Pi-hole v6 was recently released and adds support for HTTPS. In `/etc/pihole/pihole.toml`, under the `webserver.tls` configuration block, the documentation mentions that Pi-hole expects the certificate and the key in the same `.pem` file.
Below is the relevant bit from `pihole.toml`:

```toml
[webserver.tls]
  # Path to the TLS (SSL) certificate file. All directories along the path must be
  # readable and accessible by the user running FTL (typically 'pihole'). This option is
  # only required when at least one of webserver.port is TLS. The file must be in PEM
  # format, and it must have both, private key and certificate (the *.pem file created
  # must contain a 'CERTIFICATE' section as well as a 'RSA PRIVATE KEY' section).
  # The *.pem file can be created using
  #     cp server.crt server.pem
  #     cat server.key >> server.pem
  # if you have these files instead
  #
  # Possible values are:
  #     <valid TLS certificate file (*.pem)>
  cert = "/etc/pihole/tls.pem"
```
At the time of writing I have not found an acme.sh deploy hook that would deploy the `.pem` that Pi-hole wants. I started to write one and may upstream it. Until then, we will do this manually.

acme.sh produces a `fullchain.cer` and a `*.key`, so we create the `.pem` file with the following:
```sh
cd /var/lib/acme.sh/pi-hole.example.net
cat fullchain.cer pi-hole.example.net.key > /etc/pihole/tls.pem
```
Restart FTL with `systemctl restart pihole-FTL` and now the Pi-hole admin console should be secured with a certificate obtained via your favorite ACME client.
CERTIFICATE_DOMAIN_MISMATCH
I am not using Pi-hole for DHCP and I am using a different domain for Pi-hole in this network (i.e. pi-hole.example.net). Pi-hole will throw a CERTIFICATE_DOMAIN_MISMATCH warning (?) with the following message:

```
SSL/TLS certificate /etc/pihole/tls.pem does not match domain pi.hole!
```
We can either ignore the warning or update the config. In the admin console:

- Settings
- All settings
- Toggle the toggle at the top such that we see All Settings
- Webserver and API
- Update the value such that it is no longer `pi.hole`
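As an added example (not from the original post, and not code from the Pi-hole or acme.sh projects), the POSIX shell script below assembles the combined PEM the way the `cat` step above does and then runs the checks worth doing before restarting FTL: both sections present with the certificate first, the output file created with mode 0600 since it now carries the private key, and, when `openssl` is installed, that the key actually belongs to the certificate and that the certificate lists the name the admin console is reached under as a DNS subjectAltName, which is the condition behind the CERTIFICATE_DOMAIN_MISMATCH warning discussed above. The function names, the file paths and the domain `pi-hole.example.net` are assumptions taken from the post's setup.

```shell
#!/bin/sh
# Added example: not part of the original post or of Pi-hole / acme.sh.
# Builds the single PEM (certificate chain first, then key) that pihole.toml
# expects and sanity-checks it before FTL is restarted. Paths and the domain
# in the usage comment are assumptions matching the post; adjust to your setup.
set -eu

# build_pihole_pem CERT KEY OUT
# Refuses to write OUT unless CERT holds a CERTIFICATE block and KEY holds a
# PRIVATE KEY block ("RSA PRIVATE KEY", "EC PRIVATE KEY" and "PRIVATE KEY"
# markers all match). The output contains a private key, so it is created
# with umask 077 (mode 0600) inside a subshell so the caller's umask is untouched.
build_pihole_pem() {
    cert="$1"; key="$2"; out="$3"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "no CERTIFICATE section in $cert" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$key" \
        || { echo "no PRIVATE KEY section in $key" >&2; return 1; }
    ( umask 077; cat "$cert" "$key" > "$out" )
}

# pem_has_both_sections PEM
# True when the finished file starts with the certificate and has a key after
# it, the layout the pihole.toml comment describes (cp cert; cat key >>).
pem_has_both_sections() {
    f="$1"
    [ "$(head -n 1 "$f")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"
}

# pem_key_matches_cert PEM   (needs openssl)
# Compares the public key embedded in the certificate with the public key
# derived from the private key; a mismatch means the wrong key was concatenated.
pem_key_matches_cert() {
    f="$1"
    c=$(openssl x509 -in "$f" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$f" -pubout | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# pem_covers_domain PEM DOMAIN   (needs openssl)
# Checks that DOMAIN appears as a DNS subjectAltName, i.e. that the name the
# admin console is served under is one the certificate is valid for.
pem_covers_domain() {
    f="$1"; domain="$2"
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    openssl x509 -in "$f" -noout -text | grep -qE "DNS:${esc}(,|$)"
}

# Usage (paths and domain are assumptions from the post):
#   sh build_pihole_pem.sh /var/lib/acme.sh/pi-hole.example.net/fullchain.cer \
#       /var/lib/acme.sh/pi-hole.example.net/pi-hole.example.net.key \
#       /etc/pihole/tls.pem pi-hole.example.net
if [ "$#" -eq 4 ]; then
    build_pihole_pem "$1" "$2" "$3"
    pem_has_both_sections "$3"
    if command -v openssl >/dev/null 2>&1; then
        pem_key_matches_cert "$3" \
            || { echo "key in $3 does not match its certificate" >&2; exit 1; }
        pem_covers_domain "$3" "$4" \
            || echo "warning: $4 is not a SAN of $3; expect CERTIFICATE_DOMAIN_MISMATCH" >&2
    fi
    echo "wrote $3; now run: systemctl restart pihole-FTL"
fi
```

The key-vs-certificate comparison is the check the plain `cat` cannot give you: a stale `*.key` next to a renewed `fullchain.cer` produces a file that passes the section check but that FTL cannot serve. The SAN check tells you up front whether the value you set under Webserver and API will silence the mismatch warning or merely move it to a different name.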