ACME Certificate on PiHole with Digital Ocean DNS Challenge
· 2 min read
Install acme.sh
curl https://get.acme.sh | sh -s email=...
Setup the DNS options, see https://github.com/acmesh-official/acme.sh/wiki/dnsapi for more information. I am using Digital Ocean, so I need to set a DO_API_KEY.
export DO_API_KEY="..."
Set default CA to use Let’s Encrypt:
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
The below scripts assume you’re PiHole is hosted on pihole.example.com. Substitute this for your domain name.
Setup the DNS options, see https://github.com/acmesh-official/acme.sh/wiki/dnsapi for more information. I am using Digital Ocean, so I need to set a DO_API_KEY.
export DO_API_KEY="..."
Issue the certificate:
~/.acme.sh/acme.sh --issue --dns dns_dgon -d pihole.example.com
Deploy the certificate:
~/.acme.sh/acme.sh --deploy -d pihole.example.com --deploy-hook lighttpd
This should deploy a cron job to renew the certificate. Check it has using:
crontab -l
Configure PiHole’s lighttpd server to use the certificate:
cat <<'EOT' >/etc/lighttpd/external.conf
server.modules += ("mod_openssl")
$HTTP["host"] == "pihole.example.com" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/pihole.example.com.pem"
ssl.ca-file = "/etc/lighttpd/pihole.example.com.pem.issuer"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
EOT
Reload lighttpd:
systemctl reload lighttpd