Make the certificate domain configurable (with Pi-hole webserver.domain auto-detection) (#11)

DrNefarius · web-flow · commit 9144323efa8c · 2026-06-02T19:33:45.000+02:00
diff --git a/README.md b/README.md
@@ -28,6 +28,12 @@ That installs the command to:
 
 Then it runs the setup flow (`local-https --install`) and offers auto-renew (systemd timer recommended).
 
+During the interactive install you are asked for a **domain name** to add to the certificate (default `pi.hole`). Pick whatever your network uses (e.g. `home.lan`, `dns.home`). To set it non-interactively, pass it as an environment variable:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/luizbizzio/local-https/main/install.sh | sudo LOCAL_HTTPS_DOMAIN=home.lan bash
+```
+
 -----
 
 ## ✨ What it does
@@ -36,7 +42,7 @@ Then it runs the setup flow (`local-https --install`) and offers auto-renew (sys
 - 🪪 Issues a **server certificate** (default: **40 days**) with SANs for:
   - hostname
   - relevant LAN IPs (filtered)
-  - `pi.hole` when Pi-hole is detected
+  - a configurable **domain name** (default `pi.hole`)
   - Tailscale DNS name when available
 - 📦 Generates:
   - `server.pem` (cert + key, for services like Pi-hole)
@@ -63,6 +69,31 @@ Then it runs the setup flow (`local-https --install`) and offers auto-renew (sys
 
 -----
 
+## 🌐 Custom domain
+
+The certificate includes a friendly domain name (default `pi.hole`). If your network uses a different local domain, you can configure it. The chosen domain is added to the certificate SANs and is remembered across renewals (stored in the state file).
+
+The domain is resolved with the following precedence (highest first):
+
+1. **Environment variable** – `LOCAL_HTTPS_DOMAIN`:
+   ```bash
+   sudo LOCAL_HTTPS_DOMAIN=home.lan local-https --install
+   ```
+2. **CLI flag** – `--domain` (works with `--install`, `--configure`, and `--renew`):
+   ```bash
+   sudo local-https --install --domain home.lan
+   sudo local-https --configure --domain dns.home
+   ```
+3. **Persisted state** – whatever was chosen on the previous run (so renewals stay consistent).
+4. **Pi-hole auto-detection** – on a fresh install, if Pi-hole is detected the script reads its configured `webserver.domain` (via `pihole-FTL --config`, falling back to `/etc/pihole/pihole.toml`) and uses that as the default.
+5. **Default** – `pi.hole`.
+
+During an interactive `--install`/`--configure` you are also prompted, pre-filled with the resolved value (press Enter to keep it).
+
+To change the domain on an existing install, run `sudo local-https --configure --domain <name>` (or `sudo local-https --renew --force-renew --domain <name>`). The Root CA stays the same, so there is nothing new to trust on your devices.
+
+-----
+
 ## 🔁 Auto-renew (how it works)
 
 - 📅 The server certificate is issued for **40 days**.
diff --git a/install.sh b/install.sh
@@ -16,7 +16,7 @@ INSTALL_PATH="/usr/local/sbin/local-https"
 SOURCE_URL_DEFAULT="${REPO_RAW_BASE}/local-https.sh"
 SOURCE_URL="${LOCAL_HTTPS_SOURCE_URL:-$SOURCE_URL_DEFAULT}"
 
-EXPECTED_SHA256_DEFAULT="4b8578df5a86e9d66ef7911bfce91b4009fb9749864d309f267e34ceb4864733"
+EXPECTED_SHA256_DEFAULT="07fe2a6a55de638e07d1699886e48e55a19e2031b084cdfdaca4843733cf6960"
 EXPECTED_SHA256="${LOCAL_HTTPS_EXPECTED_SHA256:-$EXPECTED_SHA256_DEFAULT}"
 
 NONINTERACTIVE="${LOCAL_HTTPS_NONINTERACTIVE:-0}"
@@ -118,13 +118,15 @@ run_installer_interactive() {
       LOCAL_HTTPS_BOOTSTRAP=1 \
       LOCAL_HTTPS_NONINTERACTIVE="$NONINTERACTIVE" \
       LOCAL_HTTPS_AUTO_PIHOLE="${LOCAL_HTTPS_AUTO_PIHOLE:-}" \
+      LOCAL_HTTPS_DOMAIN="${LOCAL_HTTPS_DOMAIN:-}" \
       "$INSTALL_PATH" --install
   fi
 
   exec env \
     LOCAL_HTTPS_BOOTSTRAP=1 \
     LOCAL_HTTPS_NONINTERACTIVE=1 \
     LOCAL_HTTPS_AUTO_PIHOLE="${LOCAL_HTTPS_AUTO_PIHOLE:-}" \
+    LOCAL_HTTPS_DOMAIN="${LOCAL_HTTPS_DOMAIN:-}" \
     "$INSTALL_PATH" --install
 }
 
diff --git a/local-https.sh b/local-https.sh
@@ -52,6 +52,15 @@ INSTALL_PATH="/usr/local/sbin/local-https"
 SCRIPT_SOURCE_URL_DEFAULT="https://raw.githubusercontent.com/luizbizzio/local-https/main/local-https.sh"
 SCRIPT_SOURCE_URL="${LOCAL_HTTPS_SOURCE_URL:-$SCRIPT_SOURCE_URL_DEFAULT}"
 
