self signed certificate (topic is solved)

eglider86
Posts: 36
Joined: Sat Mar 20, 2021 10:12 am

self signed certificate

Post by eglider86 »

Hi,
I have managed to hit the limit of Let's Encrypt, so I need to wait for a week....
Is there any way to apply a self signed certificate for this time? I have not found any tutorial or suggestion on how to do it, if it is at all possible.
Thanks
Andrew
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: self signed certificate

Post by Joulinar »

Sure, you can use a self signed certificate. But almost all browsers and applications will complain about it. Some client applications even do not work, as the certificate is not trusted.
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
eglider86
Posts: 36
Joined: Sat Mar 20, 2021 10:12 am

Re: self signed certificate

Post by eglider86 »

It would be a home-installed Nextcloud to be reached by the iOS Nextcloud app. I would give it a try. How do I do it with DietPi on a RP3B?
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: self signed certificate

Post by Joulinar »

Depends on the web server used. Which one have you installed?
willis936
Posts: 3
Joined: Sat May 29, 2021 6:11 pm

Re: self signed certificate

Post by willis936 »

I'm having trouble getting this working on my DietPi.

I followed this guide but removed the CA line. I have this working on another Raspberry Pi running Raspberry Pi OS. Using the same scripts but changing the FQDN results in HTTPS not being available on the DietPi. The site does not redirect to HTTPS, and if HTTPS is specified then a connection cannot be made to the server. No firewall is enabled.

I noticed that there are some extra config files in /etc/lighttpd/conf-enabled on DietPi compared to a regular Pi-hole install, but I haven't fully dug through everything yet. I tried removing the two 99-dietpi-pihole conf files, but that did not change the behavior.

I was hoping someone else who has run into this knows the fix.

Here is my setup. I use a different FQDN than "pihole.example.com".

external.conf

```
$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/pihole.example.com/combined.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    # ssl.use-sslv2/ssl.use-sslv3 are deprecated on recent lighttpd (1.4.56+);
    # ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") is the replacement
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
```
Script to generate ssl certificate.

```
#!/bin/sh
pnCert=/etc/lighttpd/ssl/pihole.example.com
fnCert=$pnCert/combined.pem

mkdir -p "$pnCert"
# Key and certificate go to the same file: openssl appends the certificate
# when -keyout and -out name the same path, which gives the key+cert layout
# lighttpd's ssl.pemfile expects. "myDeets" is the poster's placeholder and
# must be a real DN (it has to start with "/"), or openssl rejects it.
openssl req -new -x509 -newkey rsa:4096 -keyout "$fnCert" -out "$fnCert" -days 365 -nodes -subj "myDeets"
chown www-data:www-data "$fnCert"
chown -R www-data "$pnCert"
chmod 0600 "$fnCert"

systemctl restart lighttpd.service
```
Files present in /etc/lighttpd/conf-enabled on DietPi + Pi-hole.

```
10-fastcgi.conf
15-fastcgi-php.conf
99-dietpi-pihole.conf
99-unconfigured.conf
99-dietpi-pihole-block_public_admin.conf
```
Files present in /etc/lighttpd/conf-enabled on Raspberry Pi OS + Pi-hole.

```
10-fastcgi.conf
15-fastcgi-php.conf
90-javascript-alias.conf
```
eglider86
Posts: 36
Joined: Sat Mar 20, 2021 10:12 am

Re: self signed certificate

Post by eglider86 »

I use the standard web server provided by DietPi for Nextcloud.
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: self signed certificate

Post by Joulinar »

@willis936
What is the reason for creating a self signed certificate and not using dietpi-letsencrypt? I highly recommend using an official certificate if your system is reachable from the internet.

As well, please don't remove any DietPi config files. DietPi is going to set up the web server in a different way than a plain Pi-hole installation would do. This is to allow other web server apps (like Nextcloud) to work next to Pi-hole. Therefore you can't compare the availability of config files. As well, this has nothing to do with DietPi or Raspberry OS. (Btw, DietPi is a Raspberry OS.) It's simply the way things are installed and configured.
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: self signed certificate

Post by Joulinar »

@eglider86
Did you activate HTTPS already before and just want to replace the certificate with a self signed one?

Let's check the configuration files:

```
ls -la /etc/lighttpd/conf-{available,enabled}
```
willis936
Posts: 3
Joined: Sat May 29, 2021 6:11 pm

Re: self signed certificate

Post by willis936 »

@Joulinar This is for a redundant Pi-hole setup behind a NAT. The HTTP/S forwarded IP is not on this Raspberry Pi. In the context of recent Wi-Fi exploits I no longer trust unencrypted LAN traffic. SSL certs can be checked once per client. Browsers remember accepted certs after being prompted once and no longer prompt. I'll still update the cert on a schedule.
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: self signed certificate

Post by Joulinar »

OK, but if you really worry about someone being able to read your local HTTP traffic, you should worry more about what these guys can do as well, like manipulating your local unencrypted DNS traffic. Or do you encrypt the DNS traffic between clients and Pi-hole?

But OK, it's up to you.

On a standard DietPi system, HTTPS on Lighttpd is done by 2 config files:

```
50-dietpi-https.conf          # activate HTTPS
98-dietpi-https_redirect.conf # redirect port 80 > 443
```

They should be located in /etc/lighttpd/conf-available.

Both files have the following content:

50-dietpi-https.conf

```
# Based on: https://ssl-config.mozilla.org/#server=lighttpd
server.modules += ( "mod_openssl" )
# IPv4
$SERVER["socket"] == ":443" {
        protocol = "https://"
        ssl.engine = "enable"

        # pemfile is cert+privkey, ca-file is the intermediate chain in one file
        ssl.pemfile = "/etc/letsencrypt/live/example.com/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/example.com/fullchain.pem"

        # For DH/DHE ciphers, dhparam should be >= 2048-bit
        #ssl.dh-file = "/path/to/dhparam.pem"
        # ECDH/ECDHE ciphers curve strength, see "openssl ecparam -list_curves"
        ssl.ec-curve = "secp384r1"

        # Environment flag for HTTPS enabled
        setenv.add-environment = ( "HTTPS" => "on" )

        # Intermediate configuration, tweak to your needs
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2", "Options" => "-SessionTicket")
        ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
        ssl.honor-cipher-order = "disable"
        ssl.disable-client-renegotiation = "enable"
}
# IPv6
$SERVER["socket"] == "[::]:443" {
        protocol = "https://"
        ssl.engine = "enable"

        # pemfile is cert+privkey, ca-file is the intermediate chain in one file
        ssl.pemfile = "/etc/letsencrypt/live/example.com/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/example.com/fullchain.pem"

        # For DH/DHE ciphers, dhparam should be >= 2048-bit
        #ssl.dh-file = "/path/to/dhparam.pem"
        # ECDH/ECDHE ciphers curve strength, see "openssl ecparam -list_curves"
        ssl.ec-curve = "secp384r1"

        # Environment flag for HTTPS enabled
        setenv.add-environment = ( "HTTPS" => "on" )

        # Intermediate configuration, tweak to your needs
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2", "Options" => "-SessionTicket")
        ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
        ssl.honor-cipher-order = "disable"
        ssl.disable-client-renegotiation = "enable"
}
```
98-dietpi-https_redirect.conf

```
$HTTP["scheme"] == "http" {
        # Capture vhost name with regex conditional %0 in redirect pattern
        # Must be the most inner block to the redirect rule
        $HTTP["host"] =~ ".*" {
                url.redirect = (".*" => "https://%0$0")
        }
}
```

Make sure /etc/lighttpd/lighttpd.conf contains the following 2 mods:

```
        "mod_setenv",
        "mod_redirect",
```

To activate the config:

```
lighty-enable-mod dietpi-https
lighty-enable-mod dietpi-https_redirect
systemctl restart lighttpd
```
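The thread stops short of the actual self signed certificate step for the DietPi layout above. What follows is an added example, not DietPi's, Pi-hole's or any poster's own code: it generates a self-signed certificate in the key+certificate "combined.pem" layout that `ssl.pemfile` in 50-dietpi-https.conf expects, adds the X.509 extensions modern clients insist on (a subjectAltName, since browsers and iOS no longer match the CN alone; serverAuth EKU; CA:FALSE), and gives you checks to run before and after swapping it in. The hostname `pihole.example.com` is the placeholder used earlier in the thread; the output directory, validity and key size are assumed arguments, and the function names are mine.

```shell
#!/bin/sh
# Added example (not DietPi's or Pi-hole's code): self-signed certificate in
# the combined.pem layout for lighttpd, plus pre/post deployment checks.
# Assumed values: HOST, OUTDIR, DAYS and BITS are passed by the caller.
set -eu

# make_selfsigned HOST OUTDIR [DAYS] [BITS]
#   writes OUTDIR/privkey.pem, OUTDIR/cert.pem and OUTDIR/combined.pem
make_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}; bits=${4:-4096}
    mkdir -p "$outdir"
    # Subshell so that umask 077 (key files unreadable to others) does not
    # leak into the caller. -addext needs OpenSSL 1.1.1 or newer.
    (
        umask 077
        openssl req -x509 -newkey "rsa:$bits" -sha256 -nodes -days "$days" \
            -keyout "$outdir/privkey.pem" -out "$outdir/cert.pem" \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -addext "basicConstraints=critical,CA:FALSE" \
            -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
            -addext "extendedKeyUsage=serverAuth"
        # lighttpd's ssl.pemfile reads the private key and the certificate
        # from one file, key first
        cat "$outdir/privkey.pem" "$outdir/cert.pem" > "$outdir/combined.pem"
    )
}

# san_of PEMFILE -> prints the subjectAltName entries, e.g. DNS:pihole.example.com
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# key_matches_cert PEMFILE -> succeeds when the key and the certificate in the
# combined file carry the same public key (catches a stale cert after a rekey,
# which lighttpd would refuse to start with)
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# cert_fingerprint PEMFILE -> SHA-256 fingerprint of the certificate; this is
# the value to compare against what a browser or iOS shows in its trust prompt
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_fingerprint HOST [PORT] -> fingerprint of the certificate the live
# server presents; compare with cert_fingerprint after restarting lighttpd
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: sh selfsigned.sh pihole.example.com /etc/lighttpd/ssl/pihole.example.com
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    make_selfsigned "$1" "$2"
    echo "SAN:         $(san_of "$2/combined.pem")"
    if key_matches_cert "$2/combined.pem"; then
        echo "key/cert:    match"
    else
        echo "key/cert:    MISMATCH" >&2; exit 1
    fi
    echo "fingerprint: $(cert_fingerprint "$2/combined.pem")"
fi
```

To wire it into the DietPi files above: point both `ssl.pemfile` lines (IPv4 and IPv6 sockets) in 50-dietpi-https.conf at the new combined.pem, comment out both `ssl.ca-file` lines (a self-signed certificate has no intermediate chain), make the file readable by the server user (`chown www-data:www-data` and mode 0600, as the Pi-hole script does), run `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` to syntax-check, then enable the two mods and restart as shown. Afterwards `served_fingerprint pihole.example.com` must print the same value as `cert_fingerprint`; if it does not, lighttpd is still serving the old file. For the iOS use case in this thread, Apple additionally rejects server certificates with a validity longer than 825 days and RSA keys shorter than 2048 bits, so keep the defaults above or shorter, and expect every client to be told once, explicitly, to trust this certificate.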