
Comments (10)

jon-jm commented on August 22, 2024

The missing dependency I had, and others probably too, is lighttpd-mod-openssl.

  1. Install it via sudo apt install lighttpd-mod-openssl
  2. Within /etc/lighttpd/external.conf, add the following before(!) the $HTTP["host"] block:

 server.modules += (
     "mod_openssl"
 )

mod_openssl was once included and loaded automatically, but it isn't anymore.

See here for further details: https://discourse.pi-hole.net/t/ssl-for-pi-hole-web-interface-not-working/55937/4

On a side note the lines with ssl.use-sslv2 and ssl.use-sslv3 can be deleted, since those are deprecated.

from lunarwatcher.github.io.
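The two points from the comment above (mod_openssl loaded before the $HTTP["host"] block, no ssl.use-sslv2 / ssl.use-sslv3 lines) can be checked mechanically. This is an added example, not part of the thread or the linked article; the function name lint_external_conf and both sample configs are constructed for illustration.

```python
import re

DEPRECATED = ("ssl.use-sslv2", "ssl.use-sslv3")

def lint_external_conf(text):
    """Return sorted (line_number, message) findings for a lighttpd config."""
    findings, module_at, host_at, engine_at = [], None, None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # simplification: every '#' starts a comment
        # Heuristic: the quoted module name on any active line counts as loaded.
        if module_at is None and '"mod_openssl"' in line:
            module_at = no
        if host_at is None and re.search(r'\$HTTP\["host"\]', line):
            host_at = no
        if engine_at is None and re.search(r'ssl\.engine\s*=\s*"enable"', line):
            engine_at = no
        for key in DEPRECATED:
            if re.search(r"(^|\s)" + re.escape(key) + r"\s*=", line):
                findings.append((no, key + " is deprecated; delete this line"))
    if engine_at is not None and module_at is None:
        findings.append((engine_at, "ssl.engine enabled but mod_openssl is never loaded"))
    if module_at is not None and host_at is not None and module_at > host_at:
        findings.append((module_at, 'mod_openssl is loaded after the $HTTP["host"] block'))
    return sorted(findings)

# Constructed sample configs (not taken from any real host).
BROKEN = '''\
$HTTP["host"] == "pihole.lan" {
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }
}
'''
FIXED = '''\
server.modules += ( "mod_openssl" )
$HTTP["host"] == "pihole.lan" {
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
  }
}
'''

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_external_conf(conf) or "no findings")
```
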

plethora9 commented on August 22, 2024

This article looked promising but it is incomplete. The scripts are listed but there are no instructions on how they should be saved or run. I am a novice so the instructions need to be exact for me.

LunarWatcher commented on August 22, 2024

@Evan193 if you're referring to the shell scripts, their exact location isn't listed because it doesn't matter.

As you can tell from anything with a path referring to a cert, the SSL certs need to be thrown in /etc/sslcerts. I don't remember atm if that was an arbitrary decision or not.

I did vaguely mention this on the first script:

Personally, I chucked this script, along with the certificates, into /etc/sslcerts (mkdir it if it doesn’t exist).

Because again, the location of the script itself is irrelevant. As long as the certificates end up in /etc/sslcerts, pihole doesn't care. The script is for your ease of generation, and not for some obscure pihole use.

It's a shell script (which I'll clarify when I'm actually awake), which means you can either copy-paste the commands and make necessary changes, or make a sh-file (and again make the necessary changes), and run it: https://askubuntu.com/questions/38661/how-do-i-run-sh-scripts

I didn't include this because I assume some familiarity with Linux (read: basic command line understanding, and understanding what shell files are and how they can be executed)

plethora9 commented on August 22, 2024

Thanks for the reply. I eventually figured it out. I copied your OpenSSL script to sslmake.sh. I had to run bash ./sslmake.sh in order for it to run. I was expecting to just type ./sslmake.sh but it didn’t work. I’ll do the same for sslrenew.sh when the time comes. As for copying the ca.crt.pem to Windows for Firefox import, I installed samba with cifs-utils and then mounted the Windows share to /mnt/share. My apologies, I tend to get frustrated easily when told to look elsewhere for some of the steps that are determined to be common knowledge. I have a learning disability so I try to learn only what is needed to complete the task.

Meryl commented on August 22, 2024

Lighttpd won't start, apparently there are issues with mod_openssl.so not being available. Too bad, I like self-signed certs better than no certs :(

LunarWatcher commented on August 22, 2024

That just sounds like missing dependencies. Not sure what dependency it is, but if I'd have to take a guess, I'd assume libopenssl. You could probably check with your package manager, if you have one that lets you search for files.

sheeepdev commented on August 22, 2024

For some odd reason, the web interface is throwing out an SSL_ERROR_INTERNAL_ERROR_ALERT. I can't seem to solve it. The only thing I changed is that I removed the "unknown" stuff from the script (put in my own info).

sheeepdev commented on August 22, 2024

For some odd reason, the web interface is throwing out an SSL_ERROR_INTERNAL_ERROR_ALERT. I can't seem to solve it. The only thing I changed is that I removed the "unknown" stuff from the script (put in my own info).

If anyone faces this issue, the way I fixed it is by removing the ssl.ca-file property from the external.conf.

jogerj commented on August 22, 2024

Might be outdated settings, but at the end of the day this is what my external.conf looks like:

server.modules += ( "mod_openssl" )

$HTTP["host"] == "pihole.lan" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/sslcerts/combined.pem"
    ssl.ca-file =  "/etc/sslcerts/ca.crt.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Took bits from the official guide and what others suggested. The only issue I couldn't figure out was that accessing http://pihole.lan would redirect to HTTPS correctly, but using the IP address, e.g. http://192.168.0.2, won't redirect; in fact, accessing https://192.168.0.2 would result in SSL_ERROR_INTERNAL_ERROR_ALERT.

LunarWatcher commented on August 22, 2024

Yeah, some other comments pointed that out too. I recently reinstalled Raspbian, which wiped the SSL settings, meaning I have to reconfigure SSL. Revising the post as part of that is on my backlog as well.
