Blog

Install Letsencrypt SSL into Pi-Hole Server


Create A hostname record in your domain

First create an A (hostname) record for the Pi-hole in your domain's DNS panel. In my case, I added the record on Cloudflare.


I use Ubuntu 18.04 for Pi-hole; here are the steps to install Let's Encrypt on the box.

apt-get install letsencrypt

After installing Let's Encrypt on the box, continue with the steps below:
Certificates will be issued by Let’s Encrypt

letsencrypt certonly --webroot -w /var/www/html -d example.com --dry-run
  • letsencrypt certonly --webroot -w /var/www/html -d example.com --dry-run, replacing example.com with your domain. You can use -d multiple times if you have multiple domains (like www.example.com and example.com). This will take a while the first time as it installs all the bits and pieces it needs.
  • Did everything look good? If it issued a certificate, great! If not, don't proceed until you fix whatever went wrong. Odds are it failed to validate: you are using a real domain name, one the Let's Encrypt servers can resolve, right?
  • Run the command again, this time without --dry-run, so you get a real certificate.
  • Create the combined certificate (private key followed by the certificate, which is the format lighttpd expects in ssl.pemfile):
cd /etc/letsencrypt/live/example.com/ and cat privkey.pem cert.pem > combined.pem

Edit /etc/lighttpd/external.conf and add:

$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/example.com/combined.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/example.com/chain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
systemctl restart lighttpd
  • If I didn’t forget any [more] steps, it should be working. Now, let’s automate renewals since Let’s Encrypt certificates are only good for 90 days.
  • Add the following to the end of /etc/crontab (it’s one long line), replacing the first number with a random number between 0 and 59, and the second number with the hour you want the renew to happen.
47 5 * * * root /root/certbot-auto renew --quiet --no-self-upgrade --renew-hook "cat \$RENEWED_LINEAGE/privkey.pem \$RENEWED_LINEAGE/cert.pem > \$RENEWED_LINEAGE/combined.pem;systemctl reload-or-try-restart lighttpd"
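The crontab one-liner above packs the hook into a single quoted string, which makes it easy to get the escaping wrong and leaves no room for checks. The script below is an added example (not from the original post) that does the same job as a standalone renew hook and adds two checks a practitioner would want: combined.pem contains the private key, so it is built under a restrictive umask and renamed into place atomically rather than left world-readable or half-written; and, when openssl is available, the key is confirmed to match the certificate before lighttpd is reloaded with it. It assumes certbot exports RENEWED_LINEAGE to the hook (it does for --renew-hook / --deploy-hook); the service name lighttpd and the RELOAD_CMD override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Usage as a hook:  certbot renew --renew-hook /usr/local/sbin/pihole-combine.sh
# Usage by hand:    ./pihole-combine.sh /etc/letsencrypt/live/example.com
# Assumptions: RENEWED_LINEAGE is set by certbot; RELOAD_CMD may be overridden.

# Build combined.pem (private key first, then the certificate) inside LINEAGE.
# The file is written under umask 077 (mode 0600) to a temp name and then
# renamed, so lighttpd never reads a world-readable or partially written file.
build_combined() {
    lineage="$1"
    key="$lineage/privkey.pem"
    cert="$lineage/cert.pem"
    out="$lineage/combined.pem"

    for f in "$key" "$cert"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # Subshell so the umask change does not leak into the caller.
    (
        umask 077
        cat "$key" "$cert" > "$out.tmp"
    ) || return 1
    mv -f "$out.tmp" "$out"
}

# Confirm privkey.pem and cert.pem carry the same public key.
# Returns 0 on match (or when openssl is not installed and the check is
# skipped), 1 on mismatch or unparsable input.
key_matches_cert() {
    lineage="$1"
    command -v openssl >/dev/null 2>&1 || return 0
    key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$lineage/cert.pem" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Hook entry point: rebuild combined.pem, verify it, then reload lighttpd.
# RELOAD_CMD defaults to the systemctl call used in the crontab line above.
renew_hook() {
    lineage="${1:-${RENEWED_LINEAGE:-}}"
    [ -n "$lineage" ] || { echo "no lineage directory given" >&2; return 1; }
    build_combined "$lineage" || return 1
    key_matches_cert "$lineage" || { echo "key/cert mismatch in $lineage" >&2; return 1; }
    ${RELOAD_CMD:-systemctl reload-or-try-restart lighttpd}
}

# Run only when invoked with a lineage (argument or RENEWED_LINEAGE); when the
# file is sourced with neither, the functions are just defined for the caller.
if [ -n "${1:-}" ] || [ -n "${RENEWED_LINEAGE:-}" ]; then
    renew_hook "${1:-}"
fi
```

Because the hook refuses to reload lighttpd when the key and certificate disagree, a renewal that somehow produced mismatched files leaves the previous working combined.pem untouched instead of taking the admin interface down.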

Add IPv6 to Pi-Hole

  • When I initially set up my Pi-Hole, I only had IPv4 on my system. Thus Pi-Hole only downloaded IPv4-capable blacklists.
  • So I turned IPv6 on on my home router, and enabled DHCPv6.
  • I turned IPv6 on on my Pi-Hole computer, and rebooted. ip -o addr then showed that I had an IPv6 address. Actually, it has a couple of addresses which I don’t understand yet.
  • It still didn’t block IPv6 domain names.
  • I went into my computer (command line), and edited /etc/pihole/setupVars.conf. There I inserted my IPv6 address at IPV6_ADDRESS=2600:1700:(etc)
  • I also edited /etc/pihole/pihole-FTL.conf, and added AAAA_QUERY_ANALYSIS=yes.
  • I restarted pihole-FTL with: systemctl restart pihole-FTL
  • I went to the Pi-Hole web gui, and turned on DHCPv6 (SLAAC + RA). I turned on the Google IPv6 DNS checkboxes.
  • I rebooted my system.
  • I downloaded the blacklists again. This time it included IPv6 entries.