Help with instaling LE on Rasp-Pi Pi-Hole breaks lighttpd

Shaunie · June 13, 2022, 9:03am

Hello community, I am trying to setup LE on RaspBi running pi-hole.
I've used certbot to grab the files.
Had a few issues with A records and then permissions (think I was runnning the wrong command.)

Anyway I've now got the certs generated but my lighttpd service wont start when I have my external.conf file in the /etc/lighttpd/ folder

My domain is:
pihole.knobheads.xyz

I ran this command:
certbot certonly --webroot -w /var/www/html -d pihole.knobheads.xyz -d www.pihole.knobheads.xyz
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pihole.knobheads.xyz
http-01 challenge for www.pihole.knobheads.xyz
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
   Your cert will expire on 2022-09-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version):

pi@pi-hole:~ $ lighttpd -v
lighttpd/1.4.45 (ssl) - a light and fast webserver
Build-Date: Jan 14 2017 21:07:19

The operating system my web server runs on is (include version):

pi@pi-hole:~ $ uname -a
Linux pi-hole 4.14.69-v7+ #1141 SMP Mon Sep 10 15:26:29 BST 2018 armv7l GNU/Linux

My hosting provider, if applicable, is:
NA
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

pi@pi-hole:~ $ certbot --version
certbot 0.28.0

I am trying to get SSL installed on my Raspberry Pi running Pi-Hole.

Ive got the certs generated but something has happened to my external.conf file that seems to stop lighttpd from running.
Here is is the contents of external.conf

$HTTP["host"] == "pihole.knobheads.xyz" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/conf.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/pihole.knobheads.xyz/intermediate.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

I followed this guide:

I modified the path to the pem files as they where originally pointing to /home/pi/

If I rename my external.conf to external.conf.bak then lighttpd will run.

Can some kind soul please help get this working?

9peppe · June 13, 2022, 10:20am

    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem"

Shaunie · June 13, 2022, 11:09am

I've now got lighttpd service to start with the external.conf file.
I needed to create a combined.pem file as thats what lighttpd expects.

However browsing to https://pihole.knobheads.xyz or pihole.knobheads.xyz:443 fails to load.
Also trying to browse on port 80 also fails.

9peppe · June 13, 2022, 11:41am

You don't. You just have to tell it ssl.pemfile and ssl.privkey separately.

If you do create some file like that, you have to automatize that file creation because the file will need to be changed on each certificate renewal. It's one more thing that can get broken.

It doesn't. It redirects to 443 as it should. Check your firewall on port 443.

Shaunie · June 13, 2022, 2:37pm

Hi 9peppe,

Thanks for your help.

It seems my remote connection is no longer working. I'll have to wait for the wife to get home and turn everything off and back on again...

I created the combined file as thats what the instructions here stated. Granted its over 4 years old.

So if I dont want to use the combined.pem to minimze breakages would I need it look like

External.conf
$HTTP["host"] == "pihole.knobheads.xyz" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem"
**    s**sl.ca-file =  "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

I checked my firewall\nat and port 443 is forwarded to my pihole server

9peppe · June 13, 2022, 3:15pm

no.

ssl.pemfile goes to fullchain.pem
ssl.privkey goes to privkey.pem
ssl.ca-file gets removed

If your version of lighttpd is too old, you do instead:

ssl.pemfile goes to cert.pem
ssl.privkey goes to privkey.pem
ssl.ca-file goes to chain.pem

Shaunie · June 14, 2022, 7:44am

Good morning

Remote access now restored

With my external.conf as

 # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
#    ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

lighttpd will not start, Also will not start when:

# Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/cert.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
    ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/chain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

With external.conf as:

 # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/combined.pem"
 #   ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
    ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

lighttpd service will start

However I still cannot browse to it via https. http does indeed forward to https.
but the page fails to load
If I goto www.pihole.knobheads.xyz that works.

I have tried changing the port in lighttpd.conf to 443 but that wouldnt get the page loading either.

Nummer378 · June 14, 2022, 7:57am

This version of lighttpd is too old to support the ssl.privkey directive (only available on 1.4.53 and up).

