Access LUCI by a secure HTTPS connection

Hi all,

My goal is to reach LUCI interface of my 3 Openwrt devices by a secure HTTPS connection instead of the standard HTTP. I access LUCI always from the same two clients so adding a certificate in the Brave browser is no problem (access need from a Windows and Android device).

I have tried multiple methods, all without a proper result. My question now is: what is the easiest way to set up an HTTPS connection to your LUCI interface? I prefer to have a one-time "set and forget" setup without a yearly expiry of self-signed certificates. I don’t own a domain name to use with Let’s Encrypt. I do use a DDNS link from my main router to a duckdns.org name.

Options already tried (without success); the warning remains ‘Your connection is not private’:

First option tried:

As per wiki for new openwrt devices: https://openwrt.org/docs/guide-user/luci/luci.secure

uci set uhttpd.main.redirect_https=1     # 1 to enable redirect, 0 to disable redirect
uci commit uhttpd
service uhttpd reload

I am not sure if extra steps were required to create a self-signed certificate or load it into your browser?

Second try (in the past this would work on my older openwrt devices but I had a yearly expiry):

https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings

Make a self-trusted openssl certificate, connect it to LUCI uhttpd and load the certificate in your client browsers.

Third try:

Use the XCA tool to create a self-signed certificate and load it manually in uhttpd as explained in this video: https://www.youtube.com/watch?v=Z81jegMCrfk

https://hohnstaedt.de/xca/ tool

A new option I came across is to use a duckdns free domain name, create a Let’s Encrypt certificate and run a Nginx Proxy Manager on an extra Linux server, as per this video. Disadvantage is that an extra server in your network is required, plus a DNS server to have access when your internet is down: https://www.youtube.com/watch?v=qlcVx-k-02E

onetime setup without a yearly expiry of self-signed certificates

Not possible at all… See cab forum baseline 2.1.7 → 6.3.2 Certificate operational periods and key pair usage periods

Typically you “don't have to do anything” for https: to work out of the box.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/uhttpd

DDNS should be enough for a public acme.sh cert ?

1 Like

This is the output of the two commands:

root@Flint2AP:~# ubus call system board
{
"kernel": "6.6.93",
"hostname": "Flint2AP",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.2",
"revision": "r28739-d9340319c6",
"target": "mediatek/filogic",
"description": "OpenWrt 24.10.2 r28739-d9340319c6",
"builddate": "1750711236"
}
}
root@Flint2AP:~# cat /etc/config/uhttpd

config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option redirect_https '0'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'

config cert 'defaults'
option days '397'
option key_type 'ec'
option bits '2048'
option ec_curve 'P-256'
option country 'ZZ'
option state 'Somewhere'
option location 'Unknown'
option commonname 'OpenWrt'

When I try to enable by commands:

uci set uhttpd.main.redirect_https=1
uci commit uhttpd
service uhttpd reload

And reload the LUCI interface of my access point, I get a message in my browser:

Have you installed the luci-ssl (not 100% sure of the name) package ?

Yes from LUCI-system-software I can see luci-ssl is installed (was default on my fresh image 24.10.2).

Here’s a guide to have “real” Let's Encrypt SSL certificates on your LUCI using acme-dns.
Please note that you MUST own some domain name and be able to create CNAME DNS records for its subdomains.

https://wiki.fil.guru/t/openwrt-acmedns-tls

Thanks for your reply. As I don’t own a full domain name, is this something that will work with a free domain service such as duckdns.org? And how will this work for multiple access points? (As I currently have only one duckdns.org DDNS service running, for only my main router (e.g. myname.duckdns.org) and not for all my access points.)

I really do not understand your struggles. The https: listener is on by default, with a self-signed certificate, no configuration needed whatsoever.

1 Like

In this case, I think "secure HTTPS connection" means a publicly-valid certificate.

All the user has to do is note the serial number of the self-signed cert for reference when connecting in the future.

Well, if you read cab forum spec, no eternal certificates in this world in this century.

What about a pragmatic approach, in the sense of just accepting the bad cert once (per device)?

DDNS and letsencrypt is an option, but gets really ugly once you have multiple devices to take care of (unless you go IPv6-only, which is an option) and requires at least some internet-side accessibility to your uhttpd instance (not recommended at all).

A self-signed CA and your own certs is possible, but at least I wouldn't want to take care of the CA deployment around all of my (client-) devices (too many, too many different approaches, possible, but really inconvenient). On top of that the private CA isn't exactly improving security, unless you treat it veeery carefully.

Yes, I realize that this situation sucks for LAN-only devices, both in the sense of certs/ cert deployment and browsers increasingly disliking unencrypted http and self-signed certs, but at least for me the approach of accepting the self-signed cert once (per client/ per renewal time frame) is the least problematic approach.

2 Likes

EDIT: I got it working again. The main problem was that I misinterpreted DNS.1 in my self-signed certificates. I used the actual DNS IP instead of my DNS hostname. This DNS hostname I verified with nslookup against the IP I needed the certificate for, e.g. nslookup 192.168.178.48. Then I ensured the IP and the correct DNS.1 hostname are used in my self-signed certificate. The DNS hostname I also use as the CN name option. Now I can make new self-signed certificates with openssl and with a tool such as XCA.

And to answer my other question: you don’t need any luci-app-uhttpd, you can just overwrite the files

/etc/uhttpd.crt
/etc/uhttpd.key
service uhttpd reload

And activate the HTTPS redirect by:

uci set uhttpd.main.redirect_https='1'
uci commit uhttpd
service uhttpd reload

As guidance this wiki was helpful: https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings

And this explanation OneMarcFifty Certificates incl XCA use https://www.youtube.com/watch?v=Z81jegMCrfk

1 Like

This is wrong. I have certificates that expire in 6024.

Safari makes you click past the warning every time you encounter a too-valid cert….

1 Like

Safari doesn't support half of the content on the internet, let alone basic regex, and a host of other features. I'm shocked that anyone still uses it.

Regarding the other option, I progressed from trying to do everything on my router to using an old netbook as a debian server (to now two mini PCs and proxmox). I run Nginx Proxy Manager in Docker. I don’t need a separate DNS server for offline access, I use OpenWRT’s wildcard DNS features. I do have a separate DNS server (on the server) solely to resolve to Tailscale addresses, so that my subdomains work seamlessly from anywhere.

As for domains, I would just buy the 1 year discount scam price (~1$) and throw it away after the year. This is a cheap option unless you have dozens and dozens of subdomains you’ll need to migrate every year. Nginx PM can use DNS challenge to get wildcard certs and auto-renew.

I have almost the same requirements / I have set it up using luci-ssl and redirect_https=1 and it works great.

How do I generate new keys manually? Or should I switch to px5g-mbedtls to easily generate new keys when needed?

Delete the old keys, restart the service?

What service do you mean? uhttpd?
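Regarding the DNS.1/IP mix-up in the EDIT post further up and the question just above about generating new keys by hand: the script below is an added example (my own, not the thread's or OpenWrt's code) that builds the key/cert pair on a client PC with openssl, puts both the LAN hostname and the IP into the SAN, checks the name match the way a browser does, and leaves the copy-to-router step as comments. The hostname flint2ap.lan is assumed; 192.168.178.48 is the IP from the thread. uhttpd's init script only generates its own pair when /etc/uhttpd.crt and /etc/uhttpd.key are missing, so a hand-made pair copied over those paths is used as-is.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed cert for uhttpd whose SAN
# carries BOTH the LAN hostname and the IP you type into the browser.
# Assumed values: hostname flint2ap.lan, IP 192.168.178.48 (from the thread).
HOST="${HOST:-flint2ap.lan}"
IP="${IP:-192.168.178.48}"
DAYS="${DAYS:-397}"          # same as uhttpd's 'config cert defaults' above
OUT="${OUT:-./uhttpd-cert}"  # work dir; router paths are /etc/uhttpd.{crt,key}

make_uhttpd_cert() {
  mkdir -p "$OUT"
  # EC prime256v1 (P-256) key, matching uhttpd's key_type/ec_curve defaults,
  # plus a self-signed cert in one step. -addext needs OpenSSL 1.1.1 or newer.
  # Modern browsers ignore the CN: the name or IP must be in subjectAltName.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$OUT/uhttpd.key" -out "$OUT/uhttpd.crt" -days "$DAYS" \
    -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST,IP:$IP" \
    -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# Print the SAN values so the DNS:/IP Address: entries can be eyeballed.
cert_san() {
  openssl x509 -in "$OUT/uhttpd.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1
}

# Return 0 when the cert would match a URL typed as https://<name>/ ...
matches_host() {
  openssl x509 -in "$OUT/uhttpd.crt" -noout -checkhost "$1" | grep -q 'does match'
}
# ... or as https://<ip>/
matches_ip() {
  openssl x509 -in "$OUT/uhttpd.crt" -noout -checkip "$1" | grep -q 'does match'
}

# Deployment (run by hand, not here): copy the pair over and reload uhttpd.
#   scp "$OUT/uhttpd.crt" root@$IP:/etc/uhttpd.crt
#   scp "$OUT/uhttpd.key" root@$IP:/etc/uhttpd.key
#   ssh root@$IP 'service uhttpd reload'
# Then import uhttpd.crt into the trust store of each client (browser or OS).
```

Run make_uhttpd_cert once, then matches_host / matches_ip with the exact name or address you will put in the URL; a "does NOT match" there is the same mismatch the browser warns about.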