I'm trying to set up my two OpenWRT routers to use letsencrypt certificates for LuCI. I have full IPv6 and unique routable IPs, but understandably do not want to open up port 80 to the outside world, so what I'm doing is this:
The first entry on this, Matoya [::10], is running OpenMediaVault (Debian) and doing renewals with certbot standalone with http01_port set to 8080. This one worked and proved the concept. I, of course, have AAAA records for each subdomain I want to create certs for, pointing directly to the devices public IPv6 addresses. My DNS provider, unfortunately, does not provide an update API so I have to use the HTTP challenge.
My main router is Etheirys [::1], an IEI Puzzle M902. I also have an OpenWRT access point, Hydaelyn [::2], a Redmi AX6S.
On both of these I installed luci-app-acme and set it to standalone, following the wiki. I then edited acme.sh and changed Le_HTTPPort to 8080 and added the following firewall rule on Hydaelyn [::2]:
(I've tried a few variants of it)
Contents of /etc/admin/hydaelyn.[DOMAIN].uk/hydaelyn.[DOMAIN].conf:
Le_Domain='hydaelyn.[DOMAIN]'
Le_Alt='no'
Le_Webroot='no'
Le_PreHook='__ACME_BASE64__START_[BASE64STRING]__ACME_BASE64__END_'
Le_PostHook=''
Le_RenewHook='__ACME_BASE64__START_[BASE64STRING]__ACME_BASE64__END_'
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_HTTPPort='8080'
Le_Keylength='2048'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/[NUMBER]/[NUMBER]'
Running service acme start with debug enabled outputs a lot, but this is the error that comes back from Let's Encrypt:
Invalid status, hydaelyn.[DOMAIN]:Verify error detail:2a0e:xxxx:xxxx:xxxx::2: Fetching http://hydaelyn.[DOMAIN]/.well-known/acme-challenge/hbbO58nHHYF6hOM5eb_oSwJmi-v-c922zgUtaEFdwU8: Connection refused
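The "Connection refused" in that error means the Let's Encrypt validator opened a TCP connection to the router's IPv6 address on port 80 and nothing was listening there; Le_HTTPPort only moves the standalone listener to 8080, so something on the router still has to accept port 80 and hand it to 8080. The script below is an added example, not code from the post or from acme.sh or luci-app-acme. It fetches the same /.well-known/acme-challenge/TOKEN URL the validator fetches and classifies the outcome, so you can run it from another host against the router on port 80 (what the CA sees) and on 8080 (the acme.sh listener) and tell the two failure modes apart. It also includes a small mock challenge server, bound to localhost on an ephemeral port, so the probe can be exercised offline; the token and key-authorization values in it are constructed, not real challenge material.

```python
import http.server
import socket
import socketserver
import threading
import urllib.error
import urllib.request

# Path prefix fixed by the ACME HTTP-01 challenge (RFC 8555 section 8.3).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def probe_challenge(host, port, token, timeout=5.0):
    """Fetch the HTTP-01 URL the way a CA validator does and classify the result.

    Returns {'status': 'ok' | 'http_error' | 'refused' | 'error', 'code': int | None,
             'detail': str}.  'refused' is the case from the post: TCP connect failed.
    """
    # Literal IPv6 addresses must be bracketed in a URL.
    host_part = f"[{host}]" if ":" in host and not host.startswith("[") else host
    url = f"http://{host_part}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return {"status": "ok", "code": resp.status,
                    "detail": resp.read().decode(errors="replace")}
    except urllib.error.HTTPError as e:
        # A server answered, but not with the token: wrong vhost or wrong webroot.
        return {"status": "http_error", "code": e.code, "detail": str(e)}
    except urllib.error.URLError as e:
        if isinstance(e.reason, ConnectionRefusedError):
            return {"status": "refused", "code": None, "detail": str(e.reason)}
        return {"status": "error", "code": None, "detail": str(e.reason)}
    except OSError as e:  # read timeouts and other socket-level failures
        return {"status": "error", "code": None, "detail": str(e)}


def interpret(port80, listener):
    """Turn two probe results (port 80 as the CA sees it, and the acme.sh listener
    port) into a one-line diagnosis."""
    if port80["status"] == "ok":
        return "port 80 serves the challenge; validation should pass"
    if listener["status"] == "ok" and port80["status"] == "refused":
        return "listener is up but port 80 is not forwarded to it"
    if listener["status"] == "refused":
        return "nothing is listening on the acme.sh port; start the standalone server"
    return f"port 80: {port80['status']}, listener: {listener['status']}"


# --- mock challenge responder, used only for the offline self-test ------------
class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        body = self.server.tokens.get(token) if token else None
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the self-test quiet
        pass


class ChallengeServer(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, bind, tokens):
        self.tokens = tokens  # token -> key authorization (constructed values in tests)
        super().__init__(bind, _ChallengeHandler)


def serve_in_background(tokens, host="127.0.0.1", port=0):
    """Start the mock responder on an ephemeral port; returns (server, port)."""
    srv = ChallengeServer((host, port), tokens)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_port():
    """Pick a localhost port with nothing listening, to reproduce 'Connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "hydaelyn.example.invalid"  # placeholder
    tok = sys.argv[2] if len(sys.argv) > 2 else "constructed-token"
    print(interpret(probe_challenge(host, 80, tok), probe_challenge(host, 8080, tok)))
```

Against a live router, run it as `python3 probe.py hydaelyn.<your-domain> <token>` from a host outside the LAN while `acme.sh --issue` is waiting, so that the second probe hits the standalone listener on 8080 and the first shows whether port 80 actually reaches it; in the situation described in the post the expected diagnosis is "listener is up but port 80 is not forwarded to it".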