X.509: Create and export CA certificate #1860

Merged
merged 1 commit into from
Jan 22, 2024
Conversation

DL6ER
Member

@DL6ER DL6ER commented Jan 17, 2024

What does this implement/fix?

Currently, Pi-hole's mechanism to create a self-signed certificate, well, creates a self-signed certificate. Recent user questions have, however, revealed that there is software (most notably Firefox) that does not like (as in: explicitly discourages, sometimes even prevents) the use of such self-signed certificates. Adding the certificate to said browsers (so the web interface page is considered "safe") is not possible in this case.

This PR changes the way Pi-hole generates the TLS certificate for itself. We go the more traditional way by first creating a (self-signed) root certificate authority (CA) and then using this CA to sign a second certificate we specifically create for the TLS web server. The generated CA is exported to a file and can then be imported into Firefox, Chrome, etc.

If you are using curl or friends, nothing changes - you can still use the certificate PEM file as you were used to before.

Note

Pi-hole will not recreate already existing self-signed certificates. If you want to use these new certificates, you will have to run

sudo pihole-FTL --gen-x509 /etc/pihole/tls.pem

to force recreation of the certificate. Possibly with a domain if you want to use a domain different from pi.hole, e.g.

sudo pihole-FTL --gen-x509 /etc/pihole/tls.pem pihole.lan

Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): pi-hole/docs#980


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repositories developmental branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions
  • I signed all my commits. Pi-hole requires signatures to verify authorship
  • I have read the above and my PR is ready for review.
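The flow the description above sketches (a self-signed root CA, then a server certificate issued by that CA, then export of the CA so a browser can chain to it), as an added example in Go using only the standard library. This is illustration code written for this page, not Pi-hole FTL's own implementation (which lives in src/webserver/x509.c, referenced in the review below). The CA name "Pi-hole example root CA", ECDSA P-256 keys, the 10-year and 1-year validity periods, and the key-then-certificate layout of the tls.pem-style output are all this example's assumptions; `ImportCA` stands in for the browser's certificate import and `VerifyServerCert` for what the browser checks on connect.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// Bundle mirrors the PR's two artefacts: tls.pem (server key + cert; key-first order is this example's choice) and the exported CA cert.
type Bundle struct {
	CACert     *x509.Certificate
	ServerCert *x509.Certificate
	CACertPEM  []byte // import this into Firefox/Chrome (the PR's exported CA)
	TLSPEM     []byte // private key followed by the CA-signed server cert
}

// newKeyAndSerial returns a fresh P-256 key and a random 128-bit serial (RFC 5280 caps serials at 20 octets).
func newKeyAndSerial() (*ecdsa.PrivateKey, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return key, serial, err
}

// issue signs tmpl with signerKey on behalf of parent and parses the result.
func issue(tmpl, parent *x509.Certificate, pub, signerKey any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// GenerateCAAndServerCert builds a self-signed root CA, then a server cert for domain issued by that CA.
func GenerateCAAndServerCert(domain string, now time.Time) (*Bundle, error) {
	caKey, caSerial, err := newKeyAndSerial()
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          caSerial,
		Subject:               pkix.Name{CommonName: "Pi-hole example root CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),                               // tolerate clock skew
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// parent == template: the CA signs its own certificate (self-signed root).
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvKey, srvSerial, err := newKeyAndSerial()
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: srvSerial,
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain}, // browsers match the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// parent is the CA cert and the signer is the CA key: an ordinary CA-signed server cert a browser can chain to the imported CA.
	srvCert, err := issue(srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(srvKey)
	if err != nil {
		return nil, err
	}
	tlsPEM := append(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvCert.Raw})...)
	return &Bundle{CACert: caCert, ServerCert: srvCert, TLSPEM: tlsPEM,
		CACertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})}, nil
}

// ImportCA is the browser-side step: a trust store holding only the exported CA.
func ImportCA(caPEM []byte) (*x509.CertPool, bool) {
	pool := x509.NewCertPool()
	return pool, pool.AppendCertsFromPEM(caPEM)
}

// VerifyServerCert does what a browser does on connect: chain to a trusted root and match host against the SAN.
func VerifyServerCert(c *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}
```

The verification step makes the point of the two-certificate layout visible: with the exported CA in the trust store, the server certificate validates for the name it was issued for; with a nil root pool (which falls back to the system store, where this CA is not present) or for a different host name it fails. The user imports one long-lived CA and every certificate it issues is then accepted, which is the import that, per the description above, Firefox discourages or refuses for a bare self-signed leaf.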

…st creating a self-signed root certificate authority (CA) and then using this CA to ordinarily sign the server's certificate. This has the advantage of being able to import the CA in places where importing a self-signed certificate is discouraged or not possible (e.g. Firefox browser)

Signed-off-by: DL6ER <[email protected]>
@DL6ER DL6ER requested a review from a team January 17, 2024 14:42
@pralor-bot

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pihole-v6-firefox-android/67672/5

Member

@yubiuser yubiuser left a comment

Should we add a log line announcing the creation of a CA here?

2024-01-21 19:24:47.886 [654233M] INFO: FTL is running as user pihole (UID 999)
2024-01-21 19:24:47.903 [654233M] INFO: Created SSL/TLS certificate for nanopi.lan at /etc/pihole/tls.pem
2024-01-21 19:24:47.903 [654233M] INFO: Reading certificate from /etc/pihole/tls.pem ...
2024-01-21 19:24:47.904 [654233M] INFO: Using SSL/TLS certificate file /etc/pihole/tls.pem

This is not true anymore

TLS X.509 certificate generator:
    Generate a self-signed certificate suitable for SSL/TLS
    and store it in outfile.

Should pihole-FTL --read-x509-key also read the tls_ca.crt?

src/webserver/x509.c: review comment (resolved)
@DL6ER
Member Author

DL6ER commented Jan 21, 2024

Should we add a log line announcing the creation of a CA here?

No, it's not even trivial to transport the CA name over there. The vast majority of users will likely add a permanent exception instead of adding the CA certificate. When they want it, the documentation will tell them how - without the need to read any logs.


Should pihole-FTL --read-x509-key also read the tls_ca.crt?

I don't think so. It is a generic tool to read a certificate. This is still what it does. The CA is independent.


I'm not sure where Pi-hole is located, but it might not be "DE".

In the end it doesn't matter. We can add whatever we want.

@DL6ER DL6ER merged commit 1218151 into development-v6 Jan 22, 2024
16 checks passed
@DL6ER DL6ER deleted the tweak/x509_ca branch January 22, 2024 12:17
@pralor-bot

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/fix-pihole-ftl-help-output-for-gen-x509-option-with-domain-parameter/73622/1

3 participants