By default, the Pi-hole web interface, including the web admin panel, is served over HTTP. I want to protect the Pi-hole password with HTTPS when I enter it in the web browser. To enable HTTPS, I need an SSL certificate. My options are creating a self-signed SSL certificate, buying a retail SSL certificate from a public CA, or using a free Let’s Encrypt SSL certificate.
For a home setup, the Let’s Encrypt SSL certificate is a perfect fit. The certificate works in all the major web browsers, so there is no security warning in the browser, and it’s free. It just needs to be renewed every 90 days.
Before proceeding with the following instructions, make sure you meet these two prerequisites.
1. You own a public domain name.
2. You have access to modify the public DNS settings of your domain name. The instructions for doing this vary by DNS hosting vendor. Please consult your DNS hosting vendor for the details.
1. Issue Let’s Encrypt SSL certificate
Let’s Encrypt recommends the Certbot ACME client to automate issuance and installation. Because I don’t want my Pi-hole web interface accessible on the internet, I have to run Certbot with the manual option to issue the certificate. Here is how I do that.
- Log in to my Pi-hole via SSH
- Install Certbot
- $ sudo apt install certbot
- Run certbot to issue a certificate for the Pi-hole FQDN. In my example, the FQDN is pihole.sfitpro.com.
- $ sudo certbot certonly --manual --preferred-challenges dns --cert-name pihole.sfitpro.com -d pihole.sfitpro.com
- During this process, certbot will prompt me to add a DNS TXT record “_acme-challenge.pihole.sfitpro.com” with the value created by certbot.
- Log in to my domain’s DNS hosting site and add a “_acme-challenge.pihole.sfitpro.com” TXT record with the provided value to verify my ownership of the domain name.
- After the TXT record is added, continue with certbot to finish the certificate issuance.
- The private key and issued certificate are saved in /etc/letsencrypt/live/.
2. Enable HTTPS on Pi-hole web interface
- Create a file called combined.pem in the Let’s Encrypt certificate directory
- $ sudo su
- $ cd /etc/letsencrypt/live/pihole.sfitpro.com/
- $ cat privkey.pem cert.pem | tee combined.pem
- Ensure the lighttpd user (www-data) can read the certificates
- $ sudo chown www-data -R /etc/letsencrypt/live
- Create a file called external.conf in /etc/lighttpd/ with the following content
$HTTP["host"] == "pihole.sfitpro.com" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")
    # Enable the SSL engine with a LE cert, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/pihole.sfitpro.com/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/pihole.sfitpro.com/fullchain.pem"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
    }
    # Redirect HTTP to HTTPS
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
}
- Restart the lighttpd service
- $ sudo systemctl restart lighttpd
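Unlike the other files in the live directory, which are symlinks Certbot repoints at each renewal, combined.pem is a static copy, so it goes stale every time the certificate is renewed. The script below is an added example, not part of the original post: it rebuilds combined.pem from privkey.pem and cert.pem only when it is out of date, without printing the private key to the terminal. The function names and the LIVE_DIR_DEFAULT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: keep lighttpd's combined.pem in step with Certbot's files.
# LIVE_DIR_DEFAULT and the function names are assumptions of this example.
LIVE_DIR_DEFAULT=/etc/letsencrypt/live/pihole.sfitpro.com

# Succeeds only if file $1 is readable and contains the PEM marker $2.
has_pem_block() {
    [ -r "$1" ] && grep -q -- "$2" "$1"
}

# Succeeds if combined.pem is byte-identical to privkey.pem + cert.pem.
combined_is_current() (
    dir=${1:-$LIVE_DIR_DEFAULT}
    [ -r "$dir/combined.pem" ] || exit 1
    cat "$dir/privkey.pem" "$dir/cert.pem" 2>/dev/null |
        cmp -s - "$dir/combined.pem"
)

# Rebuilds combined.pem atomically, never echoing the key to the terminal.
rebuild_combined() (
    dir=${1:-$LIVE_DIR_DEFAULT}
    has_pem_block "$dir/privkey.pem" 'PRIVATE KEY-----' ||
        { echo "privkey.pem missing or not a PEM key" >&2; exit 1; }
    has_pem_block "$dir/cert.pem" '-----BEGIN CERTIFICATE-----' ||
        { echo "cert.pem missing or not a PEM certificate" >&2; exit 1; }
    if combined_is_current "$dir"; then exit 0; fi   # already up to date
    umask 077                                        # key material: owner-only
    tmp=$(mktemp "$dir/combined.pem.XXXXXX") || exit 1
    cat "$dir/privkey.pem" "$dir/cert.pem" > "$tmp" || { rm -f "$tmp"; exit 1; }
    # lighttpd reads the file as www-data; only root can hand it over.
    if [ "$(id -u)" -eq 0 ] && id www-data >/dev/null 2>&1; then
        chown www-data "$tmp" || { rm -f "$tmp"; exit 1; }
    fi
    mv -f "$tmp" "$dir/combined.pem"
)

# Runs only when a lineage directory is given, e.g. after each renewal.
if [ "$#" -gt 0 ]; then
    rebuild_combined "$1"
fi
```

Run it as root with the certificate directory as its argument after every renewal, then restart lighttpd as in the step above.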
3. Add the Pi-hole FQDN on Pi-hole
- Create a file called lan.list in /etc/pihole/
- Add the following to the file
- <pi-hole-ip-address> <pi-hole-fqdn>
- e.g. 192.168.1.19 pihole.sfitpro.com
- Create a second dnsmasq config file called 02-lan.conf in /etc/dnsmasq.d/
- Add the following to the file to reference the lan.list file created above
- addn-hosts=/etc/pihole/lan.list
- Restart the DNS service on Pi-hole
- $ sudo pihole restartdns
Now, when I enter the Pi-hole FQDN in the browser, the request is redirected to the HTTPS page with a valid SSL certificate.