LetsEncrypt for Pi-Hole w/ Auto-Renewal
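[Unit]
Description=Certbot Renewal (Route 53 DNS-01 challenge for the Pi-hole web UI)
# certbot talks to the ACME CA and to the Route 53 API, so wait for the network.
Wants=network-online.target
After=network-online.target

[Service]
# oneshot: the unit counts as finished when certbot exits, which is what a
# timer-driven job wants.
Type=oneshot
# Create /root/.aws/config using the config example. Selecting the profile by
# name keeps any [default] profile keys out of this job.
Environment=AWS_PROFILE=certbot
# Renews the certificate using the Route53 DNS challenge.
# --keep-until-expiring makes the not-yet-due case explicit (keep the existing
# cert, exit 0) instead of relying on the non-interactive default.
# --deploy-hook, unlike --post-hook, runs only when a certificate was actually
# issued, so lighttpd is not restarted on every timer tick.
# The hook bundles private key + leaf cert into the single PEM that lighttpd's
# ssl.pemfile expects. Note the `>` redirect: a `|` here would try to execute
# combined.pem as a command. umask 077 and chmod 600 keep the bundle, which
# contains the private key, readable by root only.
ExecStart=/usr/bin/certbot certonly --non-interactive --keep-until-expiring \
    --dns-route53 --dns-route53-propagation-seconds 120 \
    -d your-domain.example.com --agree-tos -m [email protected] \
    --deploy-hook "umask 077 && cat /etc/letsencrypt/live/your-domain.example.com/privkey.pem /etc/letsencrypt/live/your-domain.example.com/cert.pem > /etc/letsencrypt/live/your-domain.example.com/combined.pem && chmod 600 /etc/letsencrypt/live/your-domain.example.com/combined.pem && systemctl restart lighttpd"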
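# Timer unit file for systemd. Thanks to:
# https://stevenwestmoreland.com/2017/11/renewing-certbot-certificates-using-a-systemd-timer.html
# With no Unit= given, the timer starts the .service that shares its name
# (e.g. certbot-renewal.timer -> certbot-renewal.service).
[Unit]
Description=Timer for Certbot Renewal

[Timer]
# First attempt 5 minutes after boot, giving the network time to come up.
OnBootSec=300
# Then re-check daily. certbot itself decides whether the certificate is due,
# so a frequent check only costs an API round-trip, and it leaves far more
# retries before expiry than a weekly check would if a run fails.
OnUnitActiveSec=1d
# Spread load on the ACME CA and Route 53 instead of firing at a fixed second.
RandomizedDelaySec=1h

[Install]
# Timers are conventionally pulled in by timers.target rather than multi-user.target.
WantedBy=timers.target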
# Put this in /root/.aws/config (or set User=/Group= on your systemd unit and use
# that user's ~/.aws/config instead).
# This file holds long-lived static keys in plain text: chmod 600 it, and create a
# dedicated IAM user for this job only. The certbot-dns-route53 plugin needs just
# route53:ListHostedZones, route53:GetChange and route53:ChangeResourceRecordSets,
# and the last one can be restricted to the single hosted zone's ARN.
[default]
region=us-west-2
output=json
# Selected by Environment=AWS_PROFILE=certbot in the service unit. Note that
# region= is not inherited from [default]; Route 53 is a global service so it is
# usually not needed here — add one if the plugin reports NoRegionError.
[profile certbot]
aws_access_key_id=your-access-key
aws_secret_access_key=your-secret-access-key
# Put this in /etc/lighttpd/external.conf (Pi-hole includes it from its own
# lighttpd.conf, so local changes survive Pi-hole upgrades).
# Cribbed from:
# https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771
# Everything below is scoped to requests whose Host header is the LE domain;
# plain-HTTP access via the Pi's IP address or "pi.hole" is left untouched.
$HTTP["host"] == "your-domain.example.com" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")
    # Enable the SSL engine with a LE cert, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # combined.pem = privkey.pem + cert.pem, written by the certbot renewal hook.
        # It contains the private key, so it must stay readable by root only.
        # NOTE(review): lighttpd 1.4.53+ accepts ssl.pemfile = fullchain.pem together
        # with ssl.privkey = privkey.pem, which would remove the bundling step
        # entirely — confirm the installed lighttpd version before switching.
        ssl.pemfile = "/etc/letsencrypt/live/your-domain.example.com/combined.pem"
        # fullchain.pem supplies the intermediate chain on older lighttpd builds;
        # on 1.4.56+ ssl.ca-file is primarily for client-certificate verification,
        # so check with an external TLS scanner that the chain is actually sent.
        ssl.ca-file = "/etc/letsencrypt/live/your-domain.example.com/fullchain.pem"
        # Prefer the server's order: ECDHE/DHE key exchange with AES only
        # (the AES256+EECDH / AES256+EDH groups also admit CBC suites).
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        # SSLv2/v3 off. These directives are deprecated on recent lighttpd, where
        # TLS 1.2 is already the default minimum; nothing here disables TLS 1.0/1.1
        # on older builds — verify what the running version negotiates.
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
    }
    # Redirect HTTP to HTTPS
    # No Strict-Transport-Security header is set; HSTS would pin browsers to
    # HTTPS, so only add it once automatic renewal has been seen to work.
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            # %0 is the matched host, $0 the matched request path and query
            url.redirect = (".*" => "https://%0$0")
        }
    }
}