In our meeting on August 26 Spencer walked us through how to set up different machines and ensure that they are equipped with certificates. Once accessed with a browser these devices show up as "secure", whereas the default behaviour would highlight the site as not secure.
A video of that session was recorded, so if you want to take a look, check it out here:
Spencer was also kind enough to provide a high-level overview:
# "something about a self-signed certificate and pi-hole"

## Objective
---
As a user I want to view the pi-hole admin page using https instead of http. As the creator of a local certificate authority, I accept the risk of installing its certificate on my local devices.

## Requirements (prework)
---
1. Lessons 1.1, 1.2, and 1.3 from *resource #1*
1. Check the device hostname
1. Sync your clock
1. Review your OpenSSL configuration (openssl version -a)
1. Create a directory structure to store the keys, signing requests, and certs
1. Lock it down (chmod 600)

## Create the private key and cert for the CA
---
```sh
# Create a private key for the CA (passphrase-protected with AES-256)
openssl genrsa -aes256 -out private/cakey.pem 4096
# Create a self-signed certificate for the CA, valid for 10 years
openssl req -new -x509 -key /root/ca/private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
```

## Create the private key and cert for the pihole
---
```sh
# Create a new private key
openssl genpkey -algorithm RSA -out /root/ca/private/my_server.key
# Create a new certificate signing request (CSR)
openssl req -new -key /root/ca/private/my_server.key -out /root/ca/requests/my_server.csr
# CA signing the CSR (no X509v3 extensions, so no SAN)
openssl ca -in /root/ca/requests/my_server.csr -out /root/ca/certs/my_server_NO-SAN.crt
# CA signing the CSR with an extension file that adds X509v3 extensions;
# NET::ERR_CERT_COMMON_NAME_INVALID is resolved by adding 'subjectAltName'
openssl ca -in /root/ca/requests/my_server.csr -extfile /root/ca/my_server.ext -out /root/ca/certs/my_server_SAN.crt
```

> my_server.ext

```
subjectAltName = DNS:my_server.local, DNS:pi.hole, IP:10.0.0.10
```

### Checking the certificate
---
```sh
# Check for SAN
openssl x509 -text -in /root/ca/certs/my_server_SAN.crt -noout
```

> Expected output should include:

```
X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:my_server.local, DNS:pi.hole, IP Address:10.0.0.10
```

## lighttpd config
---
```sh
nano /etc/lighttpd/external.conf
```

```
server.modules += ("mod_openssl")
$HTTP["host"] == "my_server.local" {
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable" # basic option
        ssl.pemfile = "/usr/lib/ssl/certs/my_server_SAN.crt" # basic option
        # ssl.pemfile = "/usr/lib/ssl/certs/my_server_NO-SAN.crt"
        ssl.privkey = "/usr/lib/ssl/private/my_server.key" # basic option
        ssl.ca-file = "/usr/lib/ssl/certs/cacert.pem" # (deprecated) renamed ssl.verifyclient.ca-file (since 1.4.60)
    }
}
```

## Resources
---
1. [OpenSSL Certification Authority (CA) on Ubuntu Server](https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server)
    1. Prerequisites
        1. hostname, /etc/hosts, and ntp
    1. OpenSSL Configuration
        1. Specify the path, generate cakey.pem & cacert.pem
    1. Install cacert.pem on your client machine(s)
2. [Enabling HTTPS for your Pi-hole Web Interface](https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771)
    1. Which config file to edit (/etc/lighttpd/external.conf)
3. [OpenSSL man pages - genpkey](https://www.openssl.org/docs/man1.1.1/man1/genpkey.html)
    1. Generate a private key using genpkey
4. [Lighttpd wiki #Self-Signed-Certificates](https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#Self-Signed-Certificates)
    1. Used the 'Quick Start'
    1. Tip: keep your lighttpd -version in mind
5. [Firefox no longer trusts my internal certificate authority used for internal sites on our domain.](https://support.mozilla.org/en-US/questions/1175296)
    1. See also *security.enterprise_roots.enabled* on the about:config page.
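The difference between the NO-SAN and SAN certificates above can be checked end to end with `openssl verify` before touching lighttpd. The script below is an added example, not part of Spencer's write-up: it builds a throwaway CA and both server certs in a temp directory and then verifies each one against the CA for every name it should (and should not) serve. It assumes openssl 1.1.1 or newer on PATH, leaves the CA key unencrypted so it runs unattended (the write-up uses -aes256), and signs with `openssl x509 -req` instead of `openssl ca` so no CA database is needed.

```shell
#!/bin/sh
# Added example: throwaway CA + two server certs, then hostname verification.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Local CA (self-signed; the default req settings mark it CA:TRUE)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out cakey.pem 2>/dev/null
openssl req -new -x509 -key cakey.pem -subj "/CN=Home Lab CA" -days 3650 -out cacert.pem 2>/dev/null

# 2. Server key + CSR; the CN is my_server.local, as in the write-up
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out my_server.key 2>/dev/null
openssl req -new -key my_server.key -subj "/CN=my_server.local" -out my_server.csr 2>/dev/null

# 3. Sign the same CSR twice: bare, and with the SAN extension file from the write-up
printf 'subjectAltName = DNS:my_server.local, DNS:pi.hole, IP:10.0.0.10\n' > my_server.ext
openssl x509 -req -in my_server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -days 825 -out my_server_NO-SAN.crt 2>/dev/null
openssl x509 -req -in my_server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -days 825 -extfile my_server.ext -out my_server_SAN.crt 2>/dev/null

# check_name CERT NAME: exit 0 if CERT chains to cacert.pem and is valid for NAME
check_name() {
    openssl verify -CAfile cacert.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}
# check_ip CERT IP: same check for an IP address literal (the IP: SAN entry)
check_ip() {
    openssl verify -CAfile cacert.pem -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Print a result table; the SAN-less cert can only ever match its CN,
# and browsers ignore the CN entirely, which is the NET::ERR_CERT_COMMON_NAME_INVALID error.
for c in my_server_NO-SAN.crt my_server_SAN.crt; do
    for n in my_server.local pi.hole other.local; do
        check_name "$c" "$n" && r=ok || r=FAIL
        echo "$c  $n  $r"
    done
done
```

The same check works against the deployed cert with `openssl s_client -connect pi.hole:443 -CAfile cacert.pem -verify_hostname pi.hole` once lighttpd is serving it.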