Enabling SSL for internal network Topic is solved

TechEnjoy
Posts: 8
Joined: Wed Oct 13, 2021 6:38 am

Enabling SSL for internal network

Post by TechEnjoy »

Hello, I was trying to look into enabling SSL for my pi-hole. I know there are options for Let's Encrypt, but I am not looking to make my pi-hole publicly available to the open internet. I have created a certificate for internal use, and the root and intermediate CA have been deployed to the computers on my network.

I would like SSL to be in place internally so nothing can sniff the password and other information if it is on the network. Yes, I know that if I don't trust things on my network I should fix that problem first, but having extra layers does not hurt.

I tried to follow this tutorial, https://i12bretro.github.io/tutorials/0131.html, which follows this video: https://www.youtube.com/watch?v=yUdmBGe9wYA&t=0s, but because the setup is different with DietPi I believe it does not match up. When it says to edit a file like "10-ssl.conf", it was not there, so I made it. But that still does not fix the issue.

Any direction would be greatly appreciated.
Joulinar
Posts: 6525
Joined: Sat Nov 16, 2019 12:49 am

Re: Enabling SSL for internal network

Post by Joulinar »

What type of web server are you running? And yes, if you don't trust your local network, fix this first. Creating local SSL certificates doesn't make much sense and causes more issues than it helps. If there is someone in your network who is able to sniff stuff, you have other issues than getting PiHole compromised.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
trendy
Posts: 397
Joined: Tue Feb 25, 2020 2:54 pm

Re: Enabling SSL for internal network

Post by trendy »

In my default installation of Pihole, there is the 10-ssl.conf file inside /etc/lighttpd/conf-available/

Code:

# /usr/share/doc/lighttpd/ssl.txt

server.modules += ( "mod_openssl" )

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
        ssl.cipher-list = "HIGH"
}
Joulinar
Posts: 6525
Joined: Sat Nov 16, 2019 12:49 am

Re: Enabling SSL for internal network

Post by Joulinar »

Yes, that's for Lighttpd. The configuration file would need to be activated to have an effect.

Nginx and Apache2 behave differently.
TechEnjoy
Posts: 8
Joined: Wed Oct 13, 2021 6:38 am

Re: Enabling SSL for internal network

Post by TechEnjoy »

Hello, I am running lighttpd. My 10-ssl.conf file looks like the following:

Code:

# /usr/share/doc/lighttpd/ssl.txt

server.modules += ( "mod_openssl" )

$SERVER["socket"] == "0.0.0.0:443" {
	ssl.engine = "enable"
	ssl.pemfile = "/etc/lighttpd/PiHole.pem"
	ssl.ca-file = "/etc/lighttpd/ca-chain.pem"
	ssl.cipher-list = "HIGH"
}
Currently, if I try to go to the https version of the site (example: https://pi.hole) I get

Code:

This site can’t be reached 
pi.hole refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
In the tutorial that I posted above, in the section Applying the Certificates, if I do the following commands from step 10

Code:

sudo ln -s /etc/lighttpd/conf-available/10-ssl.conf /etc/lighttpd/conf-enabled/10-ssl.conf
sudo service lighttpd restart
I get the following error:

Code:

Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.
I have since removed the 10-ssl.conf file from conf-enabled so I can restart the service.

Any ideas or thoughts?
Joulinar
Posts: 6525
Joined: Sat Nov 16, 2019 12:49 am

Re: Enabling SSL for internal network

Post by Joulinar »

Activate SSL configuration again and try to check what the issue is by running

Code:

/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
This is a test of your config and should display the issue.
trendy
Posts: 397
Joined: Tue Feb 25, 2020 2:54 pm

Re: Enabling SSL for internal network

Post by trendy »

The error you are getting:

Code:

This site can’t be reached
pi.hole refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
says that you cannot connect to the server. It doesn't have to do directly with the certificates.

Check that the name resolves to the correct IP. Check that the IP is reachable (by ping or some other service). Check that the server is running on port 443 (sudo ss -tunlp | grep 443)
Finally make sure that the file names are correct and with proper upper/lower case.
TechEnjoy
Posts: 8
Joined: Wed Oct 13, 2021 6:38 am

Re: Enabling SSL for internal network

Post by TechEnjoy »

Joulinar wrote: Tue Oct 26, 2021 7:43 am
Activate SSL configuration again and try to check what the issue is by running

Code:

/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
This is a test of your config and should display the issue.
I tried to activate it and lighttpd fails to start. I ran the command you stated and get the following:

Code:

2021-10-30 05:30:38: configfile.c.255) Warning: please add "mod_openssl" to server.modules list in lighttpd.conf.  A future release of lighttpd 1.4.x *will not* automatically load mod_openssl and lighttpd *will not* use SSL/TLS where your lighttpd.conf contains ssl.* directives
2021-10-30 05:30:38: plugin.c.195) dlopen() failed for: /usr/lib/lighttpd/mod_openssl.so /usr/lib/lighttpd/mod_openssl.so: cannot open shared object file: No such file or directory
2021-10-30 05:30:38: server.c.1238) loading plugins finally failed
I added mod_openssl to the conf, and then it is still stuck with

Code:

2021-10-30 05:58:41: plugin.c.195) dlopen() failed for: /usr/lib/lighttpd/mod_openssl.so /usr/lib/lighttpd/mod_openssl.so: cannot open shared object file: No such file or directory
2021-10-30 05:58:41: server.c.1238) loading plugins finally failed
When I try and restart the service I get this as well:

Code:

Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.
systemctl status lighttpd.service gives:

Code:

Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Control process exited, code=exited, status=255/EXCEPTION
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Oct 30 05:58:32 DietPi systemd[1]: Failed to start Lighttpd Daemon.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Oct 30 05:58:32 DietPi systemd[1]: Stopped Lighttpd Daemon.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Start request repeated too quickly.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Oct 30 05:58:32 DietPi systemd[1]: Failed to start Lighttpd Daemon.
and journalctl -xe gives:

Code:

Oct 30 05:58:32 DietPi systemd[1]: Stopped Lighttpd Daemon.
░░ Subject: A stop job for unit lighttpd.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A stop job for unit lighttpd.service has finished.
░░ 
░░ The job identifier is 27331 and the job result is done.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Start request repeated too quickly.
Oct 30 05:58:32 DietPi systemd[1]: lighttpd.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ The unit lighttpd.service has entered the 'failed' state with result 'exit-code'.
Oct 30 05:58:32 DietPi systemd[1]: Failed to start Lighttpd Daemon.
░░ Subject: A start job for unit lighttpd.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit lighttpd.service has finished with a failure.
░░ 
░░ The job identifier is 27331 and the job result is failed.
TechEnjoy
Posts: 8
Joined: Wed Oct 13, 2021 6:38 am

Re: Enabling SSL for internal network

Post by TechEnjoy »

I was able to get it working, looks like it was missing the mod_openssl server module.

So I then ran

Code:

apt install lighttpd-mod-openssl
restarted the service and it is now working.
Thank you both for your input on this issue.
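The pieces that resolved this thread (the missing lighttpd-mod-openssl package from the post above, the 10-ssl.conf link into conf-enabled, Joulinar's `lighttpd -tt` config test, and trendy's port and name-resolution checklist) gathered into one preflight script. This is an added example, not code from the original posts or from DietPi, Pi-hole or lighttpd. It assumes Debian's default paths (/usr/lib/lighttpd and /etc/lighttpd), that Debian's `lighty-enable-mod ssl` is the equivalent of the `ln -s` used in the thread, and the pi.hole hostname from the thread; the function names, the `--run` flag and the PEM layout checks are the example's own.

```shell
#!/bin/sh
# Preflight for a lighttpd TLS listener. Added example, not from the original
# posts or from DietPi/Pi-hole/lighttpd. Every check takes paths as arguments
# so it can be pointed at a real install (defaults below) or at a test tree.

LIGHTTPD_LIB=${LIGHTTPD_LIB:-/usr/lib/lighttpd}   # assumption: Debian layout
LIGHTTPD_ETC=${LIGHTTPD_ETC:-/etc/lighttpd}

# 1. The shared object that failed to dlopen() in the thread. It is shipped
#    by the lighttpd-mod-openssl package, not by lighttpd itself.
has_openssl_module() {  # has_openssl_module <libdir>
    [ -f "$1/mod_openssl.so" ]
}

# 2. conf-available/10-ssl.conf does nothing until it is linked into
#    conf-enabled/ (lighty-enable-mod ssl, or the ln -s from the thread).
ssl_conf_enabled() {  # ssl_conf_enabled <etcdir>
    [ -e "$1/conf-enabled/10-ssl.conf" ]
}

# 3. mod_openssl must be loaded explicitly; the warning quoted in the thread
#    says lighttpd will stop auto-loading it when ssl.* directives appear.
conf_loads_openssl() {  # conf_loads_openssl <conffile>
    grep -Eq '^[[:space:]]*server\.modules[[:space:]]*\+?=.*"mod_openssl"' "$1"
}

# 4. Read the quoted value of one directive (e.g. ssl.pemfile) from a config.
conf_value() {  # conf_value <conffile> <directive>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# 5. ssl.pemfile needs the server certificate and, unless the key is given
#    separately via ssl.privkey, the private key in the same PEM file.
pemfile_complete() {  # pemfile_complete <pemfile> <separate_key: yes|no>
    [ -r "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    [ "${2:-no}" = "yes" ] && return 0
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# 6. Key material should not be world-readable; lighttpd reads it as root
#    during startup, so 0600 root:root is enough. Column 8 of ls -l is o+r.
not_world_readable() {  # not_world_readable <file>
    [ "$(ls -ld "$1" | cut -c8)" != "r" ]
}

# Static checks: print the concrete fix for each missing piece, return 1 if any failed.
preflight() {  # preflight <libdir> <etcdir>
    lib=$1; etc=$2; conf=$etc/conf-available/10-ssl.conf; rc=0
    has_openssl_module "$lib"  || { echo "missing $lib/mod_openssl.so -> apt install lighttpd-mod-openssl"; rc=1; }
    ssl_conf_enabled "$etc"    || { echo "10-ssl.conf not in conf-enabled -> lighty-enable-mod ssl"; rc=1; }
    conf_loads_openssl "$conf" || { echo "add server.modules += ( \"mod_openssl\" ) to $conf"; rc=1; }
    pem=$(conf_value "$conf" 'ssl.pemfile')
    key=$(conf_value "$conf" 'ssl.privkey')
    if [ -n "$key" ]; then sep=yes; else sep=no; fi
    pemfile_complete "$pem" "$sep"       || { echo "ssl.pemfile=$pem is unreadable or lacks cert/key"; rc=1; }
    not_world_readable "${key:-$pem}"    || { echo "${key:-$pem} is world-readable; chmod 600 it"; rc=1; }
    return $rc
}

# Live checks from the thread, only after the static ones pass. `--run` is this
# example's own flag so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    preflight "$LIGHTTPD_LIB" "$LIGHTTPD_ETC" &&
    /usr/sbin/lighttpd -tt -f "$LIGHTTPD_ETC/lighttpd.conf" &&   # config + module load test
    ss -tlnp | grep -q ':443 ' &&                                  # something listening on 443?
    openssl s_client -connect pi.hole:443 -servername pi.hole \
        -verify_return_error </dev/null >/dev/null                  # chain validates against this host's trust store
fi
```

Run it as `sh lighttpd-tls-preflight.sh --run` on the Pi. The last step only succeeds if the internal root CA is in the trust store of the machine running the script, which is the same condition the browsers on the network have to meet; a refused connection with a passing config test points at the listener (port, address, firewall), not at the certificate, exactly as trendy noted.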
Joulinar
Posts: 6525
Joined: Sat Nov 16, 2019 12:49 am

Re: Enabling SSL for internal network

Post by Joulinar »

Yes, you would need to install the required SSL module for the web server 8)
Good it is working now.