How to enable HTTPS for pihole App?

This is a bit of a stumper for me.

I run multiple pi-holes on Raspberry Pis w/o issue, including protecting the WebUI session with SSLs.

Curiously, while my copy of the TrueNAS pihole App (version v1.3.15) seems to have provisions for HTTPS (see HTTPS port mentioned in the setup page), there doesn’t seem to be a way to integrate a SSL certificate into the TrueNAS pihole app the way there is for other apps like Unifi.

Is this intentional or a weird oversight? Is a reverse proxy with a wildcard SSL certificate the only way to secure the present pihole App?

Nope–it just creates a self-signed cert that’s good for 30 years, and uses that. Kind of a remarkable oversight–but no need to rehash my thoughts on apps as a whole.

It doesn’t have to be a wildcard (your proxy could create individual certs for each of the services it proxies), though that’s probably the easiest way to do it.

It looks like the cert it creates is stored at /etc/pihole/tls.pem inside the container (stored in the nonsensical format HAproxy likes, with the private key and the cert concatenated together in a single file). I suppose you could put a cert somewhere on your pool, and mount that to the container as a host path.

I decided to use a weekly cron job as described. The first part removes the old certificate, the second part builds the new one based on the SSL certificates that TrueNAS pulls for me.

# Remove the old bundle, then rebuild it (cert first, then key) from the certificates TrueNAS manages
rm /mnt/[your pool]/Apps/[pi hole installation location]/tls.pem && \
cat /etc/certificates/[your pihole certificate name].crt /etc/certificates/[your pihole certificate name].key > /mnt/[your pool]/Apps/[pi hole installation location]/tls.pem

Note: however, you ideally want to launch pihole in advance and set the hostname first using the GUI. You can make similar changes via the CLI/vi/nano/whatever, but only if you are familiar with the very specific syntax that pihole uses inside the pihole.toml config file to denote such changes.

Only replace tls.pem once the instance of Pi-hole has a hostname inside pihole.toml that matches the certificate, or the pihole App will be stuck in Deploying mode forever when you try to start it.
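A safer version of the weekly job above, written as an added example rather than code from the thread: it checks that both inputs really contain PEM blocks, optionally confirms with openssl that the key belongs to the certificate and that the certificate names the Pi-hole hostname, and only then writes the cert-then-key bundle through a temporary file so a failed run never leaves an empty or half-written tls.pem for the container to choke on. The paths in the usage line are placeholders for the TrueNAS cert paths and the app's host-path mount, not real locations.

```shell
#!/bin/sh
# Added example (not from the forum thread). Rebuilds the concatenated
# tls.pem bundle that the Pi-hole container reads, with sanity checks.
# Usage: ./rebuild-tls.sh /path/to/pihole.crt /path/to/pihole.key /path/to/tls.pem [hostname]
# All paths are assumptions; substitute your own.

# has_block FILE MARKER: succeed if FILE contains a "-----BEGIN <MARKER>-----" line.
has_block() {
    grep -q -- "-----BEGIN $2-----" "$1"
}

# check_pair CERT KEY: with openssl installed, refuse a key that does not
# belong to the certificate (compare the public key derived from each).
# Without openssl the check is skipped with a warning rather than failing.
check_pair() {
    command -v openssl >/dev/null 2>&1 || {
        echo "warning: openssl not found, skipping cert/key match check" >&2
        return 0
    }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host CERT HOSTNAME: succeed if the hostname appears in the
# certificate's subject or subjectAltName (approximate text match; fine for
# catching the "hostname in pihole.toml does not match the cert" mistake).
cert_covers_host() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q -E -- "DNS:$2(,|\$)|CN ?= ?$2(,|\$)"
}

# build_tls_pem CERT KEY OUT: write CERT followed by KEY to OUT (the order
# used by the posted cron command). Structural checks only; on any failure
# OUT is left untouched. The bundle holds the private key, so it is written
# owner-only via umask in a subshell, then moved into place atomically.
build_tls_pem() {
    cert="$1"; key="$2"; out="$3"
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }
    has_block "$cert" "CERTIFICATE" || { echo "no CERTIFICATE block in $cert" >&2; return 1; }
    if ! grep -q -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$key"; then
        echo "no PRIVATE KEY block in $key" >&2; return 1
    fi
    tmp="$out.tmp.$$"
    ( umask 077; cat "$cert" "$key" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# Top-level entry point: only runs when invoked with arguments, so the
# functions can also be sourced or tested on their own.
if [ "$#" -ge 3 ]; then
    check_pair "$1" "$2" || { echo "key does not match certificate" >&2; exit 1; }
    if [ -n "$4" ]; then
        cert_covers_host "$1" "$4" || { echo "certificate does not name $4" >&2; exit 1; }
    fi
    build_tls_pem "$1" "$2" "$3" || exit 1
    echo "wrote $3"
fi
```

Drop this into cron in place of the one-liner and pass the Pi-hole hostname from pihole.toml as the fourth argument; if the hostname or the key pair is wrong the old tls.pem stays in place and the job exits non-zero, which is far easier to notice than an app stuck in Deploying.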

Hmm, I guess I prefer the easy way: placing everything, regardless of whether it is accessible from WAN or LAN, behind a reverse proxy and letting the proxy decide which wildcard certificate to present to the client. Internal CA generated for LAN or Let's Encrypt for WAN, depending on the FQDN.
Renewal of the WAN cert is done via ACME and the internal one is valid for 10 years or so (ADCS). Maybe I should try ACME-ADCS-Server some day tho.