+# Friendly domain name added to the certificate SANs (and used as the preferred
+# URL when Pi-hole is present). Configurable so it does not have to be "pi.hole".
+# Precedence at runtime:
+#   LOCAL_HTTPS_DOMAIN env > --domain CLI > persisted state > Pi-hole webserver.domain > default.
+DOMAIN_DEFAULT="pi.hole"
+DOMAIN=""
+DOMAIN_CLI=""
+DOMAIN_FROM_PIHOLE=0
+
 SSL_DIR="/etc/ssl/servercerts"
 CERT_GROUP="certs"
 
@@ -140,6 +149,87 @@ read_state_value() {
   state_unquote "$val" || true
 }
 
+sanitize_domain() {
+  local d="${1:-}"
+  d="$(printf '%s' "$d" | tr -d '[:space:]' | tr 'A-Z' 'a-z')"
+  d="${d#.}"
+  d="${d%.}"
+  case "$d" in
+    ""|*[!a-z0-9.-]*) printf '%s' ""; return 0 ;;
+  esac
+  printf '%s' "$d"
+}
+
+detect_pihole_domain() {
+  local d=""
+
+  if command -v pihole-FTL >/dev/null 2>&1; then
+    d="$(pihole-FTL --config webserver.domain 2>/dev/null | head -n1 || true)"
+  fi
+
+  if [ -z "$d" ] && [ -f "$PIHOLE_TOML" ]; then
+    d="$(awk '
+      /^[[:space:]]*\[webserver\][[:space:]]*$/ { inws=1; next }
+      /^[[:space:]]*\[/ { inws=0 }
+      inws==1 && /^[[:space:]]*domain[[:space:]]*=/ {
+        v=$0
+        sub(/^[^=]*=[[:space:]]*/, "", v)
+        sub(/[[:space:]]*#.*$/, "", v)
+        gsub(/^["'"'"']|["'"'"'][[:space:]]*$/, "", v)
+        print v
+        exit
+      }
+    ' "$PIHOLE_TOML" 2>/dev/null || true)"
+  fi
+
+  printf '%s' "$d"
+}
+
+resolve_domain() {
+  local d=""
+  DOMAIN_FROM_PIHOLE=0
+  if [ -n "${LOCAL_HTTPS_DOMAIN:-}" ]; then
+    d="$LOCAL_HTTPS_DOMAIN"
+  elif [ -n "${DOMAIN_CLI:-}" ]; then
+    d="$DOMAIN_CLI"
+  else
+    d="$(read_state_value domain)"
+    if [ -z "$d" ] && [ "${PIHOLE_PRESENT:-0}" -eq 1 ]; then
+      d="$(sanitize_domain "$(detect_pihole_domain)")"
+      if [ -n "$d" ]; then
+        DOMAIN_FROM_PIHOLE=1
+      fi
+    fi
+  fi
+  d="$(sanitize_domain "$d")"
+  [ -n "$d" ] || d="$DOMAIN_DEFAULT"
+  DOMAIN="$d"
+}
+
+maybe_prompt_domain() {
+  [ -n "${LOCAL_HTTPS_DOMAIN:-}" ] && return 0
+  [ -n "${DOMAIN_CLI:-}" ] && return 0
+  [ "$NONINTERACTIVE" -eq 1 ] && return 0
+  [ -t 0 ] || return 0
+
+  local current="${DOMAIN:-$DOMAIN_DEFAULT}"
+  local ans="" clean=""
+  while true; do
+    read -r -p "$(printf '%b' "\033[36m[?]\033[0m Certificate domain name (e.g. pi.hole, home.lan) [${current}]: ")" ans || ans=""
+    if [ -z "$ans" ]; then
+      DOMAIN="$current"
+      return 0
+    fi
+    clean="$(sanitize_domain "$ans")"
+    if [ -n "$clean" ]; then
+      DOMAIN="$clean"
+      out "\033[32m[✓]\033[0m Using domain: $DOMAIN"
+      return 0
+    fi
+    out "\033[33m[!]\033[0m Invalid domain. Use letters, digits, dots, and hyphens."
+  done
+}
+
 svc_active() {
   local name="$1"
   if has_systemctl; then
@@ -356,6 +446,7 @@ write_state() {
     echo "installed_at=$(sh_quote "$installed_at")"
     echo "last_run_at=$(sh_quote "$ts")"
     echo "hostname=$(sh_quote "${HOSTNAME:-$(hostname 2>/dev/null || true)}")"
+    echo "domain=$(sh_quote "${DOMAIN:-$DOMAIN_DEFAULT}")"
     echo "applied_targets=$(sh_quote "$applied")"
     echo "autorenew_method=$(sh_quote "$method")"
     echo "pihole_detected=$(sh_quote "${PIHOLE_PRESENT:-0}")"
@@ -483,20 +574,23 @@ remove_block() {
 print_help() {
   echo ""
   echo "Usage:"
-  echo "  $SCRIPT_CMD_NAME --install"
-  echo "  $SCRIPT_CMD_NAME --renew [--force-renew]"
+  echo "  $SCRIPT_CMD_NAME --install [--domain <name>]"
+  echo "  $SCRIPT_CMD_NAME --renew [--force-renew] [--domain <name>]"
   echo "  $SCRIPT_CMD_NAME --check"
   echo "  $SCRIPT_CMD_NAME --status"
   echo "  $SCRIPT_CMD_NAME --print-ca"
   echo "  $SCRIPT_CMD_NAME --print-pfx-pass"
   echo "  $SCRIPT_CMD_NAME --rotate-pfx-pass"
-  echo "  $SCRIPT_CMD_NAME --configure"
+  echo "  $SCRIPT_CMD_NAME --configure [--domain <name>]"
   echo "  $SCRIPT_CMD_NAME --uninstall [--yes] [--purge-certs]"
   echo ""
   echo "Notes:"
   echo "  - Running without args shows this help."
   echo "  - If already installed, --install will not run again."
   echo "  - Reinstall only via: --uninstall then --install"
+  echo "  - --domain sets the friendly name added to the certificate (default: $DOMAIN_DEFAULT)."
+  echo "    It is remembered across renewals. You can also set LOCAL_HTTPS_DOMAIN."
+  echo "    If Pi-hole is detected and no domain is set, its webserver.domain is used."
   echo ""
 }
 
