SSL for Pi-hole Web-Interface Not Working

Expected Behaviour:

I would like to be able to access the Pi-hole Admin-Web-Interface via a self signed SSL certificate.
In order to do that, I followed these instructions:
Enabling HTTPS for your Pi-hole Web Interface
Setting up SSL with pihole, without a FQDN

In the admin panel, I set a local DNS entry to redirect pi.myname.eu to the local IP address of my raspberry pi.

Then I changed the /etc/lighttpd/external.conf to:

$HTTP["host"] == "rpi.myname.eu" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.ca-file =  "/etc/lighttpd/ssl/ca.crt.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"       
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Actual Behaviour:

When restarting lighttpd, an error occurs:

Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details

pihole -d gives me:

*** [ DIAGNOSING ]: Pi-hole processes
[✗] lighttpd daemon is failed
[✓] pihole-FTL daemon is active

*** [ DIAGNOSING ]: Pi-hole-FTL full status
   ● pihole-FTL.service - LSB: pihole-FTL daemon
     Loaded: loaded (/etc/init.d/pihole-FTL; generated)
     Active: active (exited) since Wed 2022-06-08 11:11:38 CEST; 4h 53min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 29080 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)
        CPU: 518ms

Jun 08 11:11:31 MRP systemd[1]: Starting LSB: pihole-FTL daemon...
Jun 08 11:11:31 MRP pihole-FTL[29080]: Not running
Jun 08 11:11:31 MRP su[29090]: (to pihole) root on none
Jun 08 11:11:31 MRP su[29090]: pam_unix(su:session): session opened for user pihole(uid=999) by (uid=0)
Jun 08 11:11:38 MRP systemd[1]: Started LSB: pihole-FTL daemon.

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_INTERFACE=eth0
    IPV4_ADDRESS=192.168.0.44/24
    IPV6_ADDRESS= [. . .]
    PIHOLE_DNS_1=208.67.222.222
    PIHOLE_DNS_2=208.67.220.220
    QUERY_LOGGING=true
    INSTALL_WEB_SERVER=true
    INSTALL_WEB_INTERFACE=true
    LIGHTTPD_ENABLED=true
    CACHE_SIZE=10000
    DNS_FQDN_REQUIRED=true
    DNS_BOGUS_PRIV=true
    DNSMASQ_LISTENING=local
    BLOCKING_ENABLED=true
    ADMIN_EMAIL=[. . .]
    WEBUIBOXEDLAYOUT=boxed
    WEBTHEME=default-auto

*** [ DIAGNOSING ]: Dashboard and block page
[✗] Block page X-Header: X-Header does not match or could not be retrieved.

[✗] Web interface X-Header: X-Header does not match or could not be retrieved.

When I delete the content of /etc/lighttpd/external.conf, everything works again, after a restart.

Debug Token:

https://tricorder.pi-hole.net/CTOw3661/

Thank you very much in advance. :slight_smile:

PS: I'm quite new to this stuff.

Did you check the above recommendation?
Also you could run the command below to have lighttpd check its configuration and modules:

sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf

This is documented in the man page:

pi@ph5b:~ $ man lighttpd
[..]
       -f  configfile
               Load configuration file configfile.
[..]
       -tt     Test  the  configuration file for syntax errors, load and
               initialize modules, and exit.

Thanks a lot for your response.

THAT sounds like something useful. :slight_smile:

$ sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf

2022-06-08 18:38:47: configfile.c.255) Warning: please add "mod_openssl" to server.modules list in lighttpd.conf. A future release of lighttpd 1.4.x will not automatically load mod_openssl and lighttpd will not use SSL/TLS where your lighttpd.conf contains ssl.* directives

2022-06-08 18:38:47: plugin.c.195) dlopen() failed for: /usr/lib/lighttpd/mod_openssl.so /usr/lib/lighttpd/mod_openssl.so: cannot open shared object file: No such file or directory

2022-06-08 18:38:47: server.c.1238) loading plugins finally failed

Apparently I need to add a server module called mod_openssl to the /etc/lighttpd/external.conf, because it is no longer loaded automatically.
I will try to figure out how to add this properly to the .conf, however advice is always welcome. :slight_smile:

I already checked both of the other commands, but I couldn't figure anything out:

$ systemctl status lighttpd.service

● lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2022-06-08 18:33:14 CEST; 2s ago
    Process: 15970 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=255/EXCE >
        CPU: 530ms

Jun 08 18:33:14 MRP systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Jun 08 18:33:14 MRP systemd[1]: Stopped Lighttpd Daemon.
Jun 08 18:33:14 MRP systemd[1]: lighttpd.service: Start request repeated too quickly.
Jun 08 18:33:14 MRP systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Jun 08 18:33:14 MRP systemd[1]: Failed to start Lighttpd Daemon.

$ journalctl -xe

Jun 08 18:33:13 MRP lighttpd[15970]: 2022-06-08 18:33:13: plugin.c.195) dlopen() failed for: /usr/lib/lighttpd/mod_o>
Jun 08 18:33:13 MRP lighttpd[15970]: 2022-06-08 18:33:13: server.c.1238) loading plugins finally failed
Jun 08 18:33:13 MRP systemd[1]: lighttpd.service: Control process exited, code=exited, status=255/EXCEPTION
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStartPre= process belonging to unit lighttpd.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 255.
Jun 08 18:33:13 MRP systemd[1]: lighttpd.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit lighttpd.service has entered the 'failed' state with result 'exit-code'.
Jun 08 18:33:13 MRP systemd[1]: Failed to start Lighttpd Daemon.
░░ Subject: A start job for unit lighttpd.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit lighttpd.service has finished with a failure.
░░
░░ The job identifier is 15857 and the job result is failed.
Jun 08 18:33:14 MRP systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ Automatic restarting of the unit lighttpd.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Jun 08 18:33:14 MRP systemd[1]: Stopped Lighttpd Daemon.
░░ Subject: A stop job for unit lighttpd.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit lighttpd.service has finished.
░░
░░ The job identifier is 15925 and the job result is done.
Jun 08 18:33:14 MRP systemd[1]: lighttpd.service: Start request repeated too quickly.
Jun 08 18:33:14 MRP systemd[1]: lighttpd.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit lighttpd.service has entered the 'failed' state with result 'exit-code'.
Jun 08 18:33:14 MRP systemd[1]: Failed to start Lighttpd Daemon.
░░ Subject: A start job for unit lighttpd.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit lighttpd.service has finished with a failure.
░░
░░ The job identifier is 15925 and the job result is failed.

Add it to the block/segment below:

pi@ph5b:~ $ cat /etc/lighttpd/lighttpd.conf
[..]
server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_auth",
    "mod_expire",
    "mod_redirect",
    "mod_setenv",
    "mod_rewrite"
)

Restart lighttpd:

sudo service lighttpd restart

And check again:

sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf

journalctl -u lighttpd

EDIT: Ow, it might also work if you add a server.modules section in the external.conf file, but I wouldn't know the exact syntax.
This is because a Pi-hole update or reconfigure could overwrite changes made in that lighttpd.conf file.

pi@ph5b:~ $ apt-file search mod_openssl.so
lighttpd-mod-openssl: /usr/lib/lighttpd/mod_openssl.so

Also check if the package below is installed:

apt policy lighttpd-mod-openssl

If not installed, you can install with:

sudo apt install lighttpd-mod-openssl

And restart lighttpd.

sudo service lighttpd restart

EDIT: Ow, maybe you need to enable it first before restarting lighttpd:

sudo lighttpd-enable-mod mod_openssl


One can add to the modules list with syntax like (from my external.conf):

server.modules += (
  "mod_deflate",
  "mod_openssl",
  "mod_proxy"
)

Thanks a lot to both of you.
Both were part of the problem. First I had to install lighttpd-mod-openssl and then I added it to the /etc/lighttpd/external.conf, which now looks like this:

server.modules += ( # Needs to be above the $HTTP["host"] block, not within!
    "mod_openssl"
)

$HTTP["host"] == "rpi.myname.eu" {
  # server.modules += (
  #     "mod_openssl"
  # )

  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/ca.crt.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    # ssl.use-sslv2 = "disable" # deprecated
    # ssl.use-sslv3 = "disable" # deprecated
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

After a minute or so, the admin panel was reachable via SSL. :slight_smile:

The only remaining thing is that I get a couple of warnings:

pi@rpi : ~ $ sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf

2022-06-08 19:31:04: configfile-glue.c.298) DEPRECATED: do not set server options in conditionals, variable: server.modules

2022-06-08 19:31:04: mod_openssl.c.2475) SSL: ssl.use-sslv2 is deprecated and will soon be removed. It is disabled by default. Many modern TLS libraries no longer support SSLv2.

2022-06-08 19:31:04: mod_openssl.c.2482) SSL: ssl.use-sslv3 is deprecated and will soon be removed. It is disabled by default. Many modern TLS libraries no longer support SSLv3.

2022-06-08 19:31:04: configfile.c.1142) WARNING: unknown config-key: alias.url (ignored)

Probably only the first one could become a future problem ...

EDIT: Made changes to the /etc/lighttpd/external.conf so that the first three warnings disappear.


I have my server.modules declaration as a 'top-level' item. In your case, you can move it 'outside' the $HTTP["host"] block.


Excellent! After doing that and removing both the lines with SSLv2 and SSLv3 only the very last warning remains. I'm fine with that.


Found explanation below:

Certain lighttpd options, particularly those about processing the request line, must be set before the request is parsed, so that they get applied to the parsing rules of the request line.

Waiting for the request line to be parsed, to then match a condition like /admin, is ... wait for it ... too late, since the request line has already been parsed.

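The three lighttpd warnings worked through in this thread (server.modules set inside a conditional, ssl.* directives with mod_openssl not loaded, and the deprecated ssl.use-sslv2/ssl.use-sslv3 keys) as a small static pre-check over external.conf; this is an added example, not code from the thread or from Pi-hole, and it generalizes the missing-module rule to the alias.url/mod_alias, setenv/mod_setenv and url.redirect/mod_redirect pairs. MAIN_CONF, BEFORE, INSIDE and AFTER are constructed inputs modelled on the configs posted above; it complements `lighttpd -tt`, which remains the authoritative check.

```python
import re

# Directive prefix -> lighttpd module that provides it (the thread hit ssl.* -> mod_openssl
# and alias.url -> mod_alias; the other two pairs follow the same rule).
MODULE_FOR_PREFIX = {"ssl.": "mod_openssl", "alias.": "mod_alias",
                     "setenv.": "mod_setenv", "url.redirect": "mod_redirect"}
DEPRECATED_KEYS = ("ssl.use-sslv2", "ssl.use-sslv3")

def lint_lighttpd(main_conf, external_conf):
    """Return a list of findings mirroring the warnings seen in the thread."""
    findings, loaded, used = [], set(), {}
    for name, text in (("lighttpd.conf", main_conf), ("external.conf", external_conf)):
        lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]   # drop comments
        for m in re.finditer(r'server\.modules\s*\+?=\s*\(([^)]*)\)', "\n".join(lines)):
            loaded.update(re.findall(r'"([^"]+)"', m.group(1)))
        depth = 0                      # nesting inside $HTTP[..] { } / $SERVER[..] { }
        for no, line in enumerate(lines, 1):
            if line.startswith("server.modules") and depth > 0:
                findings.append(f"{name}:{no}: server.modules inside a conditional; "
                                "lighttpd warns DEPRECATED, declare it at top level")
            if line.startswith(DEPRECATED_KEYS):
                findings.append(f"{name}:{no}: {line.split('=')[0].strip()} is deprecated; "
                                "remove it, SSLv2/SSLv3 are already disabled by default")
            for prefix, mod in MODULE_FOR_PREFIX.items():
                if line.startswith(prefix):
                    used.setdefault(mod, f"{name}:{no}")
            depth += line.count("{") - line.count("}")
    for mod, where in used.items():
        if mod not in loaded:
            findings.append(f"{where}: directive needs {mod}, which is not in server.modules "
                            "(lighttpd 1.4.x no longer autoloads it; expect dlopen/unknown-key errors)")
    return findings

# Constructed inputs: a trimmed lighttpd.conf module list and the external.conf from the thread.
MAIN_CONF = 'server.modules = (\n  "mod_access",\n  "mod_setenv",\n  "mod_redirect"\n)'
BEFORE = '''$HTTP["host"] == "rpi.myname.eu" {
  setenv.add-environment = ("fqdn" => "true")
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }
}'''
# First attempt from the thread: the module list placed inside the host block.
INSIDE = BEFORE.replace("{\n", '{\n  server.modules += ("mod_openssl")\n', 1)
# Final version: top-level module list, deprecated SSLv2/SSLv3 keys deleted.
AFTER = 'server.modules += ("mod_openssl")\n' + "\n".join(
    l for l in BEFORE.splitlines() if "sslv" not in l)
```

Run `lint_lighttpd(MAIN_CONF, conf)` on each of the three inputs: BEFORE reports the missing module plus the two deprecated keys, INSIDE reports the conditional placement, AFTER is clean.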
