Install Letsencrypt SSL into Pi-Hole Server

Create an A hostname record in your domain

Create an A hostname record in your domain's DNS panel. In my case, I added the hostname record on Cloudflare.

I use Ubuntu 18.04 to install Pi-hole, and here are the steps to install Let's Encrypt on the box.

apt-get install letsencrypt

After installing Let's Encrypt on the box, continue with the steps below. Certificates will be issued by Let's Encrypt.

  • Do a dry run first, replacing <your-domain> with your domain:
letsencrypt certonly --webroot -w /var/www/html -d <your-domain> --dry-run
    You can use -d multiple times if you have multiple domains. This'll take a while the first time as it installs all the bits and pieces it needs.
  • Did everything look good? If it issued a certificate, great! If not, don't proceed until you fix whatever went wrong. Odds are it failed to validate… you are using a real domain name, one the letsencrypt servers can resolve, right?
  • Run the command again, this time without --dry-run so you get a real certificate.
  • Create the combined certificate (private key followed by certificate) in your domain's directory:
cd /etc/letsencrypt/live/<your-domain>/
cat privkey.pem cert.pem > combined.pem

  • Edit /etc/lighttpd/external.conf and add the following, replacing <your-domain> with your domain:

$HTTP["host"] == "<your-domain>" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    # Private key + certificate, as created in the previous step
    ssl.pemfile = "/etc/letsencrypt/live/<your-domain>/combined.pem"
    # Intermediate chain sent to clients
    ssl.ca-file = "/etc/letsencrypt/live/<your-domain>/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

  • Restart lighttpd:
systemctl restart lighttpd
  • If I didn’t forget any [more] steps, it should be working. Now, let’s automate renewals since Let’s Encrypt certificates are only good for 90 days.
  • Add the following to the end of /etc/crontab (it's one long line), replacing the first number with a random number between 0 and 59, and the second number with the hour you want the renewal to happen. The command uses the letsencrypt binary installed from apt above.
47 5 * * * root letsencrypt renew --quiet --renew-hook "cat \$RENEWED_LINEAGE/privkey.pem \$RENEWED_LINEAGE/cert.pem > \$RENEWED_LINEAGE/combined.pem;systemctl reload-or-try-restart lighttpd"
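
A sturdier form of the renew hook above, as an added example that is not from the original post: it checks that the key and certificate belong together, then writes combined.pem to a temporary file with mode 600 and renames it into place, so lighttpd is never reloaded onto a half-written or mismatched file. The function names are hypothetical, and it assumes openssl is installed and that the script is saved in a root-only location and passed to --renew-hook in place of the inline cat.

```shell
#!/bin/sh
# Added example: renew hook that rebuilds combined.pem for lighttpd.
# certbot exports RENEWED_LINEAGE (the live/ directory of the renewed cert).
# Function names are hypothetical, chosen for this example.

# Succeeds only if privkey.pem and cert.pem carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Writes key + cert to combined.pem atomically, readable by owner only.
build_combined() {
    lineage=$1
    # Refuse to build from missing or malformed inputs.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$lineage/privkey.pem" 2>/dev/null ||
        { echo "privkey.pem missing or not PEM" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$lineage/cert.pem" 2>/dev/null ||
        { echo "cert.pem missing or not PEM" >&2; return 1; }
    # Temp file in the same directory so mv is an atomic rename;
    # mktemp creates it with mode 600, so the key is never world-readable.
    tmp=$(mktemp "$lineage/combined.pem.XXXXXX") || return 1
    if cat "$lineage/privkey.pem" "$lineage/cert.pem" > "$tmp" &&
        chmod 600 "$tmp" && mv -f "$tmp" "$lineage/combined.pem"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Runs only when invoked by certbot as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    key_matches_cert "$RENEWED_LINEAGE" &&
        build_combined "$RENEWED_LINEAGE" &&
        systemctl reload-or-try-restart lighttpd
fi
```

If either check fails, the previous combined.pem is left untouched and lighttpd is not reloaded.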