@@ -715,6 +809,13 @@ read_host_identity() {
   HOSTNAME="$(hostname 2>/dev/null || true)"
   [ -n "$HOSTNAME" ] || HOSTNAME="localhost"
 
+  resolve_domain
+  if [ "$DOMAIN_FROM_PIHOLE" -eq 1 ]; then
+    out "\033[34m[i]\033[0m Detected Pi-hole web domain: $DOMAIN"
+  else
+    vout "\033[34m[i]\033[0m Domain: $DOMAIN"
+  fi
+
   collect_san_ips_from_hostname_i
 
   local ip_count=0
@@ -807,6 +908,7 @@ issue_or_renew_server_cert() {
 
   [ -n "${HOSTNAME:-}" ] || HOSTNAME="$(hostname 2>/dev/null || true)"
   [ -n "${HOSTNAME:-}" ] || HOSTNAME="localhost"
+  [ -n "${DOMAIN:-}" ] || resolve_domain
 
   cat << EOF > server-openssl.cnf
 [ req ]
@@ -828,18 +930,19 @@ DNS.1 = $HOSTNAME
 EOF
 
   local DNS_INDEX=2
-  
-  if [ "$HOSTNAME" != "pi.hole" ]; then
-    echo "DNS.${DNS_INDEX} = pi.hole" >> server-openssl.cnf
+  local DOMAIN_SHORT="${DOMAIN%%.*}"
+
+  if [ -n "$DOMAIN" ] && [ "$HOSTNAME" != "$DOMAIN" ]; then
+    echo "DNS.${DNS_INDEX} = $DOMAIN" >> server-openssl.cnf
     DNS_INDEX=$((DNS_INDEX + 1))
   fi
-  
-  if [ -n "$TAILSCALE_DNS" ] && [ "$TAILSCALE_DNS" != "null" ] && [ "$TAILSCALE_DNS" != "pi.hole" ] && [ "$TAILSCALE_DNS" != "$HOSTNAME" ]; then
+
+  if [ -n "$TAILSCALE_DNS" ] && [ "$TAILSCALE_DNS" != "null" ] && [ "$TAILSCALE_DNS" != "$DOMAIN" ] && [ "$TAILSCALE_DNS" != "$HOSTNAME" ]; then
     echo "DNS.${DNS_INDEX} = $TAILSCALE_DNS" >> server-openssl.cnf
     DNS_INDEX=$((DNS_INDEX + 1))
   fi
-  
-  if [ -n "$TAILSCALE_SHORT" ] && [ "$TAILSCALE_SHORT" != "null" ] && [ "$TAILSCALE_SHORT" != "$HOSTNAME" ] && [ "$TAILSCALE_SHORT" != "pi" ] && [ "$TAILSCALE_SHORT" != "pihole" ]; then
+
+  if [ -n "$TAILSCALE_SHORT" ] && [ "$TAILSCALE_SHORT" != "null" ] && [ "$TAILSCALE_SHORT" != "$HOSTNAME" ] && [ "$TAILSCALE_SHORT" != "$DOMAIN_SHORT" ]; then
     echo "DNS.${DNS_INDEX} = $TAILSCALE_SHORT" >> server-openssl.cnf
     DNS_INDEX=$((DNS_INDEX + 1))
   fi
@@ -907,8 +1010,8 @@ EOF
     for _ip in $FILTERED_IPS; do ip_count=$((ip_count + 1)); done
 
