So, you’ve got a Pi-hole. Congratulations, you’ve taken your first step toward not being followed by a thousand ad trackers. But are you browsing your Pi-hole dashboard over HTTP like a total peasant? Stop it. Seriously.
This script makes it stupid easy to secure your Pi-hole with HTTPS using Let's Encrypt, DNS validation, and the magical powers of acme.sh. Works with both regular and Docker Pi-hole setups because inclusivity matters.
TL;DR: Run a script. Get SSL. Feel fancy. Maybe cry tears of joy. Or frustration. Depends on your DNS provider.
- Overview
- Features
- Stuff You Gotta Have
- DNS Avenger Providers
- Install Me Baby
- Use It or Lose It
- Fancy Configs
- Dockerheads Unite
- Auto-Magic Renewals
- Things That Go Boom
- Security-ish
- Contribute or Else
- License Stuff
- Credits & Thanks-for-All-the-Fish
You want HTTPS. I want tacos. Let’s meet in the middle.
This script automagically sets up HTTPS on your Pi-hole admin interface using Let’s Encrypt and DNS validation — even if your Pi-hole is chilling behind a NAT like it’s hiding from John Wick.
It works on bare metal, in Docker, and possibly in the Quantum Realm (not tested).
- 💥 One-command HTTPS setup
- 🧙 DNS validation with eight mystical DNS providers
- 🐳 Docker support, because containerization is sexy
- 🔄 Auto-renewal, because remembering things is for chumps
- 🔐 ECC certs because... math
- 🧑🎤 Interactive setup wizard that holds your hand like a scared raccoon
Before we ride this unicorn, you’ll need:
- A working Pi-hole (duh)
- A domain or subdomain aimed squarely at your Pi-hole
- DNS provider API creds (no stealing!)
- A bash shell and `curl` installed
- Enough permission mojo to mess with your Pi-hole config
We got ‘em all. Well, at least the cool ones:
- Cloudflare (bring your API token, not your drama)
- Namecheap (username, API key, source IP… and a love letter)
- GoDaddy (key + secret = 🔓)
- AWS Route53 (keys or credential files, you choose your poison)
- DigitalOcean (token, please)
- Linode (yep, also token)
- Google Cloud DNS (service account JSON file — it’s a party)
- deSEC (token, once again)
```bash
curl -O https://raw.githubusercontent.com/PrimePoobah/Pihole_V6_Lets_Encrypt_SSL_Setup_Script/refs/piholev6-ssl-setup.sh
chmod +x piholev6-ssl-setup.sh
./piholev6-ssl-setup.sh
```
When you run this magnificent beast:
- It detects Docker (because it’s psychic)
- Asks for your domain (e.g., `pihole.yourcooldomain.com`)
- Gets your email (for Let's Encrypt. No spam. Probably.)
- Asks which DNS god you worship
- Collects your API soul… I mean credentials
- Installs `acme.sh` if it's slacking
- Gets your certificate 🎉
- Configures Pi-hole to use it
- Sets up auto-renewal so you can forget this ever happened
No YAML, no BS. It’ll ask you things like:
- Your domain
- Your email
- Your DNS provider
- Your API credentials
You answer. It obeys. Like a good intern.
Using Docker? You Rockstar. No problem.
- It asks for your container name (`pihole` by default, don't be a maverick)
- Copies certs into the container
- Tells Pi-hole to behave with HTTPS
- Hooks into renewals like a cybernetic octopus
Example nerd-fu:
```bash
docker cp /path/to/tls.pem pihole:/etc/pihole/tls.pem
docker exec pihole pihole-FTL --config webserver.domain your-domain.com
docker exec pihole service pihole-FTL restart
```
Because who wants to do anything manually?
This script:
- Sets a cron job to check every 60 days-ish
- Renews when it’s close to expiry
- Installs the new cert
- Restarts `pihole-FTL` like a champ
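Assuming the host path and default container name shown above, and that Pi-hole v6 reads its private key and certificate chain from that one `tls.pem` file, here is an added example of a renewal hook (my code, not the script's or Pi-hole's) that builds the file, refuses a malformed or world-readable one, and installs it on the host or into Docker so acme.sh can call it after every renewal:

```shell
#!/usr/bin/env bash
# Added example, not the script this README describes: a post-renewal hook that
# builds the single tls.pem Pi-hole v6 reads (key + full chain), checks it, and
# installs it. Paths, the container name "pihole" and the domain are assumptions.
set -u

# Concatenate key + chain into one PEM. The result holds the private key, so it
# is written under a restrictive umask and chmod'ed to 600 regardless.
build_tls_pem() {
    local key="$1" chain="$2" out="$3"
    [ -s "$key" ] && [ -s "$chain" ] || { echo "missing key or chain" >&2; return 1; }
    ( umask 077 && cat "$key" "$chain" > "$out" ) || return 1
    chmod 600 "$out"
}

# Refuse to hand pihole-FTL a file that is malformed or readable by others:
# exactly one private key block, at least one certificate block, mode 600.
verify_tls_pem() {
    local pem="$1" keys certs mode
    [ -f "$pem" ] || { echo "$pem: not found" >&2; return 1; }
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    [ "$keys" -eq 1 ] || { echo "expected one private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "no certificate block in $pem" >&2; return 1; }
    [ "$mode" = "600" ] || { echo "$pem is mode $mode, expected 600" >&2; return 1; }
}

# Install a verified PEM: docker cp into the container when a name is given,
# otherwise onto the host, then restart pihole-FTL so it picks up the new cert.
install_tls_pem() {
    local pem="$1" container="${2:-}"
    verify_tls_pem "$pem" || return 1
    if [ -n "$container" ]; then
        docker cp "$pem" "$container:/etc/pihole/tls.pem" &&
            docker exec "$container" service pihole-FTL restart
    else
        install -m 600 "$pem" /etc/pihole/tls.pem && systemctl restart pihole-FTL
    fi
}

# Run directly as: hook.sh KEY CHAIN [CONTAINER]. Wire it to acme.sh so it
# fires on every renewal (assumed domain and paths):
#   ~/.acme.sh/acme.sh --install-cert -d pihole.example.com --ecc \
#     --key-file /root/pihole.key --fullchain-file /root/pihole.chain \
#     --reloadcmd "/root/hook.sh /root/pihole.key /root/pihole.chain pihole"
if [ "$#" -ge 2 ]; then
    work=$(mktemp -d) && build_tls_pem "$1" "$2" "$work/tls.pem" &&
        install_tls_pem "$work/tls.pem" "${3:-}"; rc=$?; rm -rf "$work"; exit "$rc"
fi
```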
Manual override?
```bash
~/.acme.sh/acme.sh --renew -d your-domain.com --force
```
Can't get a cert?
- Check your DNS API creds
- Verify your DNS settings
- Sacrifice a virtual goat? (not required, but might help)
HTTPS not working?
- Check your files: `ls -l /etc/pihole/tls.pem`
- Read the logs: `sudo systemctl status pihole-FTL`
- Verify DNS is pointed correctly
Docker crying?
- Check your container name
- Verify paths
- Read those juicy `docker logs pihole`
Because I care about your bits:
- API creds are stored temporarily
- Docker copies are done internally
- Only give API tokens the bare minimum rights
- Use restricted service accounts if you’re an AWS/Google ninja
Wanna help? Sweet.
- Fork the repo
- Create a branch: `git checkout -b feature/deadpool-does-ssl`
- Make your changes. Go wild.
- Commit and push: `git commit -m "Made it 1000% cooler"` then `git push origin feature/deadpool-does-ssl`
- Open a PR. I'll bring the tacos.
MIT. Do whatever. But if it breaks, you get to keep both halves.
This project wouldn't be possible without the following open-source projects and contributors:
- Pi-hole: Because ads suck.
- acme.sh: Shell-fu for SSL magic.
- Let's Encrypt: Saving the internet one free cert at a time.
- mplabs: For adding deSEC support and increasing the awesome.
“This is not officially affiliated with Pi-hole, but it’s got a whole lotta love for it.”
🧨 Now go secure your Pi-hole like a cyber-ninja.