pi-hole / FTL

The Pi-hole FTL engine
https://pi-hole.net

X.509: Create and export CA certificate #1860

Closed DL6ER closed 5 months ago

DL6ER commented 5 months ago

What does this implement/fix?

Currently, Pi-hole's mechanism to create a self-signed certificate, well, creates a self-signed certificate. Recent user questions have, however, revealed that there is software (most worth mentioning is Firefox) not liking (as in: explicitly discouraging, sometimes even preventing) the usage of such self-signed certificates. Adding the certificate to said browsers (so the web interface page is considered "safe") is not possible in this case.

This PR changes the way Pi-hole generates the TLS certificate for itself. We go a more traditional way by first creating a (self-signed) root certificate authority (CA) and then using this CA to sign a second certificate we specifically create for the TLS web server. The generated CA is exported to a file and can then be imported into Firefox, Chrome, etc.

If you are using curl or friends, nothing changes - you can still use the certificate PEM file as you were used to before.

> [!NOTE]
> Pi-hole will not recreate already existing self-signed certificates. If you want to use these new certificates, you will have to run
>
> ```shell
> sudo pihole-FTL --gen-x509 /etc/pihole/tls.pem
> ```
>
> to force recreation of the certificate. Possibly with a domain if you want to use a domain different from pi.hole, e.g.
>
> ```shell
> sudo pihole-FTL --gen-x509 /etc/pihole/tls.pem pihole.lan
> ```

Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): https://github.com/pi-hole/docs/pull/980

By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)


pralor-bot commented 5 months ago

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pihole-v6-firefox-android/67672/5

DL6ER commented 5 months ago

> Should we add a log line announcing the creation of a CA here

No, it's not even trivial to transport the CA name over there. The vast majority of users will likely add a permanent exception instead of adding the CA certificate. When they want it, the documentation will tell them how - without the need to read any logs.


> Should pihole-FTL --read-x509-key read also the tls_ca.crt?

I don't think so. It is a generic tool to read a certificate. This is still what it does. The CA is independent.


> I'm not sure where Pi-hole is located, but it might not be "DE".

In the end it doesn't matter. We can add whatever we want.