V6 self-signed certificate issues

Aran_Shavit · October 25, 2024, 2:14pm

Expected Behaviour:

Pi-hole v6 uses my supplied self-signed certificate in the provided path

Actual Behaviour:

Web UI server does not start, logs say “ Error initializing SSL context”

Debug Token:

I have installed the v6 beta in order to set up TLS on my server.
I have a custom solution that signs and renews certificates for my local domains, so I have created a new certificate for Pihole, and directed it to its path using configuration in /etc/pihole/pihole.toml

Problem is, once I do that, the server won’t start…
FTL logs say:

2024-10-25 15:43:24.977 IDT [1323M] INFO: Created SSL/TLS certificate for pi.hole at /home/aransh/Downloads/certificates/domains/pi.hole/server.pem
2024-10-25 15:43:24.977 IDT [1323M] ERROR: Webserver SSL/TLS certificate /home/aransh/Downloads/certificates/domains/pi.hole/server.pem not found or not readable!
2024-10-25 15:43:24.977 IDT [1323M] ERROR: Start of webserver failed!. Web interface will not be available!
2024-10-25 15:43:24.977 IDT [1323M] ERROR: Error: Error initializing SSL context (error code 3.0)
2024-10-25 15:43:24.977 IDT [1323M] ERROR: Hint: Check the webserver log at /var/log/pihole/webserver.log
2024-10-25 15:43:24.978 IDT [1323M] INFO: Blocking status is enabled
2024-10-25 15:43:25.196 IDT [1323/T36348] INFO: Compiled 7 allow and 0 deny regex for 39 clients in 109.5 msec
2024-10-25 15:43:29.112 IDT [1323/T36347] INFO: Received 8/8 valid NTP replies from pool.ntp.org
2024-10-25 15:43:29.112 IDT [1323/T36347] INFO: Time offset: 8.499026e-01 ms (excluded 0 outliers)
2024-10-25 15:43:29.112 IDT [1323/T36347] INFO: Round-trip delay: 3.206372e+00 ms (excluded 0 outliers)
2024-10-25 15:43:30.000 IDT [1323/T36458] INFO: NTP server listening on 0.0.0.0:123 (IPv4)
2024-10-25 15:43:30.000 IDT [1323/T36459] INFO: NTP server listening on :::123 (IPv6)

web server logs say:
[2024-10-25 15:43:24.971 IDT 1323] Initializing HTTP server on port 80,[::]:80,443s,[::]:443s
[2024-10-25 15:43:24.977 IDT 1323] Error initializing SSL context

I tried comparing to the file in "/etc/pihole/tls.pem",
and permissions are all the same, owner/group is same
Only difference I found was that the certificate generated by Pihole has an encrypted private key, but the configuration file only mentions private key and certificate are required in the pem, so I’m lost to what’s missing here…

Aran_Shavit · October 25, 2024, 3:18pm

Update - placing the certificate under “/etc/pihole/tls.pem”, it works as expected
So, I guess the problem is just path? Can I not point to a certificate in an external path on my filesystem?

NGr · October 25, 2024, 3:47pm

Did you set the appropriate permissions on the directory/file?

Aran_Shavit · October 25, 2024, 6:30pm

Yup, see my last paragraph

DL6ER · October 25, 2024, 6:45pm

This means that the check if this file is (a) accessible and (b) readable failed.

You can. But please bear in mind that pihole-FTL runs as the entirely unprivileged user pihole. Every single step in your custom path /home/aransh/Downloads/certificates/domains/pi.hole/server.pem must be accessible either for world or the user pihole needs to be member of the groups owning these directories.

Most likely, the issue is already that the user pihole cannot see what is inside your home directory /home/aransh due to missing permissions.

Aran_Shavit · October 25, 2024, 7:53pm

Hmmmmm…. I see, so permissions to the pem file isn’t enough, it needs access to the whole path.
In that case, a symbolic link placed in a directory it can access should work, right?

I’ll try and play around with it, but that already explains what I’ve missed, thanks!

DL6ER · October 25, 2024, 7:59pm

No, I'm afraid it won't. A symbolic link is really nothing else than a pointer "look in this other place". If whoever is opening the symbolic link is not able to able to place the symbolic link is pointing to, then you end up in exactly the same situation. Permission bits on the symbolic links themselves are irrelevant, and everything you do on them (may it be chmod, etc.) will simply act as if it was performed against the target of the symbolic link itself.

Probably best to put the file either a commonly accessible location somewhere on your machine, or, if you are forced to use the place the file is currently it, it should be sufficient to make the user pihole a member of group arnash. But I have never tried this myself.

Aran_Shavit · October 25, 2024, 10:27pm

Thanks @DL6ER
Was able to resolve this with the info you provided, maybe best to note this permissions info in the toml file as it wasn’t very clear (maybe something as small as “underprivileged pihole user must be able to read this file”), but happy I got it working now

yubiuser · October 26, 2024, 7:20am

github.com/pi-hole/FTL

Amend the help text of the tls certificate

pi-hole:development ← pi-hole:tweak/cert_help

opened 07:19AM - 26 Oct 24 UTC

yubiuser

+1 -1

**What does this PR aim to accomplish?:** Improve the help text of the `webs…erver.tls.cert` config. Fixes https://discourse.pi-hole.net/t/v6-self-signed-certificate-issues/73640 --- **By submitting this pull request, I confirm the following:** 1. I have read and understood the [contributors guide](https://docs.pi-hole.net/guides/github/contributing/), as well as this entire template. I understand which branch to base my commits and Pull Requests against. 2. I have commented my proposed changes within the code and I have tested my changes. 3. I am willing to help maintain this change if there are issues with it later. 4. It is compatible with the [EUPL 1.2 license](https://opensource.org/licenses/EUPL-1.1) 5. I have squashed any insignificant commits. ([`git rebase`](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html)) 6. I have checked that another pull request for this purpose does not exist. 7. I have considered, and confirmed that this submission will be valuable to others. 8. I accept that this submission may not be used, and the pull request closed at the will of the maintainer. 9. I give this submission freely, and claim no ownership to its content. --- - [x] I have read the above and my PR is ready for review. *Check this box to confirm*

system · November 16, 2024, 7:20am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.