     local dns_list="$HOSTNAME"
-    if [ "$PIHOLE_PRESENT" -eq 1 ]; then
-      dns_list="$dns_list, pi.hole"
+    if [ -n "$DOMAIN" ] && [ "$DOMAIN" != "$HOSTNAME" ]; then
+      dns_list="$dns_list, $DOMAIN"
     fi
     if [ -n "$TAILSCALE_DNS" ] && [ "$TAILSCALE_DNS" != "null" ]; then
       dns_list="$dns_list, $TAILSCALE_DNS"
@@ -1158,7 +1261,7 @@ deploy_pihole_ftl_tls() {
 choose_preferred_dns() {
   local d=""
   if [ "${PIHOLE_PRESENT:-0}" -eq 1 ]; then
-    d="pi.hole"
+    d="${DOMAIN:-$DOMAIN_DEFAULT}"
   fi
   if [ -z "$d" ] && [ -n "${TAILSCALE_DNS:-}" ] && [ "${TAILSCALE_DNS:-}" != "null" ]; then
     d="$TAILSCALE_DNS"
@@ -1755,6 +1858,7 @@ status() {
     echo "- State file: present ($STATE_FILE)"
     echo "- Installed at: $(read_state_value installed_at)"
     echo "- Last run at: $(read_state_value last_run_at)"
+    echo "- Domain: $(read_state_value domain)"
     echo "- Applied targets: $(read_state_value applied_targets)"
     echo "- Auto renew method: $(read_state_value autorenew_method)"
     echo "- Cert renewed last run: $(read_state_value cert_renewed)"
@@ -1908,6 +2012,8 @@ renew_flow() {
   HOSTNAME="$(hostname 2>/dev/null || true)"
   [ -n "$HOSTNAME" ] || HOSTNAME="localhost"
 
+  resolve_domain
+
   collect_san_ips_from_hostname_i
 
   TAILSCALE_DNS=""
@@ -2015,6 +2121,7 @@ configure_flow() {
 
   detect_pihole_and_technitium
   read_host_identity
+  maybe_prompt_domain
   prepare_dir
 
   [ -f "$CA_CRT" ] && [ -f "$CA_KEY" ] || create_or_reuse_ca
@@ -2068,6 +2175,7 @@ install_flow() {
 
   detect_pihole_and_technitium
   read_host_identity
+  maybe_prompt_domain
   prepare_dir
   create_or_reuse_ca
   issue_or_renew_server_cert
@@ -2094,6 +2202,14 @@ parse_cli() {
       ;;
     --install)
       shift
+      while [ "$#" -gt 0 ]; do
+        case "$1" in
+          --domain) DOMAIN_CLI="${2:-}"; shift 2 || shift; continue ;;
+          --domain=*) DOMAIN_CLI="${1#*=}" ;;
+          *) ;;
+        esac
+        shift
+      done
       install_flow
       exit 0
       ;;
@@ -2102,6 +2218,8 @@ parse_cli() {
       while [ "$#" -gt 0 ]; do
         case "$1" in
           --force-renew) FORCE_RENEW=1 ;;
+          --domain) DOMAIN_CLI="${2:-}"; shift 2 || shift; continue ;;
+          --domain=*) DOMAIN_CLI="${1#*=}" ;;
           *) ;;
         esac
         shift
@@ -2131,6 +2249,14 @@ parse_cli() {
       ;;
     --configure)
       shift
+      while [ "$#" -gt 0 ]; do
+        case "$1" in
+          --domain) DOMAIN_CLI="${2:-}"; shift 2 || shift; continue ;;
+          --domain=*) DOMAIN_CLI="${1#*=}" ;;
+          *) ;;
+        esac
+        shift
+      done
       configure_flow
       exit 0
       ;;
