Pi-Hole & Let’s Encrypt (2025)
Pi-Hole v6 stops using lighttpd and has its own internal web server, which means a change to how Let’s Encrypt certificates get deployed. Having finally upgraded my Pi-Hole install to v6, I needed to tidy this up.
We no longer need acme.sh to renew the lighttpd certificate, so to see the current renewal job, run:
acme.sh --list
Pi-Hole needs the certificate and private key in a single file (much like the original lighttpd), so the acme.sh installation job needs to concatenate the two files together, having removed the old certificate file from the Pi-Hole folder. The last step is to restart the Pi-Hole UI.
The two parameters to change below are, as usual, the two occurrences of pihole.mylab.domain, which should become the FQDN of your Pi-Hole server.
acme.sh --install-cert -d pihole.mylab.domain \
  --reloadcmd "sudo rm -f /etc/pihole/tls* && \
  sudo cat fullchain.cer pihole.mylab.domain.key | sudo tee /etc/pihole/tls.pem && \
  sudo service pihole-FTL restart"
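One way to confirm the combined file is sound once the reloadcmd has run, as an added example that is not part of the original post, acme.sh or Pi-hole. check_tls_pem is a hypothetical helper name; it assumes openssl is installed and that the leaf certificate comes first in the file, as it does with fullchain.cer.

```shell
#!/bin/sh
# Added example: sanity-check the combined PEM that the reloadcmd writes.
# check_tls_pem is a hypothetical helper, not part of acme.sh or Pi-hole.
# Usage: check_tls_pem /etc/pihole/tls.pem pihole.mylab.domain [min_days_left]
check_tls_pem() {
    pem=$1; fqdn=$2; days=${3:-7}

    [ -r "$pem" ] || { echo "FAIL: cannot read $pem" >&2; return 1; }

    # Both halves of the concatenation must be present.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block" >&2; return 2; }
    key=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$pem")
    [ -n "$key" ] || { echo "FAIL: no private key block" >&2; return 3; }

    # The key must belong to the leaf (first) certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match certificate" >&2; return 4; }

    # The certificate must cover the name set in webserver.domain.
    openssl x509 -in "$pem" -noout -checkhost "$fqdn" 2>&1 |
        grep -q 'does match' ||
        { echo "FAIL: certificate does not cover $fqdn" >&2; return 5; }

    # Catch a renewal job that has silently stopped deploying.
    openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within $days days" >&2; return 6; }

    # The file holds the private key, so flag it if any local user can read it.
    [ -z "$(find "$pem" -perm -004 2>/dev/null)" ] ||
        echo "WARN: $pem is world-readable" >&2

    echo "OK: $pem is valid for $fqdn"
}
```

Run it with sudo if your user cannot read /etc/pihole/tls.pem; a non-zero return code identifies which check failed.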
To ensure Pi-Hole has the correct FQDN configured, you can set this from the CLI as well:
sudo pihole-FTL --config webserver.domain 'pihole.mylab.domain'
sudo service pihole-FTL restart
To check this from the Pi-Hole UI, log in and go to Settings > Web Interface. Enable “Expert Mode” in the top right corner of the UI, then click the new “All Settings” option that has appeared in the left menu bar. Then select “Webserver & API” in the top menu bar; the top item should be webserver.domain and be set to your FQDN.
You can also change the default webserver ports here if you had a problem killing lighttpd and Pi-Hole started listening on a port other than TCP 443.
