Enabling SSL for internal network

Hello, I was trying to look into enabling SSL for my pi-hole. I know there are options for letsencrypt, but I am not looking to make my pi-hole publicly available to the open internet. I have created a certificate for internal use, and the root and intermediate CAs have been deployed to the computers on my network.

I would like for SSL to be in place internally so nothing can sniff the password and other information if on the network. Yes I know that if I don’t trust things on my network I should fix that problem first but having extra layers does not hurt.

I tried to follow this tutorial, https://i12bretro.github.io/tutorials/0131.html, which follows this video: https://www.youtube.com/watch?v=yUdmBGe9wYA&t=0s, but because the setup is different with DietPi I believe it does not match up. When it says to edit the file “10-ssl.conf”, it was not there, so I created it. But that still does not fix the issue.

Any direction would be greatly appreciated.

What type of web server are you running? And yes, if you don’t trust your local network, fix this first. Creating local SSL certificates doesn’t make much sense and causes more issues than it helps. If there is someone in your network who is able to sniff stuff, you have other issues than getting PiHole compromised.

In my default installation of Pihole, there is the 10-ssl.conf file inside /etc/lighttpd/conf-available/

# /usr/share/doc/lighttpd/ssl.txt

server.modules += ( "mod_openssl" )

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
        ssl.cipher-list = "HIGH"
}

Yes, that’s for Lighttpd. The configuration file would need to be activated to have an effect.

Nginx and Apache2 behave differently.

Hello, I am running lighttpd; my 10-ssl.conf file looks like the following:

# /usr/share/doc/lighttpd/ssl.txt

server.modules += ( "mod_openssl" )

$SERVER["socket"] == "0.0.0.0:443" {
	ssl.engine = "enable"
	ssl.pemfile = "/etc/lighttpd/PiHole.pem"
	ssl.ca-file = "/etc/lighttpd/ca-chain.pem"
	ssl.cipher-list = "HIGH"
}

Currently, if I try to go to the https version of the site (example: https://pi.hole) I get

This site can’t be reached 
pi.hole refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

In the tutorial I posted above, in the section “Applying the Certificates”, if I run the following commands from step 10

sudo ln -s /etc/lighttpd/conf-available/10-ssl.conf /etc/lighttpd/conf-enabled/10-ssl.conf
sudo service lighttpd restart

I get the following error:

Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.

I have since removed the 10-ssl.conf file from conf-enabled so I can restart the service.

Any ideas or thoughts?

Activate the SSL configuration again and try to check what the issue is by running

/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf

This is a test of your config and should display the issue.

The error you are getting:

This site can’t be reached
pi.hole refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

says that you cannot connect to the server. It is not directly related to the certificates.

Check that the name resolves to the correct IP. Check that the IP is reachable (by ping or some other service). Check that the server is running on port 443 (sudo ss -tunlp | grep 443)
Finally make sure that the file names are correct and with proper upper/lower case.
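The checks suggested above (the config test, whether anything listens on port 443, name resolution, and the file names and paths) gathered into one script, as an added example that is not part of any post in this thread. It assumes Debian-style lighttpd paths (/etc/lighttpd/lighttpd.conf and /usr/lib/lighttpd/mod_openssl.so), takes the ca-chain.pem and pi.hole names from the thread, and expects ss, getent and openssl to be installed on the Pi-hole. The ssl_config_status function only inspects the file(s) you pass it, so it can be run anywhere; the live checks are meant to be run on the Pi-hole itself.

```shell
#!/bin/sh
# Added example, not from the thread: a TLS readiness checklist for a
# LAN-only Pi-hole behind lighttpd. Paths are assumptions based on Debian
# packaging; ca-chain.pem and pi.hole come from the thread. Override any of
# them through the environment, e.g.  HOST=pihole.lan ./tls-check.sh --live
CONF="${CONF:-/etc/lighttpd/lighttpd.conf}"
MODULE="${MODULE:-/usr/lib/lighttpd/mod_openssl.so}"
CA_CHAIN="${CA_CHAIN:-/etc/lighttpd/ca-chain.pem}"
HOST="${HOST:-pi.hole}"

# Static check, needs no lighttpd: do the given config file(s) load mod_openssl
# and enable the TLS engine? Prints "ok", "missing-module" or "engine-disabled"
# and returns 0 only for "ok". Pass lighttpd.conf plus conf-enabled/*.conf to
# judge the effective configuration rather than a single fragment.
ssl_config_status() {
    [ $# -gt 0 ] || set -- "$CONF"
    if ! grep -Eq '^[[:space:]]*server\.modules[[:space:]]*\+?=.*"mod_openssl"' "$@"; then
        echo "missing-module"; return 1
    fi
    if ! grep -Eq '^[[:space:]]*ssl\.engine[[:space:]]*=[[:space:]]*"enable"' "$@"; then
        echo "engine-disabled"; return 1
    fi
    echo "ok"
}

# Live checks, run on the Pi-hole. Each maps to a step from the thread:
# module file present, config parses, something listens on :443, the name
# resolves, and the served certificate chains to the internal CA.
live_checks() {
    if [ -r "$MODULE" ]; then
        echo "PASS module file $MODULE present"
    else
        echo "FAIL $MODULE missing (the dlopen() error; apt install lighttpd-mod-openssl)"
    fi

    if /usr/sbin/lighttpd -tt -f "$CONF" >/dev/null 2>&1; then
        echo "PASS lighttpd -tt accepts $CONF"
    else
        echo "FAIL config test failed; rerun: /usr/sbin/lighttpd -tt -f $CONF"
    fi

    if ss -tlnp 2>/dev/null | grep -q ':443 '; then
        echo "PASS a process is listening on tcp/443"
    else
        echo "FAIL nothing listening on tcp/443 (is the service up?)"
    fi

    ip="$(getent hosts "$HOST" | awk '{print $1; exit}')"
    if [ -n "$ip" ]; then
        echo "PASS $HOST resolves to $ip"
    else
        echo "FAIL $HOST does not resolve"
    fi

    # Verify against the internal CA chain, not the system store, so a
    # certificate the LAN clients would reject is caught here as well.
    if [ -n "$ip" ] && printf '' | openssl s_client -connect "$ip:443" \
            -servername "$HOST" -CAfile "$CA_CHAIN" 2>/dev/null \
            | grep -q 'Verify return code: 0 (ok)'; then
        echo "PASS certificate for $HOST verifies against $CA_CHAIN"
    else
        echo "FAIL TLS handshake or chain verification against $CA_CHAIN failed"
    fi
}

case "${1:-}" in
    --config) shift; ssl_config_status "$@" ;;
    --live)   live_checks ;;
    *)        echo "usage: $0 --config [file...] | --live" >&2 ;;
esac
```

Run `./tls-check.sh --config /etc/lighttpd/lighttpd.conf /etc/lighttpd/conf-enabled/*.conf` first: "missing-module" is exactly the situation the lighttpd warning in this thread describes. Then `./tls-check.sh --live` on the Pi-hole; a FAIL on the module file means the mod_openssl package is absent, which no amount of certificate work will fix.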

I tried to activate it and lighttpd fails to start. I ran the command you stated and get the following:

2021-10-30 05:30:38: configfile.c.255) Warning: please add "mod_openssl" to server.modules list in lighttpd.conf.  A future release of lighttpd 1.4.x *will not* automatically load mod_openssl and lighttpd *will not* use SSL/TLS where your lighttpd.conf contains ssl.* directives
2021-10-30 05:30:38: plugin.c.195) dlopen() failed for: /usr/lib/lighttpd/mod_openssl.so /usr/lib/lighttpd/mod_openssl.so: cannot open shared object file: No such file or directory
2021-10-30 05:30:38: server.c.1238) loading plugins finally failed

I added mod_openssl to the conf, and then it is still stuck with

2021-10-30 05:58:41: plugin.c.195) dlopen() failed for: /usr/lib/lighttpd/mod_openssl.so /usr/lib/lighttpd/mod_openssl.so: cannot open shared object file: No such file or directory
2021-10-30 05:58:41: server.c.1238) loading plugins finally failed

When I try and restart the service I get this as well:

Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.

systemctl status lighttpd.service gives:

Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Control process exited, code=exited, status=255/EXCEPTION
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Oct 30 05:58:32 DietPi systemd[1]: Failed to start Lighttpd Daemon.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Oct 30 05:58:32 DietPi systemd[1]: Stopped Lighttpd Daemon.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Start request repeated too quickly.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Oct 30 05:58:32 DietPi systemd[1]: Failed to start Lighttpd Daemon.

and journalctl -xe gives:

Oct 30 05:58:32 DietPi systemd[1]: Stopped Lighttpd Daemon.
░░ Subject: A stop job for unit lighttpd.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A stop job for unit lighttpd.service has finished.
░░ 
░░ The job identifier is 27331 and the job result is done.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Start request repeated too quickly.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ The unit lighttpd.service has entered the 'failed' state with result 'exit-code'.
Oct 30 05:58:32 DietPi systemd[1]: Failed to start Lighttpd Daemon.
░░ Subject: A start job for unit lighttpd.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit lighttpd.service has finished with a failure.
░░ 
░░ The job identifier is 27331 and the job result is failed.

I was able to get it working; it looks like it was missing the mod_openssl server module.

So I then ran

apt install lighttpd-mod-openssl

restarted the service and it is now working.
Thank you both for your input on this issue.


Yes, you would need to install the required SSL module for the web server :sunglasses:
Good it is working now.