Pi-hole is a DNS filtering and management tool. It is most often deployed on a Raspberry Pi, but it runs just as well on any standard Linux machine (x86 or x64). Pi-hole is deployed without any automated SSL certificate signing. If you run Pi-hole on your internal network, getting a certificate is still easy with certbot, as long as you have a public domain to certify with.
If you want to install Pi-hole on an x86 server, use the single-line install script from here.
Certbot fetches SSL certificates after confirming that you control the domain. Private IPs are fine here, but the domain itself must be public. A public DNS record pointing at your host IP is not required at all: the only requirement for proving domain ownership is creating a specific TXT record in the public zone. This is known as the manual method (the DNS-01 challenge) and requires a specific command.
- You need certbot installed
- You need a public DNS zone you can create records on
Use the command syntax below, replacing the hostname with your own server hostname. This is the name you will use to connect to your server. Skip this part if you have already acquired your certificates.
- Install certbot on a server; it can be any server, not necessarily your Pi-hole server
- Run this command to start the process
certbot certonly --manual -d *.mydomain.ca
- Certbot will ask you a few questions and eventually print output similar to
Please deploy a DNS TXT record under the name:
_acme-challenge.mydomain.ca.
with the following value:
vqcwGUeQVgpfu-D_TIgHobOZ44o7wUUsSpT9nJBKKs4
- Create the TXT record on your public domain, exactly as requested by certbot
- Hit Enter to continue in certbot
- Certbot will verify the DNS record and print this output
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mydomain.ca/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mydomain.ca/privkey.pem
This certificate expires on 2024-10-01.
These files will be updated when the certificate renews.
- Grab the two certificate files
/etc/letsencrypt/live/mydomain.ca/fullchain.pem
/etc/letsencrypt/live/mydomain.ca/privkey.pem
- Copy the certificates to Pi-hole at these locations
- Make a new directory with
sudo mkdir /etc/lighttpd/ssl/
- Copy privkey.pem and fullchain.pem to
/etc/lighttpd/ssl/
- Create a new config file
/etc/lighttpd/conf-enabled/external.conf
and edit it
- Enter the following config, replacing the FQDN with your own (a name covered by the certificate you obtained, here any host under the *.mydomain.ca wildcard)
# Hostname the Pi-hole web interface is served under; lighttpd variables set with
# "var." are referenced with the same "var." prefix below
var.fqdn = "gitlab.mydomain.ca"

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    # Public cert and intermediate cert chain
    ssl.pemfile = "/etc/lighttpd/ssl/fullchain.pem"
    # Private key, kept in a separate root-only file
    ssl.privkey = "/etc/lighttpd/ssl/privkey.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/fullchain.pem"
    # Require TLS 1.3
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3")
}

$HTTP["host"] == var.fqdn {
    # Set redirect code for any redirects we do
    url.redirect-code = 308
    # Redirect all http to https, preserving path and query string
    $HTTP["scheme"] == "http" {
        url.redirect = ("" => "https://" + var.fqdn + "${url.path}${qsa}")
    # Redirect root to admin
    } else $HTTP["url"] == "/" {
        url.redirect = ("" => "/admin/")
    }
}
- Restart lighttpd with
sudo service lighttpd restart
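The weak point of the manual step above is timing: certbot checks the _acme-challenge TXT record the moment you hit Enter, and a record that has not propagated yet fails the challenge, so you start over. The following script is an added example (not from the original page, and not part of certbot or Pi-hole) that polls public DNS until the record certbot asked for is visible with the expected value. It assumes `dig` from dnsutils is installed; the resolver 1.1.1.1 and the function names are my choices. It deliberately asks a public resolver rather than the Pi-hole itself, because a local resolver may have cached a negative answer from an earlier, too-early lookup.

```shell
#!/bin/sh
# Added example: wait for the ACME DNS challenge record before continuing in certbot.
#
# wait_for_txt <record name> <expected value> [lookup function] [max tries] [seconds between tries]
# The lookup function prints the TXT values for a name, one per line, and returns
# non-zero on resolver failure. Returns 0 once the expected value is seen, 1 on timeout.
wait_for_txt() {
    name="$1"
    expected="$2"
    lookup="${3:-dig_txt}"
    tries="${4:-30}"
    interval="${5:-10}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        # dig prints TXT values wrapped in double quotes; strip them and require an
        # exact whole-line match so a stale record from a previous run does not pass.
        if "$lookup" "$name" 2>/dev/null | tr -d '"' | grep -qx -- "$expected"; then
            echo "TXT record $name is visible with the expected value"
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    echo "TXT record $name did not show the expected value after $tries tries" >&2
    return 1
}

# Default lookup (assumption: dig is installed; 1.1.1.1 is an arbitrary public resolver,
# chosen instead of the local Pi-hole to avoid its negative cache).
dig_txt() {
    dig +short TXT "$1" @1.1.1.1
}

# Usage with the sample name and value from certbot's prompt above:
#   wait_for_txt _acme-challenge.mydomain.ca vqcwGUeQVgpfu-D_TIgHobOZ44o7wUUsSpT9nJBKKs4
```

Run it in a second terminal while certbot is waiting; once it reports the record as visible, go back to certbot and hit Enter.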
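Certbot's note that the files under /etc/letsencrypt/live "will be updated when the certificate renews" applies only to that directory: the copies made by hand in /etc/lighttpd/ssl/ go stale on their own, and lighttpd only reads its files at restart. The script below is an added example (not from the original page, and not part of certbot or Pi-hole) of a certbot deploy hook that recopies the files and restarts lighttpd after each successful issuance or renewal. It relies on two real certbot behaviours: executables in /etc/letsencrypt/renewal-hooks/deploy/ run after a successful renewal, and the RENEWED_LINEAGE environment variable names the live directory. The function name, the temporary-file dance, the file modes and the assumption that lighttpd reads the key at startup as root (a Debian-style install) are mine; the hook only makes sense on the machine where certbot runs, so if that is not the Pi-hole, replace the copy step with your own transfer.

```shell
#!/bin/sh
# Added example: certbot deploy hook that installs a renewed certificate for Pi-hole's lighttpd.
# Install as /etc/letsencrypt/renewal-hooks/deploy/pihole.sh and make it executable.

# deploy_pihole_cert <lineage dir> [dest dir] [restart command]
deploy_pihole_cert() {
    lineage="$1"
    dest="${2:-/etc/lighttpd/ssl}"
    restart="${3:-service lighttpd restart}"

    # Refuse to touch the live web server directory unless both files are present and non-empty.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "deploy_pihole_cert: $lineage/$f missing or empty, leaving $dest untouched" >&2
            return 1
        fi
    done

    mkdir -p "$dest"
    # Copy to a temporary name and rename, so lighttpd never reads a half-written file.
    for f in fullchain.pem privkey.pem; do
        cp "$lineage/$f" "$dest/$f.tmp" || return 1
        mv "$dest/$f.tmp" "$dest/$f" || return 1
    done
    chmod 644 "$dest/fullchain.pem"   # the chain is public
    chmod 600 "$dest/privkey.pem"     # the key is the secret; assumption: lighttpd loads it as root at startup

    # Unquoted on purpose: the restart command is split into words ("service lighttpd restart").
    $restart
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mydomain.ca) when it runs deploy hooks;
# when the file is sourced for testing the variable is unset and nothing is deployed.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_pihole_cert "$RENEWED_LINEAGE"
fi
```

A dry run against a scratch directory is a cheap way to confirm the copy logic before trusting it with the real key: call `deploy_pihole_cert /etc/letsencrypt/live/mydomain.ca /tmp/ssl-test true` and inspect /tmp/ssl-test. Note that with the manual method, `certbot renew` cannot re-solve the DNS challenge by itself, so renewal still needs you (or a `--manual-auth-hook`) to create the new TXT record; the hook just guarantees that whatever certbot obtains reaches lighttpd.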