]# openssl s_client -showcerts -connect pihole.homelabusa.com:443 </dev/null
CONNECTED(00000003)
139635973666624:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:1543:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 329 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I still think that something in the lighttpd SSL config in external.conf is not right,
because we still get the following error while testing SSL using openssl.

error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:1543:SSL alert number 112

Could you please guide me on the proper way to configure SSL for lighttpd?

Why did you change lighttpd.conf?

Check the files to make sure they actually contain a properly formatted cert and key:

    ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"  

See Enabling HTTPS for your Pi-hole Web Interface for more information.

You've heavily modified /etc/lighttpd/lighttpd.conf and thus we cannot provide support for your modifications.

The configuration file we ship with has a header warning about making changes.

I had only modified two lines in /etc/lighttpd/lighttpd.conf.

  1. Commented out the include_shell line
  2. Added an include line
#include_shell "cat external.conf 2>/dev/null"
include "/etc/lighttpd/external.conf"

Now, I have rolled back those changes.

  1. Removed the comment from the include_shell line
  2. Removed the include line added earlier
include_shell "cat external.conf 2>/dev/null"

With that, /etc/lighttpd/lighttpd.conf is back to the factory default.

My external.conf was configured per the recommendation from the above link.
Here is a copy for quick reference.

[root@PiHole lighttpd]# cat external.conf
$HTTP["host"] == "PiHole.homelabusa.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Also, I have combined.pem in the following format.

-----BEGIN RSA PRIVATE KEY-----
<My Private Key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<My Server certificate>
-----END CERTIFICATE-----

Also, chain.pem has the Let's Encrypt CA certificate, as shown below.

[root@PiHole lighttpd]# cat "/etc/lighttpd/ssl/chain.pem"
[root@PiHole lighttpd]#

Let me know if my external.conf mentioned above looks good.
If yes, the only thing I can try to change is the certificate key format,
i.e. try converting it and see if that helps.

None of this is in our config file:

   fastcgi.server = ( ".php" =>
                      ( "localhost" =>
                        (
                          "socket" => "/tmp/php-fastcgi.socket",
                          "bin-path" => "/usr/bin/php-cgi"
                        )
                      )
                    )

Looks fine, but we don't support that configuration. You need to use the existing topic for help.

This will be my last reply.

Might it be something as simple as mixed case here, and the name on the cert being all in lowercase?

You were right. It was a simple case of mixed case. I didn't know that lighttpd would be so concerned about it.

After that, a local test using curl over the loopback interface worked, but from outside the box I could not connect. That made me think it had to do with the firewall.

[root@PiHole services]# vi /etc/firewalld/services/pihole.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>pihole</short>
  <description>Ports required by pihole</description>
  <port protocol="udp" port="53"/>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="67"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
</service>
[root@PiHole services]# firewall-cmd --zone=public --permanent --add-service=pihole
[root@PiHole services]# firewall-cmd --reload
success

After that I was able to browse the website using https://pihole.homelabusa.com/admin/index.php

This issue is resolved for me.