Install Pi-Hole with Let’s Encrypt HTTPS

Pi-Hole is great as a local DNS server because it also blocks ads, malware, fraud sites and much more. In fact, it makes our life much easier when we want to install vCenter in our home labs as well. Pi-Hole can run on almost any hardware, but of course it depends on how many DNS lookups/requests you have. By default Pi-Hole is not installed with SSL, and you need to add “/admin” at the end of the address. So, in this guide I’ll go through how to install Pi-Hole on Ubuntu, how to configure Pi-Hole’s administration portal with SSL, and how to redirect the address so you don’t need to write “/admin” at the end.

Introduction

Validated on

This how-to has been tested and is known to work on, but is not limited to, the following versions

  • Ubuntu 24.04
  • Ubuntu 22.04

Prerequisite

  • Sudo or root access to your Ubuntu Server
  • SSH access to your Ubuntu Server
  • SSH software
    • macOS, you can use Terminal
    • Linux, you can use Terminal
    • Windows, I do recommend you to use PuTTY
  • The following ports are needed for Pi-Hole, so make sure they are opened
    • 80/tcp
    • 443/tcp
    • 22/tcp (SSH port, if changed replace it with the correct port)
    • 53

System Requirements

I’ll install Pi-Hole on an Ubuntu VM running in vCenter with 2 vCPU and 3GB of RAM in this guide. This is plenty for Pi-Hole to work without any problem.

Good to know

  • In this guide we need to open firewall ports, so I recommend you read through my guide on how to configure Ubuntu Server’s built-in firewall.
  • During the installation of Pi-Hole it will set the current IP of your server as static
  • Nano commands
    • To save a file after you have made changes, press CTRL+X and then Y
    • To go to the end of the file, press CTRL+W and then CTRL+V

Recommendation

  • If you haven’t secured SSH on your Ubuntu Server, I recommend you read my guide about it

Backup your old Pi-Hole (optional)

If you have another Pi-Hole that you want to move to a new server or migrate to this one, you need to download a backup from it so you can restore it later. You can do that by going to the admin portal -> Settings in the left menu -> click on Teleporter in the top menu -> click on the Backup button, and a backup file will be downloaded to your computer.

Configure Ubuntu Server

  • Before we start to install Pi-Hole we need to make sure that our server is up to date

    sudo apt update && sudo apt upgrade -y
    
  • We also need to open some ports in UFW (firewall). UFW only accepts one protocol per rule, so the TCP ports go in one rule and DNS (port 53, which needs both TCP and UDP) in another

    sudo ufw allow 22,80,443/tcp
    sudo ufw allow 53
    

Install Pi-Hole

  • Now we are going to install Pi-Hole. Lucky for us, it’s not hard to install Pi-Hole; simply run the following command (the installer needs root, so sudo goes on the bash side of the pipe)

    curl -sSL https://install.pi-hole.net | sudo bash
    

  • During the installation you need to set some configuration options. On most of them you just need to press Enter, but I’ll go through all of them below

    Here you can choose if Pi-Hole should set your current server IP as static, you can also choose a custom one.

    Now you need to choose what external DNS server you want to use.

    If you have chosen to set a custom DNS this step will show. You can enter multiple DNS by separating them with a “,” sign.

    (Custom DNS only) Confirm that your DNS settings are correct.

    If you want a third-party blocklist added then choose Yes here, you can add or remove blocklists later in the administration portal. I recommend that you choose Yes here, as it’s a known good blocklist.

    Here you can choose if you want the admin interface installed or not, I do recommend that you install the admin interface as this guide depends on it.

    Now you can choose to install lighttpd as the webserver for the admin portal or not, for this guide we choose to install it.

    Just click according to the pictures below for the following steps, you can change them later in the admin portal.

    We are on the last step. You don’t need to save the password, as we will change it instead.

    Let’s change the automatically generated password for Pi-Hole. Replace YOURPASSWORD with the password you want (if you leave the password out, the command prompts for it interactively, which keeps it out of your shell history)

    sudo pihole -a -p YOURPASSWORD
    

Configure SSL (optional)

Wildcard certificate with Let’s Encrypt

To set up Let’s Encrypt with a wildcard certificate, please follow this guide first, and follow the lighttpd instructions in it.

Self-Signed certificate

If you can’t use Let’s Encrypt, you can generate a self-signed certificate; you can read how in this guide. Follow the lighttpd instructions in it.

Start

The following steps are needed for all types of certificates. After you have done this, go to the headline that matches the certificate type you want.

  • First, we need to (re)install the lighttpd OpenSSL module

    sudo apt-get reinstall lighttpd-mod-openssl
    

  • We need to configure lighttpd to work with SSL

    sudo nano /etc/lighttpd/conf-enabled/external.conf
    
  • Your configuration should look like this. Replace PIFQDN with the FQDN of your Pi-Hole server, and use the block that matches the kind of certificate you are going to use

    Let’s Encrypt certificate

    server.modules += ( "mod_openssl" )
    
    var.fqdn = "PIFQDN"
    
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # Public cert and intermediate cert chain
        ssl.pemfile = "/etc/lighttpd/ssl/fullchain.pem"
        ssl.privkey = "/etc/lighttpd/ssl/privkey.pem"
        # Require TLS 1.3
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3")
    }
    
    $HTTP["host"] == fqdn {
        # Set redirect code for any redirects we do
        url.redirect-code = 308
        # Redirect all http to https
        $HTTP["scheme"] == "http" {
            url.redirect = ("" => "https://" + fqdn + "${url.path}${qsa}")
        } else $HTTP["url"] == "/" {
            # Redirect root to admin
            url.redirect = ("" => "/admin/")
        }
    }
    
    Self-Signed certificate

    server.modules += ( "mod_openssl" )
    
    var.fqdn = "PIFQDN"
    
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # Combined private key and public cert in one file
        ssl.pemfile = "/etc/lighttpd/ssl/selfsigned.pem"
        # Require TLS 1.3
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3")
    }
    
    $HTTP["host"] == fqdn {
        # Set redirect code for any redirects we do
        url.redirect-code = 308
        # Redirect all http to https
        $HTTP["scheme"] == "http" {
            url.redirect = ("" => "https://" + fqdn + "${url.path}${qsa}")
        } else $HTTP["url"] == "/" {
            # Redirect root to admin
            url.redirect = ("" => "/admin/")
        }
    }
    

Verification

  • We need to make sure that our lighttpd configuration is valid, which we can do with the following command. If everything is fine, the command prints nothing, see picture below

    sudo /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
    

  • Now for the final step we are going to reboot our server

    sudo reboot
    
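    After the reboot, the redirect and TLS settings from the configuration above can be checked from any machine with curl and openssl. This is an added example, not part of the original guide: PIFQDN is the same placeholder as above, and check_redirect only inspects response headers so it can also be exercised offline with constructed input.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). Verifies the behaviour the
# external.conf above is supposed to produce: http -> https with 308,
# https root -> /admin/ with 308, and TLS 1.2 refused (MinProtocol TLSv1.3).
set -u

# check_redirect <expected_status> <expected_location> <raw_headers>
# Returns 0 when the headers carry the expected status line and Location.
check_redirect() {
  local code="$1" location="$2" headers="$3"
  printf '%s\n' "$headers" | grep -q "^HTTP/[0-9.]* $code" || return 1
  printf '%s\n' "$headers" | grep -qi "^Location: $location" || return 1
  return 0
}

# run_checks <fqdn>: live check against a running Pi-Hole (needs network).
# Drop -k from the https call if you use a Let's Encrypt certificate.
run_checks() {
  local fqdn="$1" h
  h=$(curl -sI "http://$fqdn/admin/")
  check_redirect 308 "https://$fqdn/admin/" "$h" \
    || { echo "FAIL: http is not redirected to https"; return 1; }
  h=$(curl -skI "https://$fqdn/")
  check_redirect 308 "/admin/" "$h" \
    || { echo "FAIL: root is not redirected to /admin/"; return 1; }
  # A TLS 1.2-only handshake must be rejected by the server
  if openssl s_client -connect "$fqdn:443" -tls1_2 </dev/null >/dev/null 2>&1; then
    echo "FAIL: server still accepts TLS 1.2"; return 1
  fi
  echo "OK: redirects and TLS minimum version are as configured"
}

# Usage: run_checks PIFQDN
```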

Restore configuration from another Pi-Hole (optional)

If you want, you can also restore a backup from another Pi-Hole server. To do that, go to Settings in the left menu and click on Teleporter in the middle menu. Then, under Restore in the right column, click on Browse to select your backup file. To perform the restore, click on the Restore button.

Configurations in admin portal

  • You can access the Pi-Hole admin portal by visiting https://FQDN, or if you haven’t set up SSL you can visit http://FQDN/admin; replace FQDN with the FQDN of your server. Enter the password that you chose before to log in

  • If, like me, you have clients from different subnets that will make requests to your Pi-Hole, you need to permit all origins. To change that, click on Settings in the left menu -> DNS in the top middle menu, and then in the left column under Potentially dangerous options select Permit all origins

Add DNS record

You can manually add a DNS record to your Pi-Hole; this is something that makes our life easier when we want to install vCenter, for example.

  • In the left menu click on Local DNS -> DNS Records

  • Then enter the full FQDN in the Domain field and the IP address you want to associate with that DNS record. When you’re done, click on the Add button

Conclusion

Now you have a DNS server that will also block ads and other things we don’t want. And don’t forget that you can add more blocklists to it.
