acme.sh: opkg package vs GitHub (Let's Encrypt)

What is the best method for using acme on a new LEDE 18.06 router (WNDR3700v1)?
I installed acme.sh from opkg but I'm not able to get it to issue certificates for my domain. logread complains about:

Sun Dec 22 16:51:44 2019 daemon.err run-acme[3482]: acme: port80 listens: 2716/uhttpd 2716/uhttpd
Sun Dec 22 16:51:44 2019 daemon.debug acme: Found uhttpd listening on port 80; trying to disable.
Sun Dec 22 16:51:44 2019 daemon.err run-acme[3482]: acme: Found uhttpd listening on port 80; trying to disable.
Sun Dec 22 16:51:45 2019 daemon.debug acme: Found uhttpd listening on port 80; trying to disable.
Sun Dec 22 16:51:45 2019 daemon.err run-acme[3482]: acme: Found uhttpd listening on port 80; trying to disable.
Sun Dec 22 16:51:45 2019 daemon.err run-acme[3482]: uci: Entry not found
Sun Dec 22 16:51:45 2019 daemon.err acme: LEDE.damnfbi.tk: Unable to find uhttpd listen config.
Sun Dec 22 16:51:45 2019 daemon.err run-acme[3482]: acme: LEDE.EXAMPLE.COM: Unable to find uhttpd listen config.
Sun Dec 22 16:51:45 2019 daemon.err acme: Manually disable uhttpd or set webroot to continue.
Sun Dec 22 16:51:45 2019 daemon.err run-acme[3482]: acme: Manually disable uhttpd or set webroot to continue.

While I seem to have acme.sh installed under /usr/lib/acme/acme.sh, I can't run it without errors and it doesn't show up when I try to run 'acme.sh' from the CLI. Is there a good tutorial somewhere on configuration when using the opkg acme package?

You could change uhttpd to listen on another port than 80, or listen only to specific IP addresses (such as lan addresses) instead of 0.0.0.0 or [::].

I use the acme package from the repo (but I use it manually without OpenWrt config) and DNS-based authentication.

Maybe you could tell me what I'm doing wrong?

What steps did you follow using the package from the opkg repo?

Yes, you're trying to invoke acme.sh with parameters which make it try to start its own web-server on port 80, while uhttpd is already running on port 80.

Like I said, I use it manually without the init script supplied by the OpenWrt package. Here's my script to install/update certs. Like I also said, I use the DNS-based authentication and not the HTTP request to port 80 (as I don't want to expose LuCI to the internet).

#!/bin/sh
# Issue or renew the certificate for <hostname>.domain.com with acme.sh using
# DNS-based (Cloudflare) validation, then point uhttpd at the resulting files.
HOST="$(uci -q get system.@system[0].hostname | tr "A-Z" "a-z")"
[ -n "$HOST" ] || exit 0
# Wait a minute if the WAN is not up yet (e.g. when run right after boot).
/bin/ping -W 2 -w 2 -c 1 google.com >/dev/null 2>&1 || /bin/sleep 60
if [ -s "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.key" ] && \
   [ -s "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.cer" ] && \
   [ "$(uci -q get uhttpd.main.key)" = "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.key" ] && \
   [ "$(uci -q get uhttpd.main.cert)" = "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.cer" ]; then
	# Certificate exists and uhttpd already uses it: let acme.sh renew it when due
	# and restart uhttpd only if a new certificate was installed.
	/usr/lib/acme/acme.sh --cron --home "/etc/acme" --reloadcmd "/etc/init.d/uhttpd restart"
else
	# First run (or stale state): start over and issue via the Cloudflare DNS API.
	rm -rf "/etc/acme/${HOST}.domain.com" >/dev/null 2>&1
	CF_Key='*****' CF_Email='*****' /usr/lib/acme/acme.sh --home "/etc/acme" --issue --dns dns_cf -d "${HOST}.domain.com"
	if [ -s "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.key" ] && \
	   [ -s "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.cer" ]; then
		uci set uhttpd.main.key="/etc/acme/${HOST}.domain.com/${HOST}.domain.com.key"
		uci set uhttpd.main.cert="/etc/acme/${HOST}.domain.com/${HOST}.domain.com.cer"
		uci commit uhttpd
		/etc/init.d/uhttpd restart
	fi
fi
# Drop the cron entry installed by the OpenWrt acme package; this script replaces it.
sed -i '\|/etc/init.d/acme start|d' /etc/crontabs/root

This looks like the same bug I ran into. Notice that the first line in your log has 2716/uhttpd listed twice, and then runs trying to disable twice.

The workaround is to have uhttpd listen only on ipv4's port 80, and not ipv6 port 80.

See https://github.com/openwrt/packages/issues/13325
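As an added illustration of the duplicate-listing point above (this is example code written for this page, not the OpenWrt acme package's own detection logic or anything posted in the thread): the `netstat -lntp` output below is constructed, with uhttpd (PID 2716) bound to port 80 on both 0.0.0.0 and [::]. Counting listeners per socket reports uhttpd twice, which is exactly what the log line "port80 listens: 2716/uhttpd 2716/uhttpd" shows; counting per process reports it once, and a third helper shows which address families the process is bound on, so the IPv6-only binding that the workaround removes is visible.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntp` output (not captured from a real router).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2716/uhttpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2716/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 :::80                   :::*                    LISTEN      2716/uhttpd
tcp        0      0 :::443                  :::*                    LISTEN      2716/uhttpd
tcp        0      0 :::22                   :::*                    LISTEN      900/dropbear'

# port80_listeners_raw NETSTAT_TEXT: the PID/program of every TCP socket
# listening on port 80, one line per socket (so a dual-stack daemon appears twice).
port80_listeners_raw() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp6?$/ && $4 ~ /:80$/ { print $NF }'
}

# port80_listeners_unique NETSTAT_TEXT: the same, collapsed to one line per process,
# which is the count a script should use before deciding how often to stop something.
port80_listeners_unique() {
    port80_listeners_raw "$1" | sort -u
}

# port80_families NETSTAT_TEXT PID/PROG: the address families ("ipv4", "ipv6" or
# "ipv4 ipv6") on which that process listens on port 80.
port80_families() {
    printf '%s\n' "$1" | awk -v proc="$2" '
        $1 ~ /^tcp6?$/ && $4 ~ /:80$/ && $NF == proc {
            # A dotted-quad local address is an IPv4 socket; anything else is IPv6.
            print ($4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/) ? "ipv4" : "ipv6"
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: shows the per-socket view (two lines) and the per-process view (one line).
echo "per socket:";  port80_listeners_raw "$SAMPLE_NETSTAT"
echo "per process:"; port80_listeners_unique "$SAMPLE_NETSTAT"
echo "families:";    port80_families "$SAMPLE_NETSTAT" 2716/uhttpd
```

Real busybox netstat prints `tcp` for both families with `:::80` for the IPv6 wildcard, while GNU net-tools prints `tcp6`; the `/^tcp6?$/` match covers both.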

Would I not be running uhttpd on 443?

It's a mystery which can only be solved if you post your /etc/config/uhttpd file.


Then I shall do so!

config uhttpd 'main'
        option redirect_https '1'
        option home '/www'
        option max_requests '3'
        option max_connections '100'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option rfc1918_filter '0'
        option key 'BLANKED'
        option cert 'BLANKED'
        list listen_https '192.168.1.1:443'
        list listen_https '[::]:443'

config cert 'defaults'
        option days '730'
        option bits '2048'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'lede'
        option country 'IS'

If that's your config, it's surprising that uhttpd is still running on port 80.

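The two suggestions in this thread (bind uhttpd's plain-HTTP listener to a LAN address instead of 0.0.0.0 / [::], and drop the IPv6 port-80 binding) and the final question (does the posted config have a port-80 listener at all?) come down to auditing the `listen_http` list in /etc/config/uhttpd. The script below is an added example written for this page, not OpenWrt's or the acme package's code; it parses constructed config fragments (one mirroring the stock defaults, one mirroring the HTTPS-only config posted above), classifies the HTTP listeners, and prints the `uci` commands that would leave a single IPv4 LAN binding. The commands are printed rather than executed so the script runs on any POSIX shell, and 192.168.1.1 is taken from the posted `listen_https` entry.

```shell
#!/bin/sh
# Constructed /etc/config/uhttpd fragments (not copied from a real device).
DEFAULT_CFG="config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option home '/www'

config cert 'defaults'
        option days '730'"

HTTPS_ONLY_CFG="config uhttpd 'main'
        option redirect_https '1'
        option home '/www'
        list listen_https '192.168.1.1:443'
        list listen_https '[::]:443'

config cert 'defaults'
        option days '730'"

# http_listeners CFG_TEXT: the listen_http values of the 'main' uhttpd section, one per line.
http_listeners() {
    printf '%s\n' "$1" | awk -v q="'" '
        $1 == "config" { in_main = ($2 == "uhttpd" && $3 ~ /main/) }
        in_main && $1 == "list" && $2 == "listen_http" { v = $3; gsub(q, "", v); print v }'
}

# wildcard_http_listeners CFG_TEXT: entries bound to every address (0.0.0.0 or [::]),
# i.e. not restricted to a LAN address.
wildcard_http_listeners() {
    http_listeners "$1" | grep -E '^(0\.0\.0\.0|\[::\]):[0-9]+$' || true
}

# ipv6_http_listeners CFG_TEXT: entries that create an IPv6 socket (bracketed address).
ipv6_http_listeners() {
    http_listeners "$1" | grep '^\[' || true
}

# audit_http CFG_TEXT: one-word verdict:
#   no-http                 no plain-HTTP listener at all (like the posted config)
#   http-wildcard-or-ipv6   at least one wildcard or IPv6 HTTP binding (stock defaults)
#   http-lan-ipv4-only      HTTP bound only to specific IPv4 addresses
audit_http() {
    n_all=$(http_listeners "$1" | wc -l | tr -d ' ')
    n_wild=$(wildcard_http_listeners "$1" | wc -l | tr -d ' ')
    n_v6=$(ipv6_http_listeners "$1" | wc -l | tr -d ' ')
    if [ "$n_all" -eq 0 ]; then
        echo "no-http"
    elif [ "$n_wild" -gt 0 ] || [ "$n_v6" -gt 0 ]; then
        echo "http-wildcard-or-ipv6"
    else
        echo "http-lan-ipv4-only"
    fi
}

# lan_only_fix LAN_IP: the uci commands that replace the whole listen_http list
# with one IPv4 LAN binding on port 80 (printed, not run).
lan_only_fix() {
    printf '%s\n' \
        "uci delete uhttpd.main.listen_http" \
        "uci add_list uhttpd.main.listen_http='$1:80'" \
        "uci commit uhttpd" \
        "/etc/init.d/uhttpd restart"
}

# Stand-alone run over both constructed configs.
echo "defaults:   $(audit_http "$DEFAULT_CFG")"
echo "https-only: $(audit_http "$HTTPS_ONLY_CFG")"
echo "fix for the defaults:"; lan_only_fix 192.168.1.1
```

With the stock defaults the verdict is `http-wildcard-or-ipv6` and the printed commands leave `192.168.1.1:80` as the only plain-HTTP binding; with the posted config the verdict is `no-http`, which is why the last reply finds a port-80 listener surprising.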