Webserver - tls.pem suddenly not working ( still valid )

Expected Behaviour:

Hello, I use pihole installed with the default installation script on a Raspberry Pi.

This setup worked for almost a year now. Today I noticed that I cannot access the webserver, which was working fine. I use a self-signed SSL cert which is still valid for a couple of years.

I have not touched my certs in any way so this could be related to the pihole update I made a couple days back.

Actual Behaviour:

Checking the webserver log:

    [2026-03-06 11:38:20.912 CET 620] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
    [2026-03-06 11:38:20.926 CET 620] Error initializing SSL context

When I try to verify my TLS cert:

$ sudo pihole-FTL --read-x509

Reading certificate from /etc/pihole/tls.pem ...
No key found
Cannot parse certificate: Error code -15104

My TLS File:

Bag Attributes
friendlyName: piholero
localKeyID: 31 01 92 8E 33 CF 96 DD 7D 50 DD AE CA F1 E9 95 B0 D6 9F 9A
subject=C=DE, ST=BA, L=WUE, O=myorg, emailAddress=orgmail.com, CN=piholero
issuer=C=DE, ST=BA, L=WUE, O=myorg, emailAddress=orgmail.com, CN=intermediate-Opnsense
-----BEGIN CERTIFICATE-----
MIIHizCCBuygAwIBAgIBBTAKBggqhkjOPQQDBDCBijELMAkGA1UEBhMCREUxCzAJ
........
0/EEAXBnbcs7sB5mcxuZ2heUSh7FUMmWSDgk20BDvBpwatFNy8fjUbCtVLRLpdZQ
/E754JAzntMFZkfebSxk
-----END CERTIFICATE-----
Bag Attributes
friendlyName: piholero
localKeyID: 31 01 92 8E 33 CF 96 DD 7D 50 DD AE CA F1 E9 95 B0 D6 9F 9A
Key Attributes:
-----BEGIN PRIVATE KEY-----
MIISQgIBADANBgkqhkiG9w0BAQEFAASCEiwwghIoAgEAAoIEAQCRBnz1diFKKjU+
...
dcE3wNB7Nr1u4lmzXNBZxNhDRZhkbw==
-----END PRIVATE KEY-----

Checking the validity:

    Validity
        Not Before: Apr  9 11:21:51 2025 GMT
        Not After : Aug 24 11:21:51 2052 GMT

Debug Token:

Token

Problem solved.

Created a new cert. Same format, same permissions. Now it’s working. Don’t know what happened to the old cert file. Everything was still valid and worked without issues for months.

Did you actually manually create it or did you just delete it and let Pi-Hole create a new one?

You see… there is this new rule that’s going to hit us all in the future: TLS Certificate Lifetimes Will Officially Reduce to 47 Days | DigiCert

I don’t know how the Pi-Hole Team is going to do this in the future, but when you create a certificate manually it’s something you should be aware of.
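
A structural pre-check for a combined certificate-plus-key file laid out like the tls.pem in the first post, as an added example that is not part of the thread and is not pihole-FTL's own parsing code. It only confirms that each PEM block decodes to one complete DER SEQUENCE and says nothing about what caused the error reported here; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_complete(der):
    """True if der is exactly one DER SEQUENCE with no missing or extra bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short form: length fits in one byte
        hdr, length = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def inspect_pem(text):
    """Return (labels of well-formed blocks, list of problems found)."""
    good, problems, matched = [], [], 0
    for m in PEM_RE.finditer(text):
        matched += 1
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
            continue
        if der_complete(der):
            good.append(label)
        else:
            problems.append(f"{label}: truncated or malformed DER")
    if text.count("-----BEGIN ") != matched:
        problems.append("BEGIN marker without a matching END")
    for want in ("CERTIFICATE", "PRIVATE KEY"):
        if not any(lbl.endswith(want) for lbl in good):
            problems.append(f"no usable {want} block")
    return good, problems

def make_pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed stand-ins: a 5-byte DER SEQUENCE, not a real certificate or key.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE = ("Bag Attributes\n    friendlyName: example\n" + make_pem("CERTIFICATE", SAMPLE_DER)
          + "Bag Attributes\nKey Attributes: <No Attributes>\n" + make_pem("PRIVATE KEY", SAMPLE_DER))
```

A file pasted with elision marks such as `........` in the body is reported as invalid base64, so run the check against the file on disk rather than a redacted copy.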