Open utterances-bot opened 3 years ago
This article looked promising but it is incomplete. The scripts are listed but there are no instructions on how they should be saved or run. I am a novice so the instructions need to be exact for me.
@Evan193 if you're referring to the shell scripts, their exact location isn't listed because it doesn't matter.
As you can tell from anything with a path referring to a cert, the SSL certs need to be thrown in /etc/sslcerts. I don't remember atm if that was an arbitrary decision or not.
I did vaguely mention this on the first script:
Personally, I chucked this script, along with the certificates, into /etc/sslcerts (mkdir it if it doesn’t exist).
Because again, the location of the script itself is irrelevant. As long as the certificates end up in /etc/sslcerts, pihole doesn't care. The script is for your ease of generation, and not for some obscure pihole use.
It's a shell script (which I'll clarify when I'm actually awake), which means you can either copy-paste the commands and make necessary changes, or make a .sh file (and again make the necessary changes), and run it: https://askubuntu.com/questions/38661/how-do-i-run-sh-scripts
I didn't include this because I assume some familiarity with Linux (read: basic command line understanding, and understanding what shell files are and how they can be executed)
Thanks for the reply. I eventually figured it out. I copied your OpenSSL script to sslmake.sh. I had to run bash ./sslmake.sh in order for it to run. I was expecting to just type ./sslmake.sh but it didn’t work. I’ll do the same for sslrenew.sh when the time comes. As for copying the ca.crt.pem to windows for Firefox import, I installed samba with cifs-utils and then mounted the windows share to /mnt/share. My apologies, I tend to get frustrated easily when told to look elsewhere for some of the steps that are determined to be common knowledge. I have a learning disability so I try to learn only what is needed to complete the task.
Lighttpd won't start, apparently there are issues with mod_openssl.so not being available. Too bad, I like self-signed certs better than no certs :(
That just sounds like missing dependencies. Not sure what dependency it is, but if I had to take a guess, I'd assume libopenssl. You could probably check with your package manager, if you have one that lets you search for files.
For some odd reason, the web interface is throwing out a SSL_ERROR_INTERNAL_ERROR_ALERT. I can't seem to solve it. The only thing I changed is that i removed the "unknown" stuff from the script (put in my own info)
More likely a missing dependency, and for others it is probably lighttpd-mod-openssl too:

sudo apt install lighttpd-mod-openssl

Then, in /etc/lighttpd/external.conf, add before(!) the $HTTP["host"] block:

server.modules += (
    "mod_openssl"
)

mod_openssl was once included and loaded automatically, but it isn't anymore.
See here for further details: https://discourse.pi-hole.net/t/ssl-for-pi-hole-web-interface-not-working/55937/4
On a side note, the lines with ssl.use-sslv2 and ssl.use-sslv3 can be deleted, since those are deprecated.
> For some odd reason, the web interface is throwing out a SSL_ERROR_INTERNAL_ERROR_ALERT. I can't seem to solve it. The only thing I changed is that i removed the "unknown" stuff from the script (put in my own info)
If anyone faces this issue, the way I fixed it was by removing the ssl.ca-file property from external.conf. Might be outdated settings, but at the end of the day this is what my external.conf looks like:
server.modules += ( "mod_openssl" )

$HTTP["host"] == "pihole.lan" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")

    # Enable the SSL engine with a LE cert, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/sslcerts/combined.pem"
        ssl.ca-file = "/etc/sslcerts/ca.crt.pem"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    }

    # Redirect HTTP to HTTPS
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
}
I took bits from the official guide and what others suggested. The only issue I couldn't figure out: accessing http://pihole.lan redirects to https correctly, but using the IP address, e.g. http://192.168.0.2, won't redirect; in fact, accessing https://192.168.0.2 results in SSL_ERROR_INTERNAL_ERROR_ALERT.
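The config above points ssl.pemfile at /etc/sslcerts/combined.pem and ssl.ca-file at /etc/sslcerts/ca.crt.pem, but the thread never shows how those files are produced (the blog's sslmake.sh is not reproduced here). The script below is an added example, not the blog author's script: it creates a local CA, signs a server certificate whose Subject Alternative Name covers both the hostname and the IP address used in the comments (pihole.lan and 192.168.0.2 are taken from the thread; the CA name "pihole-local-ca" and the file names server.*.pem and san.ext are my own choices), and concatenates key and certificate into the combined.pem that lighttpd's ssl.pemfile expects. Note the caveat: listing the IP in the SAN only makes the certificate valid for that address; it does not change how the $HTTP["host"] == "pihole.lan" block above matches a request made by IP, so it is not claimed to fix the SSL_ERROR_INTERNAL_ERROR_ALERT reported here.

```shell
#!/bin/sh
# Added example (not the blog's sslmake.sh): local CA + server cert with
# DNS and IP SANs, and the key+cert "combined.pem" that lighttpd's
# ssl.pemfile wants. Requires the openssl CLI.
set -e

# make_pihole_certs DIR HOSTNAME IP
make_pihole_certs() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir"

    # 1. Local CA. ca.crt.pem is what you import into the browser
    #    (Firefox in the thread); ca.key.pem must stay on the Pi only.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/ca.key.pem" -out "$dir/ca.crt.pem" \
        -subj "/CN=pihole-local-ca" 2>/dev/null

    # 2. Server key and CSR for the web interface.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key.pem" -out "$dir/server.csr.pem" \
        -subj "/CN=$host" 2>/dev/null

    # 3. Sign with the CA, adding SANs for the hostname AND the IP
    #    (browsers ignore the CN; they match on the SAN list).
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" "$ip" > "$dir/san.ext"
    openssl x509 -req -sha256 -days 825 \
        -in "$dir/server.csr.pem" \
        -CA "$dir/ca.crt.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.crt.pem" 2>/dev/null

    # 4. lighttpd ssl.pemfile = private key followed by the certificate.
    cat "$dir/server.key.pem" "$dir/server.crt.pem" > "$dir/combined.pem"
    chmod 600 "$dir/ca.key.pem" "$dir/server.key.pem" "$dir/combined.pem"
}

# check_pihole_certs DIR HOSTNAME IP
# Returns 0 if the server cert chains to the CA, carries both SANs, and
# combined.pem holds a private key and a certificate.
check_pihole_certs() {
    dir="$1"; host="$2"; ip="$3"
    openssl verify -CAfile "$dir/ca.crt.pem" "$dir/server.crt.pem" \
        >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/server.crt.pem" -noout -text 2>/dev/null)
    case "$text" in *"DNS:$host"*) ;; *) return 1 ;; esac
    case "$text" in *"IP Address:$ip"*) ;; *) return 1 ;; esac
    grep -q 'PRIVATE KEY' "$dir/combined.pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$dir/combined.pem" || return 1
    return 0
}

# Usage on the Pi (as root), matching the paths in the external.conf above:
#   make_pihole_certs /etc/sslcerts pihole.lan 192.168.0.2
#   check_pihole_certs /etc/sslcerts pihole.lan 192.168.0.2 && echo ok
```

After generating, restart lighttpd and import ca.crt.pem (never ca.key.pem) into the browser's trust store; the 825-day limit on the server certificate is what current browsers accept for locally trusted certs, which is why the CA and server lifetimes differ.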
Yeah, some other comments pointed out that too. I recently reinstalled Raspbian, which wiped the SSL settings, meaning I have to reconfigure SSL. Revising the post as part of that is on my backlog as well
Setting up SSL with pihole, without a FQDN | LunarWatcher
https://lunarwatcher.github.io/posts/2020/05/14/setting-up-ssl-with-pihole-without-a-fqdn.html