- Ensure you have a standard fully qualified domain name (e.g. domain.com, pihole.example.com, etc.) that you use to reach your Pi-hole
- Deploy an SSL certificate for your FQDN
- Configure lighttpd to enable the SSL engine only for your FQDN
How to configure Pi-hole to use an SSL certificate
The lighttpd daemon will need a custom configuration to enable the SSL engine. Fortunately, you can configure all this from /etc/lighttpd/external.conf as this will not get overwritten when running a Pi-hole update.
To start, you will need to create a file called combined.pem, as this is the file that lighttpd expects for ssl.pemfile. Run the following command (making sure to substitute pihole.example.com with your FQDN):
Next, ensure the lighttpd user www-data can read the required certificates:
```
sudo chown www-data -R /etc/letsencrypt/live
```
Now, place the following into /etc/lighttpd/external.conf (again, making sure to substitute pihole.example.com with your FQDN):
```
$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
    ssl.ca-file = "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
```
Finally, be sure to run `sudo service lighttpd restart` after this change has been made.
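The combined.pem step above, as an added example that is not part of the Pi-hole docs: a small POSIX shell helper that assembles the file lighttpd needs for ssl.pemfile from a Let's Encrypt-style live directory and sanity-checks it before you point external.conf at it. It assumes certbot's file names (privkey.pem and cert.pem) and that the pemfile is the private key followed by the leaf certificate; the function names and the placeholder PEM content are mine, and giving the lighttpd user read access is left to the chown step described above.

```sh
#!/bin/sh
# Added example (not from the Pi-hole docs). Assumption: <live-dir> holds
# certbot's privkey.pem and cert.pem; combined.pem = private key + leaf cert.

# make_combined_pem <live-dir>: write <live-dir>/combined.pem with mode 0600
# so the private key is never world-readable; return 1 if inputs are missing.
make_combined_pem() {
  dir=$1
  [ -r "$dir/privkey.pem" ] && [ -r "$dir/cert.pem" ] || return 1
  # Subshell keeps the restrictive umask from leaking into the caller.
  ( umask 077 && cat "$dir/privkey.pem" "$dir/cert.pem" > "$dir/combined.pem" )
}

# check_combined_pem <file>: return 0 only if the file holds exactly one
# private key block, at least one certificate block, and is not readable
# by "other" (the usual mistake after hand-editing certificate files).
check_combined_pem() {
  f=$1
  [ -f "$f" ] || return 1
  keys=$(grep -c 'BEGIN .*PRIVATE KEY-----' "$f" || true)
  certs=$(grep -c 'BEGIN CERTIFICATE-----' "$f" || true)
  [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] || return 1
  # The "other" permission bits are characters 8-10 of ls -l output.
  other=$(ls -l "$f" | cut -c8-10)
  [ "$other" = "---" ] || return 1
}

# demo_live_dir: create a temporary directory with constructed placeholder
# PEM files (not real key material) mimicking /etc/letsencrypt/live/<fqdn>.
demo_live_dir() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' \
    '-----END PRIVATE KEY-----' > "$d/privkey.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXI=' \
    '-----END CERTIFICATE-----' > "$d/cert.pem"
  echo "$d"
}
```

Run it against the real live directory as root, then chown the resulting combined.pem for the lighttpd user as the page describes.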
```
Generating a 2048 bit RSA private key
....+++
...............+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:Delhi
Organization Name (eg, company) [Default Company Ltd]:TecAdmin Inc.
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:user@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [Leave Blank]
An optional company name []: [Leave Blank]
```