Unable to get API in Version 6.0 working with SSL Certificates - Python

wavesailor · February 20, 2025, 11:40pm

I've just upgraded to the 6.0 version of Pi-hole. I have a Python program that accesses the API which shows the Pi-hole details on a display. Additionally it allows you to push a button to disable the Pi-hole for 60 seconds.

I get everything to work properly but I get a warning using the following code:

api_payload = {"password": "MY_API_PASSWORD"}
rx = requests.request("POST", 'https://192.168.3.161/api/auth', json=api_payload, verify=False)

The warning is: /home/pi/python/.env/lib/python3.11/site-packages/urllib3/connectionpool.py:1097: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.3.161'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings

Now I want to add certificate verification as recommended. I have tried different ways to access the API with certificates but I keep getting errors.

The Pi-hole standard automatic generated certificate, which are stored in /etc/pihole/ and are the following:

-rw-rw----  1 pihole pihole       733 Feb 18 19:14 tls_ca.crt
-rw-rw----  1 pihole pihole       713 Feb 18 19:14 tls.crt
-rw-rw----  1 pihole pihole      1001 Feb 18 19:14 tls.pem

I'm tried using the combination of certificates above to get it to work but no success.

server_cert_path = 'tls_ca.crt'
rx = requests.request("POST", 'https://192.168.3.161/api/auth', json=api_payload, verify=server_cert_path)

Or

server_cert_path = 'tls_ca.crt'
cert_path = 'tls.crt'
rx = requests.request("POST", 'https://192.168.3.161/api/auth', json=api_payload, verify=server_cert_path, cert=cert_path)

Or

cert_path = 'tls.crt'
rx = requests.request("POST", 'https://192.168.3.161/api/auth', json=api_payload, cert=cert_path)

one of the errors I'm getting is this:
Unexpected error: HTTPSConnectionPool(host='192.168.3.161', port=443): Max retries exceeded with url: /api/auth (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '192.168.3.161'. (_ssl.c:992)")))

Can any please help me out or direct me to some examples?

rdwebdesign · February 21, 2025, 1:08am

Note 1:

If you are using just local API calls, you don't need to use https. Http will avoid the annoying message.

Note 2:

Sorry, I don't know how to add certificates to python scripts. Maybe someone else can help you.

wavesailor · February 21, 2025, 1:26am

I am doing this from different Raspberry Pi's, so I'd prefer to use https

wavesailor · February 21, 2025, 10:01pm

Okay I figured out what the problem was - it was two fold issue.

First I needed to make sure the Pi-hole's DNS servers were set to 127.0.0.1 I had initially set the server up to use 8.8.8.8, but it needs to be 127.0.0.1 (localhost)

Secondly the Pi-hole installation script automatically created a certificate for the domain pi.hole. So when making a call to the server, you must use the address https://pi.hole/. Remember to copy your certificate over to you code folder. They certificates are stored in /etc/pihole/ and are not readable by users other than pihole
Then you will be able to access the API successfully using the sample code below.

api_payload = {"password": "MY_API_PASSWORD"}
server_cert_path = 'tls_ca.crt'
rx = requests.request("POST", 'https://pi.hole/api/auth', json=api_payload, verify=server_cert_path)

Please note: Remember to delete your session because you can max them out which creates a whole new issue to solve.