Create an A (hostname) record in your domain
First, create an A (hostname) record in your domain's DNS panel. In my case, I added the hostname record on Cloudflare.

I use Ubuntu 18.04 to run Pi-hole, and here are the steps to install Letsencrypt on the box.
apt-get install letsencrypt
After installing Letsencrypt on the box, continue with the steps below:
Certificates will be issued by Let’s Encrypt
letsencrypt certonly --webroot -w /var/www/html -d example.com --dry-run
- Run the command above, replacing example.com with your domain. You can use -d multiple times if you have multiple domains (like www.example.com and example.com). This’ll take a while the first time as it installs all the bits and pieces it needs.
- Did everything look good? If it issued a certificate, great! If not, don’t proceed until you fix whatever went wrong. Odds are it failed to validate… you are using a real domain name, one the letsencrypt servers can resolve, right?
- Run the command again, this time without --dry-run so you get a real certificate.
- Create combined certificate
cd /etc/letsencrypt/live/example.com/ && cat privkey.pem cert.pem > combined.pem
Edit /etc/lighttpd/external.conf and add:
$HTTP["host"] == "pihole.example.com" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")
    # Enable the SSL engine with a LE cert, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/example.com/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/example.com/chain.pem"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
    }
    # Redirect HTTP to HTTPS
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
}
systemctl restart lighttpd
- If I didn’t forget any [more] steps, it should be working. Now, let’s automate renewals since Let’s Encrypt certificates are only good for 90 days.
- Add the following to the end of /etc/crontab (it’s one long line), replacing the first number with a random number between 0 and 59, and the second number with the hour you want the renewal to happen.
47 5 * * * root /root/certbot-auto renew --quiet --no-self-upgrade --renew-hook "cat \$RENEWED_LINEAGE/privkey.pem \$RENEWED_LINEAGE/cert.pem > \$RENEWED_LINEAGE/combined.pem;systemctl reload-or-try-restart lighttpd"
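
Both the combined.pem step and the renew hook above copy the private key into a new file next to the certificate. As an added example (not from the original post), the hook script below rebuilds combined.pem with owner-only permissions and an atomic rename, and leaves the existing file alone if either input is missing or not PEM; the function name build_combined is an assumption of this example.

```shell
#!/bin/sh
# Added example: rebuild combined.pem for lighttpd after a renewal without
# loosening private-key permissions or exposing a half-written file.

# build_combined DIR
#   DIR is a certbot lineage directory such as /etc/letsencrypt/live/example.com
#   that contains privkey.pem and cert.pem.
build_combined() {
    dir=$1
    key="$dir/privkey.pem"
    cert="$dir/cert.pem"

    # Fail closed: do not touch combined.pem unless both inputs look like PEM.
    [ -s "$key" ] && [ -s "$cert" ] || { echo "missing key or cert in $dir" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "$key: no PEM private key" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "$cert: no PEM certificate" >&2; return 1; }

    # Write to a temp file in the same directory (mode 0600), then rename it.
    # The rename is atomic, so lighttpd never reads a partial combined.pem.
    (
        umask 077
        tmp=$(mktemp "$dir/combined.pem.XXXXXX") || exit 1
        if cat "$key" "$cert" > "$tmp" && mv -f "$tmp" "$dir/combined.pem"; then
            exit 0
        fi
        rm -f "$tmp"
        exit 1
    )
}

# The renew hook receives RENEWED_LINEAGE from the client; do nothing when unset.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined "$RENEWED_LINEAGE" && systemctl reload-or-try-restart lighttpd
fi
```

Save it as an executable script and pass its path to --renew-hook in place of the inline cat command.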