Setting up HTTPS on my home lab

Introduction

This is the third part of my physical network engineering home lab series of blogs. In this blog I will be sharing how I set up SSL on my home lab and then accessed locally hosted services without a warning in the browser.

And no I am not buying a domain like a lot of YouTubers do, I am going to use mkcert to manage the SSL certificates and install the certificate on each client device and make HTTPS work with no warning from the browser. I chose mkcert because manually configuring openssl certificates and maintaining a certificate hierarchy is tedious for a home lab.

The goal of enabling HTTPS is to securely access the Pi-hole admin panel, and other locally hosted services in the home lab.

Side note: SSL is deprecated and replaced with TLS but the term SSL certificates is used in slang and I will be going with that in this blog

Requirements

1. A Linux machine

2. package libnss3-tools
   

   sudo apt install libnss3-tools
   

3. package mkcert. For Linux Mint you can download via apt
   

   sudo apt install mkcert
   

   but if it is not available via apt you have to download it from GitHub

   Steps

Creating rootCA

This is the highest in the hierarchy of certificates and we will be copying the root certificate to other devices to make them work with HTTPS.

1. On your client machine (not the server), run
   

   mkcert -install
   

2. After it is installed, run
   

   mkcert -CAROOT
   

3. This will print the directory where the root key and the root certificate is stored. Make a note of it.
   

gray@OMEN-Slim-Gaming-Laptop-16:~/home-lab-tls$ mkcert -install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)! 🦊

gray@OMEN-Slim-Gaming-Laptop-16:~/home-lab-tls$ mkcert -CAROOT
/home/gray/.local/share/mkcert
gray@OMEN-Slim-Gaming-Laptop-16:~/home-lab-tls$ 

Creating Certificates

1. In a separate directory, run the following command. 2 files will be stored on that current directory which you will need to copy to the server.
   

   mkcert domain-name.internal
   

   I have created only for pi.hole because that is the only service I want to secure right now.
   

gray@OMEN-Slim-Gaming-Laptop-16:~/home-lab-tls$ mkcert pi.hole

Created a new certificate valid for the following names 📜
 - "pi.hole"

The certificate is at "./pi.hole.pem" and the key at "./pi.hole-key.pem" ✅

It will expire on 8 June 2028 🗓

gray@OMEN-Slim-Gaming-Laptop-16:~/home-lab-tls$ ls
pi.hole-key.pem  pi.hole.pem
gray@OMEN-Slim-Gaming-Laptop-16:~/home-lab-tls$ 

1. Combine those 2 files along with the rootCA.pem in this specific order

cat pi.hole-key.pem pi.hole.pem  $(mkcert -CAROOT)/rootCA.pem > pi.hole-combined.pem

1. Copy the combined file to the server, into the directory /etc/pihole
2. On the server, make sure the file is owned by user and group pihole and only the owner can read/write to it.

sudo chown pihole:pihole pi.hole-combined.pem                 
sudo chmod 600 pi.hole-combined.pem 

Pointing the Pi-hole server to use these certificates

Edit this section in /etc/pihole/pihole.toml as shown

  [webserver.tls]
    # Path to the TLS (SSL) certificate file.
    #
    # All directories along the path must be readable and accessible by the user running
    # FTL (typically 'pihole'). This option is only required when at least one of
    # webserver.port is TLS. The file must be in PEM format, and it must have both,
    # private key and certificate (the *.pem file created must contain a 'CERTIFICATE'
    # section as well as a 'RSA PRIVATE KEY' section).
    #
    # The *.pem file can be created using `cp server.crt server.pem && cat server.key >>
    # server.pem` if you have these files instead
    #
    # Allowed values are:
    #     A valid TLS certificate file (*.pem)
    cert = "/etc/pihole/pi.hole-combined.pem"

    # Number of days the automatically generated self-signed TLS/SSL certificate will be
    # valid for.
    #
    # Defaults to 47 days. A minimum of 7 days is enforced.
    # Some devices may enforce shorter validity ranges. Note that defining a lower
    # validity range may require you to accept the self-signed certificate more often in
    # your browser.
    # Pi-hole will regenerate certificates it created itself two days prior to expiration.
    # If you are using your own certificate, you need to regenerate it yourself. In this
    # case, it is advised to set the validity range to 0 days, so that Pi-hole does not
    # try to regenerate your certificate. If you set the validity range to 0 days and
    # still try to generate a certificate, Pi-hole will set a fixed validity range of
    # roughly 30 years for the certificate.
    validity = 0

Replace cert variable with where you stored the combined certificate, and then restart Pi-hole.

sudo service pihole-FTL restart

Side Note: If nginx is running, disable it. Pi-hole's FTL has a built-in web server that handles TLS directly - Nginx will conflict with it on port 80/443.

sudo systemctl disable nginx --now

Verifying HTTPS on current device

Open https://pi.hole in the browser of the device you ran mkcert -install command on.

Verifying it on other devices

Copy the file $(mkcert -CAROOT)/rootCA.pem to other devices, and import to the device's certificates (instructions vary for each device, Google it) store and then open https://pi.hole on the browser.

Conclusion

The Pi-hole admin panel is now accessible over HTTPS with a trusted certificate - no browser warnings, no exceptions. Any other device on the network can be added by copying the rootCA.pem and importing it into the system trust store.

From here, the physical lab has DNS, ad-blocking, and HTTPS in place.