# This must be done as root:
sudo mkdir /root/.secrets
sudo touch /root/.secrets/cloudflare.ini
# Or just...
# sudo mkdir /root/.secrets && sudo touch /root/.secrets/cloudflare.ini

Write the following content to the /root/.secrets/cloudflare.ini file:
dns_cloudflare_email = "[email protected]"
dns_cloudflare_api_key = "this-is-your-global-api-key"

Keep in mind that the Global API Key has full access to your entire Cloudflare account, so anyone who can read this file can do far more than edit one DNS record. certbot-dns-cloudflare also accepts a scoped API token (a single dns_cloudflare_api_token = "..." line in place of the email and key lines), which you can restrict to Zone:DNS:Edit on just this zone; prefer that if you can. Either way, make the file readable by root only:

sudo chmod 0700 /root/.secrets/
sudo chmod 0400 /root/.secrets/cloudflare.ini
# Or just...
# sudo chmod 0700 /root/.secrets/ && sudo chmod 0400 /root/.secrets/cloudflare.ini

Now install certbot and the Cloudflare DNS plugin:

sudo apt-get install certbot
sudo pip3 install certbot-dns-cloudflare --break-system-packages
# Or just...
# sudo apt-get install certbot && sudo pip3 install certbot-dns-cloudflare --break-system-packages

The --break-system-packages flag makes pip install the plugin into the same system Python that the apt certbot runs under, which is what lets certbot find it. On Debian and Ubuntu you can avoid pip entirely by installing the distribution package python3-certbot-dns-cloudflare with apt instead.

Before continuing, please note I'm using the domain pihole.example.com - replace accordingly!
sudo certbot certonly \
-a dns-cloudflare \
--cert-name pihole.example.com \
--dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
-d pihole.example.com \
--preferred-challenges dns-01

IMPORTANT: the challenge type is dns-01 (certbot also accepts the short form dns). dns-0 is not a valid challenge name.
Certbot should now have issued the certificate and key. Next, build the /etc/pihole/tls.pem file that Pi-hole reads. First take a backup...

sudo cp /etc/pihole/tls.pem ~/pihole-tls-pre-certbot.pem

Now compose the new /etc/pihole/tls.pem file. Two details matter here. First, in a command like sudo cat ... > /etc/pihole/tls.pem the redirection is performed by your own unprivileged shell, not by root, so it fails with "Permission denied"; pipe through sudo tee instead. Second, read from /etc/letsencrypt/live/, not /etc/letsencrypt/archive/: the live/ names are symlinks that certbot repoints to the newest key and certificate on every renewal, whereas archive/privkey1.pem and cert1.pem are the first issuance only and go stale after the first renewal. Use fullchain.pem rather than cert.pem so the intermediate certificate is served too; without it, some clients cannot build a trust path to the leaf.

sudo cat /etc/letsencrypt/live/pihole.example.com/privkey.pem /etc/letsencrypt/live/pihole.example.com/fullchain.pem | sudo tee /etc/pihole/tls.pem > /dev/null

Now, test the new file by restarting Pi-hole:
sudo /usr/sbin/service pihole-FTL stop
sudo /usr/sbin/service pihole-FTL start
# Or just...
# sudo /usr/sbin/service pihole-FTL stop && sudo /usr/sbin/service pihole-FTL start

If you visit your Pi-hole instance in your browser, is the certificate valid?
Sometimes you need to check in an incognito (private) window to force the browser to re-evaluate the certificate status. Checking from the command line with openssl s_client avoids browser caching altogether and also shows whether the intermediate certificate is being served along with the leaf.
If the above steps worked, you can automate the renewal with a single cron entry. Two things to know before you copy it:

Let's Encrypt certificates are valid for 90 days and certbot only renews one when fewer than 30 days remain, so a check that runs once a month can land just outside that window and let the certificate expire before the next run. Running certbot renew every day is safer (the apt certbot package already installs a systemd timer that does this twice daily); certbot renew only contacts Let's Encrypt for certificates that are actually due.

Read the renewed key and chain from /etc/letsencrypt/live/, whose symlinks always point at the current files. A job that copies archive/privkey1.pem and cert1.pem keeps reinstalling the original, eventually expired, certificate after the first renewal.

Please note: this cron entry must run as root, so use sudo crontab -e to add it. Because root's own shell performs the redirection here, the > /etc/pihole/tls.pem works without the permission problem you hit interactively. With -n (non-interactive), certbot keeps the existing certificate and exits 0 when it is not yet due, so the copy and restart still run on every invocation even when nothing changed.

# once a month
0 0 1 * * certbot certonly -a dns-cloudflare --cert-name pihole.example.com --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d pihole.example.com --preferred-challenges dns-01 -n && cat /etc/letsencrypt/live/pihole.example.com/privkey.pem /etc/letsencrypt/live/pihole.example.com/fullchain.pem > /etc/pihole/tls.pem && /usr/sbin/service pihole-FTL stop && /usr/sbin/service pihole-FTL start
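The cron line re-runs certbot on a fixed schedule and copies the files and restarts Pi-hole whether or not anything changed. The cleaner way is a certbot deploy hook: certbot runs it only after a certificate was actually renewed, with RENEWED_LINEAGE set to that certificate's live/ directory, so the scheduling can be left to certbot renew (the apt package's systemd timer, or a daily cron entry). The script below is an added example, not code from the original post or from the Pi-hole or certbot projects. It assumes Pi-hole reads /etc/pihole/tls.pem as described above, that service pihole-FTL restart is available, and a hypothetical install path of /etc/letsencrypt/renewal-hooks/deploy/pihole-tls.sh.

```shell
#!/bin/sh
# Hypothetical path: /etc/letsencrypt/renewal-hooks/deploy/pihole-tls.sh
# Added example, not from the original post. Certbot runs deploy hooks only
# after a successful renewal and sets RENEWED_LINEAGE to the renewed cert's
# live/ directory, e.g. /etc/letsencrypt/live/pihole.example.com.
set -eu

PIHOLE_TLS=/etc/pihole/tls.pem   # where Pi-hole reads its key + chain (from the post)

# Build one PEM file (private key followed by the full chain) from a certbot
# live/ directory into $2. Writes to a temp file first and renames it into
# place, so Pi-hole never sees a half-written tls.pem; the new file is 0600.
# Returns 1 without touching $2 if either input is missing or unreadable.
build_tls_pem() {
    lineage="$1"
    out="$2"
    key="$lineage/privkey.pem"
    chain="$lineage/fullchain.pem"
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "pihole-tls: $key or $chain missing or unreadable" >&2
        return 1
    fi
    tmp="$out.tmp.$$"
    umask 077                     # temp file (and therefore tls.pem) is created 0600
    cat "$key" "$chain" > "$tmp"
    mv -f "$tmp" "$out"           # rename is atomic on the same filesystem
}

# A hook dropped into renewal-hooks/deploy/ runs for every renewed
# certificate on the host, so only act on the Pi-hole lineage.
is_pihole_lineage() {
    case "$1" in
        */live/pihole.example.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Only do work when certbot invoked us for the Pi-hole certificate; running
# the script by hand without RENEWED_LINEAGE is harmless.
if [ -n "${RENEWED_LINEAGE:-}" ] && is_pihole_lineage "$RENEWED_LINEAGE"; then
    build_tls_pem "$RENEWED_LINEAGE" "$PIHOLE_TLS"
    service pihole-FTL restart
fi
```

Make the script executable and owned by root. Either place it in /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs everything there after each renewal, which is why the lineage check exists) or pass it once as --deploy-hook /path/to/pihole-tls.sh on the certbot certonly command, which records it in that certificate's renewal configuration so only this certificate triggers it.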