Closed DL6ER closed 5 months ago
This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:
https://discourse.pi-hole.net/t/pihole-v6-firefox-android/67672/5
Should we add a log line announcing the creation of a CA here?
No, it's not even trivial to transport the CA name over there. The vast majority of users will likely add a permanent exception instead of adding the CA certificate. When they want it, the documentation will tell them how - without the need to read any logs.
Should pihole-FTL --read-x509-key also read the tls_ca.crt?
I don't think so. It is a generic tool to read a certificate. This is still what it does. The CA is independent.
I'm not sure where Pi-hole is located, but it might not be "DE".
In the end it doesn't matter. We can add whatever we want.
What does this implement/fix?
Currently, Pi-hole's mechanism to create a self-signed certificate, well, creates a self-signed certificate. Recent user questions have, however, revealed that there is software (most worth mentioning is Firefox) not liking (as in: explicitly discouraging, sometimes even preventing) the usage of such self-signed certificates. Adding the certificate to said browsers (so the web interface page is considered "safe") is not possible in this case.
This PR changes the way Pi-hole generates the TLS certificate for itself. We go a more traditional way by first creating a (self-signed) root certificate authority (CA) and then using this CA to sign a second certificate we specifically create for the TLS web server. The generated CA is exported to a file and can then be imported into Firefox, Chrome, etc.
If you are using curl or friends, nothing changes - you can still use the certificate PEM file as you were used to before.
Related issue or feature (if applicable): N/A
Pull request in docs with documentation (if applicable): https://github.com/pi-hole/docs/pull/980
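The two-step flow the description lays out (self-signed root CA first, then a server certificate issued by that CA, with the CA exported for import into a browser) as an added, stand-alone illustration. This is example code written for this page, not the pull request's code and not anything from FTL; it uses only the Go standard library. The CA name, the demo hostname "pi.hole", ECDSA P-256 keys and the 10-year/1-year validity periods are assumptions chosen for the demo. VerifyServerCert models what a browser with the CA imported (or curl --cacert) does, and shows the "unknown authority" outcome when nothing has been imported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Bundle holds the three PEM files the scheme produces: the CA certificate a
// user imports, and the server certificate and key the web server presents.
type Bundle struct {
	CACertPEM, ServerCertPEM, ServerKeyPEM []byte
}

// GenerateBundle creates a self-signed root CA, then issues a server
// certificate for hostname that is signed by that CA instead of by itself.
func GenerateBundle(hostname string) (*Bundle, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example local root CA"}, // assumed name
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true, // the CA bit a browser needs to accept it as a trust anchor
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Step 1: self-signed root; template and parent are the same certificate.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Step 2: server leaf, signed with the CA key, so its issuer is the CA.
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(srvKey)
	if err != nil {
		return nil, err
	}
	return &Bundle{
		CACertPEM:     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		ServerCertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		ServerKeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

// VerifyServerCert is the check a browser with the CA imported (or curl --cacert)
// performs: chain the server certificate to a trusted root and match the hostname.
// A nil caCertPEM models "nothing imported".
func VerifyServerCert(serverCertPEM, caCertPEM []byte, hostname string) error {
	block, _ := pem.Decode(serverCertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // empty but non-nil: system roots are not consulted
	if caCertPEM != nil && !roots.AppendCertsFromPEM(caCertPEM) {
		return fmt.Errorf("CA PEM could not be parsed")
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

func main() {
	b, err := GenerateBundle("pi.hole") // demo hostname, an assumption
	if err != nil {
		panic(err)
	}
	fmt.Println("with CA imported:", VerifyServerCert(b.ServerCertPEM, b.CACertPEM, "pi.hole"))
	fmt.Println("without CA:", VerifyServerCert(b.ServerCertPEM, nil, "pi.hole"))
}
```

Running it prints a nil error for the first check and an unknown-authority error for the second, which is the situation a browser is in before the exported CA file is imported. Two practical points follow from the design: the hostname in the leaf's SAN must match what users type into the browser, since modern verifiers ignore the CN; and the CA private key can sign a certificate for any name, so it deserves at least the same file permissions as the server key.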