For this version you must give it both the certificate chain and the private key in a single file (via ssl.pemfile). Certbot does not provide such a file by itself, you will have to build it yourself by concatenating fulllchain and privkey.

9peppe · June 14, 2022, 7:57am

I am not sure if these ciphers are actually supported by your lighttpd/openssl combo.

please go here and fill out the actual versions: Mozilla SSL Configuration Generator

as in

certbot --cert-name "$SOMETHING" --deploy-hook "cat $RENEWED_LINEAGE/cert.pem $RENEWED_LINEAGE/privkey.pem > /some/other/directory/combined.pem && service lighttpd reload"

I am not actually sure if lighttpd will like fullchain or wants just leaf and key.

Shaunie · June 14, 2022, 8:09am

so I do need to use the combined.pem file as per:

# Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/combined.pem"
 #   ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem
    ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

With the above config lighttpd will start but cannot get the webpage to load.

I noticed a typo in my external.conf (missing closing ")
so with:

 # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem" <--That " was missing
 #   ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"

lighttpd still wont start but using
root@pi-hole:/home/pi# /usr/sbin/lighttpd -tt -f /etc/lighttpd/external.conf; echo $?
Gives the below result
2022-06-14 05:19:32: (configfile.c.1480) a default document-root has to be set
2022-06-14 05:19:32: (server.c.881) setting default values failed
255

and if I run:
root@pi-hole:/home/pi# /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf; echo $?

I get

2022-06-14 05:22:20: (network.c.633) SSL: couldn't read private key from '/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem'
255

9peppe · June 14, 2022, 8:10am

At risk of stating the obvious, the easy solution is to upgrade your software

Shaunie · June 14, 2022, 8:12am

I was just about to ask if I can update lighttpd without it breaking pi-hole

9peppe · June 14, 2022, 8:24am

You can probably update pi-hole entirely.

It looks like pi-hole installs lighttpd from the system repositories. pi-hole/basic-install.sh at master · pi-hole/pi-hole · GitHub

(tldr: to update lighttpd and pi-hole, you have to upgrade your raspbian)

Shaunie · June 14, 2022, 12:08pm

I tried to update my RasPi
It ran through everything asking the odd question about changed files.
Then through an error at the end (having some DNS issues as cloudflared tunnel not starting either so modded DNS entry so that it can do lookups)

Running hooks in /etc/ca-certificates/update.d...
done.
W: Operation was interrupted before it could finish

OS version is still the same 4.14.69-v7+
However lighttpd has update to 4.45
I changed the ssl section of external.conf to

    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/pihole.knobheads.xyz/privkey.pem"
 #   ssl.ca-file = "/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

Tried to restart lighttpd and got an error.
Ran:
root@pi-hole:/# /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf; echo $?
2022-06-14 13:01:40: (network.c.633) SSL: couldn't read private key from '/etc/letsencrypt/live/pihole.knobheads.xyz/fullchain.pem'

Then I ran
root@pi-hole:/# /usr/sbin/lighttpd -tt -f /etc/lighttpd/external.conf; echo $?
2022-06-14 13:02:29: (configfile.c.1480) a default document-root has to be set
2022-06-14 13:02:29: (server.c.881) setting default values failed

Shaunie · June 14, 2022, 12:38pm

HAHAHAHA

A reboot a firmware upgrade and another reboot and its all working

Thank you @9peppe and @Nummer378 for your help. It has been invaluable and I've learnt a great deal.

Just hope it stays in the grey mush in my head...

Shaunie · June 14, 2022, 1:20pm

just need to figure out how to redirect the landing page from /var/www/html/index.lighttpd.html to /var/www/html/admin/indexphp

Would also like to redirect www. to https as that still works though I could just change the server port

My external.conf still uses the combined.pem file instead of the correct file names too.

9peppe · June 15, 2022, 12:29pm

In one of my first posts there's a link to the lighttpd wiki. If there's information around, it's there. (Not on that page specifically, that's for TLS)

system · July 15, 2022, 12:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.