Help with installing LE on Rasp-Pi Pi-Hole breaks lighttpd

Hello community, I am trying to setup LE on RaspBi running pi-hole.
I've used certbot to grab the files.
Had a few issues with A records and then permissions (I think I was running the wrong command.)

Anyway I've now got the certs generated but my lighttpd service won't start when I have my external.conf file in the /etc/lighttpd/ folder

My domain is:
pihole.knobheads.xyz

I ran this command:
certbot certonly --webroot -w /var/www/html -d pihole.knobheads.xyz -d www.pihole.knobheads.xyz
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pihole.knobheads.xyz
http-01 challenge for www.pihole.knobheads.xyz
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
   Your cert will expire on 2022-09-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version):

pi@pi-hole:~ $ lighttpd -v
lighttpd/1.4.45 (ssl) - a light and fast webserver
Build-Date: Jan 14 2017 21:07:19

The operating system my web server runs on is (include version):

pi@pi-hole:~ $ uname -a
Linux pi-hole 4.14.69-v7+ #1141 SMP Mon Sep 10 15:26:29 BST 2018 armv7l GNU/Linux

My hosting provider, if applicable, is:
NA
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

pi@pi-hole:~ $ certbot --version
certbot 0.28.0

I am trying to get SSL installed on my Raspberry Pi running Pi-Hole.

I've got the certs generated but something has happened to my external.conf file that seems to stop lighttpd from running.
Here are the contents of external.conf

$HTTP["host"] == "pihole.knobheads.xyz" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/conf.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/pihole.knobheads.xyz/intermediate.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

I followed this guide:

I modified the path to the pem files as they were originally pointing to /home/pi/

If I rename my external.conf to external.conf.bak then lighttpd will run.

Can some kind soul please help get this working?

    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem"

:wink:

2 Likes

I've now got lighttpd service to start with the external.conf file.
I needed to create a combined.pem file as that's what lighttpd expects.

However browsing to https://pihole.knobheads.xyz or pihole.knobheads.xyz:443 fails to load.
Trying to browse on port 80 also fails.

You don't. You just have to tell it ssl.pemfile and ssl.privkey separately.

If you do create some file like that, you have to automatize that file creation because the file will need to be changed on each certificate renewal. It's one more thing that can get broken.

It doesn't. It redirects to 443 as it should. Check your firewall on port 443.

3 Likes

Hi 9peppe,

Thanks for your help.

It seems my remote connection is no longer working. I'll have to wait for the wife to get home and turn everything off and back on again...

I created the combined file as that's what the instructions here stated. Granted it's over 4 years old.

So if I don't want to use the combined.pem, to minimize breakages, would I need it to look like

External.conf
$HTTP["host"] == "pihole.knobheads.xyz" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

I checked my firewall/NAT and port 443 is forwarded to my pihole server

no.

  • ssl.pemfile goes to fullchain.pem
  • ssl.privkey goes to privkey.pem
  • ssl.ca-file gets removed

If your version of lighttpd is too old, you do instead:

  • ssl.pemfile goes to cert.pem
  • ssl.privkey goes to privkey.pem
  • ssl.ca-file goes to chain.pem
3 Likes

Good morning

Remote access now restored :smiley:

With my external.conf as

 # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
#    ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

lighttpd will not start. It also will not start when:

# Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/cert.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
    ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/chain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

With external.conf as:

 # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/combined.pem"
 #   ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
    ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

lighttpd service will start

However I still cannot browse to it via https. http does indeed forward to https,
but the page fails to load.
If I go to www.pihole.knobheads.xyz that works.

I have tried changing the port in lighttpd.conf to 443 but that wouldn't get the page loading either.

This version of lighttpd is too old to support the ssl.privkey directive (only available on 1.4.53 and up).

For this version you must give it both the certificate chain and the private key in a single file (via ssl.pemfile). Certbot does not provide such a file by itself; you will have to build it yourself by concatenating fullchain and privkey.

2 Likes

I am not sure if these ciphers are actually supported by your lighttpd/openssl combo.

please go here and fill out the actual versions: Mozilla SSL Configuration Generator

as in

certbot --cert-name "$SOMETHING" --deploy-hook "cat $RENEWED_LINEAGE/cert.pem $RENEWED_LINEAGE/privkey.pem > /some/other/directory/combined.pem && service lighttpd reload"

I am not actually sure if lighttpd will like fullchain or wants just leaf and key.

1 Like
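A worked deploy hook for the two points above (an old lighttpd needs certificate and key concatenated into one ssl.pemfile, and that file must be rebuilt on every renewal), as an added example that is not from the thread, certbot or lighttpd. It assumes the bundle lives at /etc/lighttpd/ssl/combined.pem, that the hook runs as root, and that fullchain.pem plus privkey.pem is the right pair as Nummer378 describes.

```shell
#!/bin/sh
# Constructed example of a certbot --deploy-hook (not from the thread): build the
# single-file cert+key bundle that lighttpd before 1.4.53 (no ssl.privkey) needs,
# then reload lighttpd. certbot passes the lineage directory in RENEWED_LINEAGE.
set -eu

# build_combined SRC_DIR OUT_FILE: write fullchain.pem + privkey.pem into OUT_FILE,
# via a temp file so the key is never world-readable and never half-written.
build_combined() {
    src="$1"; out="$2"
    umask 077
    tmp="$(mktemp "$(dirname "$out")/.combined.XXXXXX")"
    cat "$src/fullchain.pem" "$src/privkey.pem" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# check_combined FILE: succeed only if FILE holds at least one certificate and
# exactly one private key, i.e. it really is a usable bundle for ssl.pemfile.
check_combined() {
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c -E -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || true)
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

main() {
    lineage="${RENEWED_LINEAGE:?set by certbot when run as a deploy hook}"
    out="/etc/lighttpd/ssl/combined.pem"   # assumed destination, adjust as needed
    build_combined "$lineage" "$out"
    check_combined "$out"
    # lighttpd loads the pemfile at (re)start while still root, so 0600 root-owned is fine.
    service lighttpd reload
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); otherwise the functions
# above can be sourced and exercised on their own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it with `certbot --cert-name pihole.knobheads.xyz --deploy-hook /path/to/this/script` (or drop it in /etc/letsencrypt/renewal-hooks/deploy/) and `certbot renew --dry-run` to exercise it.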

So I do need to use the combined.pem file as per:

# Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/combined.pem"
 #   ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
    ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

With the above config lighttpd will start but cannot get the webpage to load.

I noticed a typo in my external.conf (missing closing ")
so with:

 # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem" <--That " was missing
 #   ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"

lighttpd still won't start, but using
root@pi-hole:/home/pi# /usr/sbin/lighttpd -tt -f /etc/lighttpd/external.conf; echo $?
Gives the below result
2022-06-14 05:19:32: (configfile.c.1480) a default document-root has to be set
2022-06-14 05:19:32: (server.c.881) setting default values failed
255

and if I run:
root@pi-hole:/home/pi# /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf; echo $?

I get

2022-06-14 05:22:20: (network.c.633) SSL: couldn't read private key from '/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem'
255

At risk of stating the obvious, the easy solution is to upgrade your software :wink:

1 Like

I was just about to ask if I can update lighttpd without it breaking pi-hole

You can probably update pi-hole entirely.

It looks like pi-hole installs lighttpd from the system repositories. pi-hole/basic-install.sh at master · pi-hole/pi-hole · GitHub

(tldr: to update lighttpd and pi-hole, you have to upgrade your raspbian)

1 Like

I tried to update my RasPi
It ran through everything asking the odd question about changed files.
Then it threw an error at the end (having some DNS issues as the cloudflared tunnel is not starting either, so I modded the DNS entry so that it can do lookups)

Running hooks in /etc/ca-certificates/update.d...
done.
W: Operation was interrupted before it could finish

OS version is still the same 4.14.69-v7+
However lighttpd has updated to 4.45
I changed the ssl section of external.conf to

    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem"
 #   ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

Tried to restart lighttpd and got an error.
Ran:
root@pi-hole:/# /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf; echo $?
2022-06-14 13:01:40: (network.c.633) SSL: couldn't read private key from '/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem'

Then I ran
root@pi-hole:/# /usr/sbin/lighttpd -tt -f /etc/lighttpd/external.conf; echo $?
2022-06-14 13:02:29: (configfile.c.1480) a default document-root has to be set
2022-06-14 13:02:29: (server.c.881) setting default values failed

HAHAHAHA

A reboot, a firmware upgrade and another reboot and it's all working :dancing_men:

Thank you @9peppe and @Nummer378 for your help. It has been invaluable and I've learnt a great deal.

Just hope it stays in the grey mush in my head...

2 Likes

Just need to figure out how to redirect the landing page from /var/www/html/index.lighttpd.html to /var/www/html/admin/indexphp

Would also like to redirect www. to https as that still works though I could just change the server port

My external.conf still uses the combined.pem file instead of the correct file names too.

In one of my first posts there's a link to the lighttpd wiki. If there's information around, it's there. (Not on that page specifically, that's for TLS)

2 Likes