You can very easily use your Let’s Encrypt certificates for the Pi-hole web interface. To do so, carry out the following steps:

  1. Create a cron job (run weekly) that stages your live Let’s Encrypt certificates for use in Pi-hole. In the command below, ‘/mnt/Pihole’ is the root share of my Raspberry Pi on which Pi-hole runs:
    cd /etc/letsencrypt/live/ && cp privkey.pem /mnt/Pihole/home/pi/conf.pem && cat cert.pem >> /mnt/Pihole/home/pi/conf.pem && cp fullchain.pem /mnt/Pihole/home/pi/intermediate.pem
  2. Create the file ‘/etc/lighttpd/external.conf’ and add the following content to it (change the first line to your own domain):
    $HTTP["host"] == "<jouw-domein>" {
      # Ensure the Pi-hole Block Page knows that this is not a blocked domain
      setenv.add-environment = ("fqdn" => "true")
    
      # Enable the SSL engine with a LE cert, only for this specific host
      $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/home/pi/conf.pem"
        ssl.ca-file = "/home/pi/intermediate.pem"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        ssl.use-compression = "disable"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
      }
    
      # Redirect HTTP to HTTPS
      $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
          url.redirect = (".*" => "https://%0$0")
        }
      }
    }
  3. Now restart your lighttpd service:
    sudo service lighttpd restart

You will see that when you now browse to your Pi-hole web interface over the internet (HTTPS), the connection is secured with your Let’s Encrypt certificates.
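As an added example (not code from the original post), a small POSIX shell script that performs the bundling of step 1 but first checks that privkey.pem really belongs to cert.pem, writes the files atomically so lighttpd never reads a half-written bundle, and keeps the private key readable by its owner only. The directory arguments are assumptions; the per-domain directory under /etc/letsencrypt/live/ is written as <your-domain>.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are assumptions.
# usage: build_bundle /etc/letsencrypt/live/<your-domain> /mnt/Pihole/home/pi
set -eu

# Returns 0 when the public key inside KEY equals the public key in CERT.
# A mismatched pair makes lighttpd refuse to start, so catch it before copying.
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# build_bundle LIVE_DIR DEST_DIR
#   LIVE_DIR holds privkey.pem, cert.pem and fullchain.pem (Let's Encrypt layout).
#   DEST_DIR receives conf.pem (key + leaf cert, for ssl.pemfile) and
#   intermediate.pem (fullchain.pem, for ssl.ca-file), as in the post.
build_bundle() {
    live="$1"; dest="$2"
    key_matches_cert "$live/privkey.pem" "$live/cert.pem" || {
        echo "privkey.pem does not match cert.pem; bundle not written" >&2
        return 1
    }
    # Create the new files with owner-only permissions (umask in a subshell
    # so the caller's umask is untouched), then swap them into place.
    (
        umask 077
        cat "$live/privkey.pem" "$live/cert.pem" > "$dest/conf.pem.tmp"
        cp "$live/fullchain.pem" "$dest/intermediate.pem.tmp"
    )
    mv "$dest/conf.pem.tmp" "$dest/conf.pem"
    mv "$dest/intermediate.pem.tmp" "$dest/intermediate.pem"
    chmod 600 "$dest/conf.pem"          # contains the private key
    chmod 644 "$dest/intermediate.pem"  # chain is public anyway
}
```

lighttpd loads ssl.pemfile at startup, before it drops privileges, so the 600 mode on conf.pem does not get in its way; run the script from the same cron job that step 1 uses, then restart lighttpd as in step 3.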

Update 22 January 2022

If you run Debian ‘bullseye’, you may additionally need to install ‘mod-openssl’, because it is no longer installed by default. Run the following command to do so:

sudo apt-get install lighttpd-mod-openssl

Also add the following line at the top of the file ‘/etc/lighttpd/external.conf’:

server.modules += ( "mod_openssl" )