Use own mkcert certificate?

I have Pihole 6.0.6 installed directly on a Pi 3b+.

It is working fine, and the new 6.x has TLS set up which is great. Can I replace the certificate with my own certificate? I have mkcert and I have put the root CA on my devices. Currently, there is no trust configured for the pihole server. If I can just put my own cert in there, then trust will be sorted for all of my devices.

Is it possible for me to supply my own TLS cert for Pihole 6.0? If so, are there any instructions on where I put the PEM files?

Thanks

By default Pi-hole's certificate is located at /etc/pihole/tls.pem.
You can change the certificate in the Web Interface at:
Settings > All Settings > Webserver and API > webserver.tls.cert in Expert Mode

The file has to be in .pem form (like mentioned in the description) and be readable by the user pihole.

When using a different domain name than pi.hole it's recommended to change webserver.domain as well.
(Also at Settings > All Settings > Webserver and API)

I did that. I put my new cert into
/etc/pihole/pihole.pem

I then changed that in the UI as you pictured above.
I then changed the webserver.domain to the correct value.
I clicked save.
The saving animation never ended.
Now I cannot view the Pihole admin UI from anywhere.
I tried:
http://pihole.lan/admin --> 403 Forbidden
https://pihole.lan/admin --> Unable to connect
https://pihole.lan:8443/admin --> Unable to connect

IP address gives the same set of errors.
Is there any way to back out this change?

I even tried just copying the tls.pem over my new pem file, which should have returned to the old certificate, but that did not help.

Thanks

OK I have rolled back by editing this file:
/etc/pihole/pihole.toml

It required a reboot to get the web UI working again.

I believe the issue is that Pihole requires some different type of PEM certificate than the one I generated.

I used mkcert to generate my certificate. This creates the key file and the certificate file. I combined the two into one file, key then certificate. I placed that file in the same folder as the default tls.pem. I then edited the pihole.toml file above to point to that PEM file, saved, and restarted lighttpd. At this point, https is still working, but it is not using my supplied certificate, and it is no longer using the pihole default certificate. So it looks like my PEM file, created from mkcert, and merged key and cert to one file is not working.

I do notice that the original Pihole pem file starts with
-----BEGIN EC PRIVATE KEY-----

But my pihole pem file starts with
-----BEGIN PRIVATE KEY-----

I am unsure how to get that type of pem file from mkcert.

Any advice appreciated.


It is now working. For anyone else trying this:

You have to generate an ecdsa cert for Pihole. With mkcert, this is how you do that. The example below allows you to use the IP address or the name with the trusted CA root. Replace with your name and IP address...

mkcert -ecdsa pihole.lan 192.160.0.33

Then concatenate the key and the cert into one pem file.

# Bash command to concatenate
cat pihole.lan+1-key.pem pihole.lan+1.pem > pihole.pem

In order to get the permissions correct, I just copied the existing tls file to a new pem file, then copied the contents of my pem file into that file

sudo cp /etc/pihole/tls.pem /etc/pihole/pihole.pem
cat ~/pihole.pem | sudo tee /etc/pihole/pihole.pem > /dev/null

I then edited the pihole config file to reference this new pem file, and restarted Pihole FTL service

sudo nano /etc/pihole/pihole.toml
# Ctrl + W to search for "pem" and edit that value to "/etc/pihole/pihole.pem", then save the file

# Restart the service
sudo service pihole-FTL restart

Now, for the root CA to be trusted on the browsing device, note that a couple of things must be done.

  1. "mkcert -install" only places the root CA in your user store. Browsers will not trust this. You have to put it in the machine store.
  2. Firefox-based browsers do not trust your self-signed certs by default. You have to open settings, "Privacy & Security", and tick "Allow Zen to automatically trust third-party root certificates you install". If using a Chrome-based browser and it still does not trust the root CA, you may have a similar setting?
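The write-up above ends with a working recipe but no way to confirm a bundle is usable before pihole-FTL is restarted and the admin UI possibly goes away again, which is what happened earlier in the thread. The script below is an added example (my code, not the Pi-hole project's and not from the thread): `check_tls_bundle` inspects a combined key+certificate PEM the way the thread builds one (key first, then cert) and reports what is wrong before you point webserver.tls.cert at it. It checks the block counts, that the key parses and is an EC key (the thread's finding that an ecdsa cert is needed), that the key matches the certificate, that the cert has not expired, and that the SAN covers the hostname or IP you will put in webserver.domain. It accepts both the `BEGIN EC PRIVATE KEY` and `BEGIN PRIVATE KEY` framings the thread ran into, since both can hold an EC key. It assumes `openssl` is installed; `make_sample_bundle` generates a constructed self-signed test bundle in a directory you name so the check can be exercised without touching /etc/pihole.

```shell
#!/bin/sh
# Added example, not from the thread or the Pi-hole project.
# check_tls_bundle FILE HOST -> exit 0 when FILE looks usable as webserver.tls.cert
# for HOST (a DNS name or IP). Requires openssl; otherwise POSIX sh.

check_tls_bundle() {
    bundle="$1"
    host="$2"

    [ -r "$bundle" ] || { echo "FAIL: cannot read $bundle"; return 1; }

    # 1. Exactly one private key block and at least one certificate block.
    #    Any "-----BEGIN ... PRIVATE KEY-----" header counts (SEC1 or PKCS#8).
    keys=$(grep -cE -- '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$bundle" || true)
    certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$keys" -eq 1 ] || { echo "FAIL: expected 1 private key block, found $keys"; return 1; }
    [ "$certs" -ge 1 ] || { echo "FAIL: no certificate block in $bundle"; return 1; }

    # 2. The key must parse (openssl skips the certificate blocks on its own)
    #    and must be an EC key, which is what the thread found Pi-hole accepts.
    pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) \
        || { echo "FAIL: private key does not parse"; return 1; }
    printf '%s\n' "$pub" | openssl ec -pubin -noout >/dev/null 2>&1 \
        || { echo "FAIL: private key is not an EC key"; return 1; }

    # 3. The certificate's public key must match the private key; compare the
    #    SHA-256 of the DER-encoded SubjectPublicKeyInfo from each side.
    keyfp=$(printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    certfp=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$keyfp" ] && [ "$keyfp" = "$certfp" ] \
        || { echo "FAIL: private key does not match the certificate"; return 1; }

    # 4. Not expired, and the SAN list covers HOST (DNS name or IP address).
    openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired"; return 1; }
    hostre=$(printf '%s' "$host" | sed 's/\./\\./g')
    openssl x509 -in "$bundle" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "(DNS|IP Address):$hostre(,|\$)" \
        || { echo "FAIL: no subjectAltName entry for $host"; return 1; }

    # Ownership/mode are printed, not judged: the thread says the file must be
    # readable by the pihole user, which depends on the local setup.
    echo "OK: $bundle covers $host ($(ls -l "$bundle" | awk '{print $1, $3, $4}'))"
    return 0
}

# Constructed sample for trying the check: self-signed cert plus key, written
# in PKCS#8 framing ("BEGIN PRIVATE KEY", the header the thread saw from mkcert).
# ALGO is "ec" (P-256) or "rsa"; HOST becomes the CN and the single SAN.
make_sample_bundle() {
    dir="$1"; host="$2"; algo="${3:-ec}"
    mkdir -p "$dir"
    if [ "$algo" = ec ]; then
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$dir/key.pem" 2>/dev/null
    else
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/key.pem" 2>/dev/null
    fi
    case "$host" in
        *[a-zA-Z]*) san="DNS:$host" ;;
        *)          san="IP:$host" ;;
    esac
    openssl req -new -x509 -key "$dir/key.pem" -days 30 -subj "/CN=$host" \
        -addext "subjectAltName=$san" -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/bundle.pem"   # key first, then cert
}

# Usage: sh check_bundle.sh /etc/pihole/pihole.pem pihole.lan
if [ "$#" -ge 2 ]; then
    check_tls_bundle "$1" "$2"
fi
```

Run it against the file you are about to reference in pihole.toml, with the same name you set in webserver.domain; a non-zero exit with a FAIL line tells you which of the thread's failure modes you have hit (wrong key type, key and cert from different mkcert runs, or a cert that does not name the host) before the service restart locks you out of the admin page.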
