LunarWatcher / lunarwatcher.github.io

Source for my website
https://lunarwatcher.github.io/

posts/2020/05/14/setting-up-ssl-with-pihole-without-a-fqdn #29

Open utterances-bot opened 3 years ago

utterances-bot commented 3 years ago

Setting up SSL with pihole, without a FQDN | LunarWatcher

https://lunarwatcher.github.io/posts/2020/05/14/setting-up-ssl-with-pihole-without-a-fqdn.html

plethora9 commented 3 years ago

This article looked promising but it is incomplete. The scripts are listed but there are no instructions on how they should be saved or ran. I am a novice so the instructions need to be exact for me.

LunarWatcher commented 3 years ago

@Evan193 if you're referring to the shell scripts, their exact location isn't listed because it doesn't matter.

As you can tell from anything with a path referring to a cert, the SSL certs need to be thrown in /etc/sslcerts. I don't remember atm if that was an arbitrary decision or not.

I did vaguely mention this on the first script:

Personally, I chucked this script, along with the certificates, into /etc/sslcerts (mkdir it if it doesn’t exist).

Because again, the location of the script itself is irrelevant. As long as the certificates end up in /etc/sslcerts, pihole doesn't care. The script is for your ease of generation, and not for some obscure pihole use.

It's a shell script (which I'll clarify when I'm actually awake), which means you can either copy-paste the commands and make necessary changes, or make a sh-file (and again make the necessary changes), and run it: https://askubuntu.com/questions/38661/how-do-i-run-sh-scripts

I didn't include this because I assume some familiarity with Linux (read: basic command line understanding, and understanding what shell files are and how they can be executed).

plethora9 commented 3 years ago

Thanks for the reply. I eventually figured it out. I copied your OpenSSL script to sslmake.sh. I had to run bash ./sslmake.sh in order for it to run. I was expecting to just type ./sslmake.sh but it didn’t work. I’ll do the same for sslrenew.sh when the time comes. As for copying the ca.crt.pem to windows for Firefox import, I installed samba with cifs-utils and then mounted the windows share to /mnt/share. My apologies, I tend to get frustrated easily when told to look elsewhere for some of the steps that are determined to be common knowledge. I have a learning disability so I try to learn only what is needed to complete the task.

Meryl commented 2 years ago

Lighttpd won't start, apparently there are issues with mod_openssl.so not being available. Too bad, I like self-signed certs better than no certs :(

LunarWatcher commented 2 years ago

That just sounds like missing dependencies. Not sure what dependency it is, but if I had to take a guess, I'd assume libopenssl. You could probably check with your package manager, if you have one that lets you search for files.

sheeepdev commented 2 years ago

For some odd reason, the web interface is throwing out an SSL_ERROR_INTERNAL_ERROR_ALERT. I can't seem to solve it. The only thing I changed is that I removed the "unknown" stuff from the script (put in my own info).

jon-jm commented 2 years ago

The missing dependency Meryl had, and others probably too, is lighttpd-mod-openssl.

  1. Install it via sudo apt install lighttpd-mod-openssl
  2. Within /etc/lighttpd/external.conf, add before(!) the $HTTP["host"] block:

```
server.modules += (
    "mod_openssl"
)
```

mod_openssl was once included and loaded automatically, but it isn't anymore.

See here for further details: https://discourse.pi-hole.net/t/ssl-for-pi-hole-web-interface-not-working/55937/4

On a side note the lines with ssl.use-sslv2 and ssl.use-sslv3 can be deleted, since those are deprecated.

sheeepdev commented 2 years ago

For some odd reason, the web interface is throwing out an SSL_ERROR_INTERNAL_ERROR_ALERT. I can't seem to solve it. The only thing I changed is that I removed the "unknown" stuff from the script (put in my own info).

If anyone faces this issue, the way I fixed it is by removing the ssl.ca-file property from external.conf.

jogerj commented 1 year ago

Might be outdated settings, but at the end of the day this is what my external.conf looks like:

```
server.modules += ( "mod_openssl" )

$HTTP["host"] == "pihole.lan" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/sslcerts/combined.pem"
    ssl.ca-file =  "/etc/sslcerts/ca.crt.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
```

I took bits from the official guide and from what others suggested. The only issue I couldn't figure out: accessing it via http://pihole.lan redirects to https correctly, but using the IP address, e.g. http://192.168.0.2, won't redirect; in fact, accessing https://192.168.0.2 results in SSL_ERROR_INTERNAL_ERROR_ALERT.
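As an added example (not code from the blog post or from any of the commenters), here is a small POSIX shell lint for an external.conf that checks the three points raised in jon-jm's and jogerj's comments: mod_openssl must be loaded before the first $HTTP["host"] block, the ssl.use-sslv2 / ssl.use-sslv3 lines are deprecated and should go, and ssl.engine enabled only inside a $HTTP["host"] conditional applies TLS settings only to requests that send that host name via SNI. A request by bare IP address sends no SNI, so no TLS settings match and the handshake fails, which is one plausible cause of the SSL_ERROR_INTERNAL_ERROR_ALERT seen for https://192.168.0.2 above. The two sample configs are constructed for the example; the checks assume a stock lighttpd 1.4 conditional syntax.

```shell
#!/bin/sh
# Added example, not from the blog post or the commenters: lint a lighttpd
# external.conf (read on stdin) for the three problems discussed in the thread.
# Every check exits 0 when it passes and 1 when it finds the problem.

# 1. "mod_openssl" must appear in server.modules before the first
#    $HTTP["host"] block, otherwise the ssl.* directives inside it are unknown.
check_module_order() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        /server\.modules/           { in_mod = 1 }     # entering the modules list
        in_mod && /"mod_openssl"/   { loaded = 1 }     # module listed (any line of the list)
        in_mod && /\)/              { in_mod = 0 }     # list closed
        /\$HTTP\["host"\]/ && !seen { seen = 1; if (!loaded) bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# 2. ssl.use-sslv2 / ssl.use-sslv3 are deprecated; they should simply be removed.
check_no_sslv23() {
    ! grep -q 'ssl\.use-sslv[23]'
}

# 3. ssl.engine only inside a $HTTP["host"] conditional means TLS is configured
#    for that SNI name only; it should also be enabled at the $SERVER["socket"]
#    level so that a request without SNI (https://<ip>) gets a certificate.
check_engine_placement() {
    awk '
        /^[[:space:]]*#/ { next }
        /\$HTTP\["host"\]/ && /\{/ && !in_host { in_host = 1; host_level = depth }
        in_host  && /ssl\.engine/ { inside = 1 }
        !in_host && /ssl\.engine/ { outside = 1 }
        { depth += gsub(/\{/, "{") - gsub(/\}/, "}") }   # track brace nesting
        in_host && depth <= host_level { in_host = 0 }   # left the host block
        END { exit (inside && !outside) ? 1 : 0 }
    '
}

# Run all checks over one config (stdin) and print one line per finding.
lint_config() {
    conf=$(cat)
    printf '%s\n' "$conf" | check_module_order     || echo "mod_openssl is not loaded before the first \$HTTP[\"host\"] block"
    printf '%s\n' "$conf" | check_no_sslv23        || echo "remove the deprecated ssl.use-sslv2 / ssl.use-sslv3 lines"
    printf '%s\n' "$conf" | check_engine_placement || echo "ssl.engine is only enabled inside \$HTTP[\"host\"]; enable it in a top-level \$SERVER[\"socket\"] block too"
    return 0
}

# Number of findings for the config on stdin.
issue_count() {
    lint_config | awk 'END { print NR }'
}

# Constructed sample: module loaded too late, TLS only under the host name,
# and the deprecated SSLv2/SSLv3 lines still present.
BAD_CONF=$(cat <<'EOF'
$HTTP["host"] == "pihole.lan" {
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/sslcerts/combined.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }
}
server.modules += ( "mod_openssl" )
EOF
)

# Constructed sample: module first, TLS enabled on the socket itself, and the
# per-host block kept only for the Pi-hole fqdn hint and the HTTP redirect.
GOOD_CONF=$(cat <<'EOF'
server.modules += (
    "mod_openssl"
)

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/sslcerts/combined.pem"
}

$HTTP["host"] == "pihole.lan" {
  setenv.add-environment = ("fqdn" => "true")
  $HTTP["scheme"] == "http" {
    url.redirect = (".*" => "https://%0$0")
  }
}
EOF
)

echo "bad config: $(printf '%s\n' "$BAD_CONF" | issue_count) issue(s)"
printf '%s\n' "$BAD_CONF" | lint_config
echo "good config: $(printf '%s\n' "$GOOD_CONF" | issue_count) issue(s)"
```

To check a real file, run `lint_config < /etc/lighttpd/external.conf`. The brace counter ignores comment lines but not braces inside quoted strings, so a regex such as `".*"` is harmless while an unusual quoted `{` would throw the nesting off; for Pi-hole's external.conf that does not occur.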

LunarWatcher commented 1 year ago

Yeah, some other comments pointed out that too. I recently reinstalled Raspbian, which wiped the SSL settings, meaning I have to reconfigure SSL. Revising the post as part of that is on my backlog as well