Acme.sh opkg vs github Lets-encrypt

What is the best method for using acme on a new LEDE 18.06 router (WNDR3700v1).
I installed acme.sh from opkg but I'm not able to get it to issue certificates for my domain. logread complains about:

Sun Dec 22 16:51:44 2019 daemon.err run-acme[3482]: acme: port80 listens: 2716/uhttpd 2716/uhttpd
Sun Dec 22 16:51:44 2019 daemon.debug acme: Found uhttpd listening on port 80; trying to disable.
Sun Dec 22 16:51:44 2019 daemon.err run-acme[3482]: acme: Found uhttpd listening on port 80; trying to disable.
Sun Dec 22 16:51:45 2019 daemon.debug acme: Found uhttpd listening on port 80; trying to disable.
Sun Dec 22 16:51:45 2019 daemon.err run-acme[3482]: acme: Found uhttpd listening on port 80; trying to disable.
Sun Dec 22 16:51:45 2019 daemon.err run-acme[3482]: uci: Entry not found
Sun Dec 22 16:51:45 2019 daemon.err acme: LEDE.damnfbi.tk: Unable to find uhttpd listen config.
Sun Dec 22 16:51:45 2019 daemon.err run-acme[3482]: acme: LEDE.EXAMPLE.COM: Unable to find uhttpd listen config.
Sun Dec 22 16:51:45 2019 daemon.err acme: Manually disable uhttpd or set webroot to continue.
Sun Dec 22 16:51:45 2019 daemon.err run-acme[3482]: acme: Manually disable uhttpd or set webroot to continue.

While I seem to have acme.sh installed under /usr/lib/acme/acme.sh I can't run it without errors and it doesn't show up when I try to run 'acme.sh' from the cli . Is there a good tutorial somewhere on configuration when using the opkg acme package?

You could change uhttpd to listen on another port than 80, or listen only to specific IP addresses (such as lan addresses) instead of 0.0.0.0 or [::].

https://openwrt.org/docs/guide-user/services/webserver/uhttpd?s[]=uhttpd

I use the acme package from repo (but I use it manually without OpenWrt config) and DNS-based authentication.

Maybe you could tell me what I'm doing wrong?

What steps did you follow using the package from the opkg repo?

Yes, you're trying to invoke acme.sh with parameters which make it try to start its own web-server on port 80, while uhttpd is already running on port 80.

Like I said I use it manually without the init script supplied by the OpenWrt package. Here's my script to install/update certs. Like I also said, I use the dns-based authentication and not the http request to port 80 (as I don't want to explose luci to the internet).

#!/bin/sh
HOST="$(uci -q get system.@system[0].hostname | tr "A-Z" "a-z")"
[ -n "$HOST" ] || exit 0
/bin/ping -W 2 -w 2 -c 1 google.com >/dev/null 2>&1 || /bin/sleep 60
if [ -s "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.key" ] && \
   [ -s "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.cer" ] && \
   [ "$(uci -q get uhttpd.main.key)" == "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.key" ] && \
   [ "$(uci -q get uhttpd.main.cert)" == "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.cer" ]; then
  		/usr/lib/acme/acme.sh --cron --home "/etc/acme" --reloadcmd "/etc/init.d/uhttpd restart"
else
	rm -rf /etc/acme/${HOST}.domain.com >/dev/null 2>&1
  CF_Key='*****' CF_Email='*****' /usr/lib/acme/acme.sh --home "/etc/acme" --issue --dns dns_cf -d ${HOST}.domain.com
	if [ -s "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.key" ] && \
     [ -s "/etc/acme/${HOST}.domain.com/${HOST}.domain.com.cer" ]; then
		uci set uhttpd.main.key="/etc/acme/${HOST}.domain.com/${HOST}.domain.com.key"
		uci set uhttpd.main.cert="/etc/acme/${HOST}.domain.com/${HOST}.domain.com.cer"
		uci commit uhttpd
		/etc/init.d/uhttpd restart
	fi
fi
sed -i '\|/etc/init.d/acme start|d' /etc/crontabs/root
1 Like

This looks like the same bug I ran into. Notice that the first line in your log has 2716/uhttpd listed twice, and then runs trying to disable twice.

The workaround is to have uhttpd listen only on ipv4's port 80, and not ipv6 port 80.

See https://github.com/openwrt/packages/issues/13325

Would I not be running uhttpd on 443 ?

It's a mystery which can only be solved if you post your /etc/config/uhttpd file.

1 Like

Than I shall do so!

config uhttpd 'main'
        option redirect_https '1'
        option home '/www'
        option max_requests '3'
        option max_connections '100'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option rfc1918_filter '0'
        option key 'BLANKED'
        option cert 'BLANKED'
        list listen_https '192.168.1.1:443'
        list listen_https '[::]:443'

config cert 'defaults'
        option days '730'
        option bits '2048'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'lede'
        option country 'IS'

If that's your config, it's surprising that uhttpd is still running on port 80.

1 Like