Enabling SSL for Pi-Hole Admin Interface (lighttpd)

This video is outdated after I found updating Pi-hole will overwrite the SSL config. The new video showing updated steps can be found at: https://youtu.be/yUdmBGe9wYA

Prerequisites

Create Your SSL Certificate

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
  4. Select New
  5. On the Source tab, make sure Use this Certificate for signing is selected
  6. Verify your Intermediate CA certificate is selected from the drop down
  7. Click the Subject tab
  8. Complete the Distinguished Name section

    internalName: Pi-Hole SSL
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: pihole.i12bretro.local

  9. Click the Generate a New Key button
  10. Enter a name and set the key size to at least 2048
  11. Click Create
  12. Click on the Extensions tab
  13. Select End Entity from the type list
  14. Click Edit next to Subject Alternative Name
  15. Add any DNS or IP addresses that the certificate will identify
  16. Update the validity dates to fit your needs
  17. Click the Key Usage tab
  18. Under Key Usage select Digital Signature, Key Encipherment
  19. Under Extended Key Usage select Web Server and Web Client Authentication
  20. Click the Netscape tab
  21. Select SSL Server
  22. Click OK to create the certificate

Exporting Required Files

  1. In XCA, click on the Certificates tab
  2. Right click the Intermediate CA certificate > Export > File
  3. Set the file name with a .pem extension and verify the export format is PEM chain (*.pem)
  4. Click OK
  5. Right click the SSL certificate > Export > File
  6. Set the file name with a .pem extension and verify the export format is PEM + Key (*.pem)
  7. Click OK

Applying the Certificates

  1. Download PuTTY Download
  2. Connect to the Raspberry Pi via PuTTY
    1. If SSH is not enabled on the Raspberry Pi, enable it using Raspberry Pi Config
    2. Launch PuTTY
    3. Input the Raspberry Pi hostname or IP address
    4. Click Connect
  3. Install xrdp to simplify administration by running the following command
    sudo apt-get install xrdp
  4. Connect to the Raspberry Pi via Remote Desktop Client
  5. Copy the certificates exported above to the Pi
  6. Copy the certificates exported above to /etc/lighttpd
    cp /home/pi/Downloads/PiHole.pem /etc/lighttpd
    cp /home/pi/Downloads/ca-chain.pem /etc/lighttpd
  7. Edit lighttpd.conf
    mousepad
  8. File > Open /etc/lighttpd/lighttpd.conf
  9. Add "mod_openssl" to server.modules
  10. Add the following lines

    server.name = "pihole.i12bretro.local"
    server.port = 443
    ssl.engine = "enable"
    ssl.pemfile = "PiHole.pem"
    ssl.ca-file = "ca-chain.pem"

  11. File > Save > /home/pi/Downloads/lighttpd.conf
  12. In terminal, paste the following commands
    cp /home/pi/Downloads/lighttpd.conf /etc/lighttpd
    service lighttpd restart
  13. Open a web browser and navigate to PiHole via https://