An alternate way to auto-create SSL certificates for uhttpd

So as the title says

I am a lazy person and I didn't want to use LuCI to do it, so I followed this tutorial - https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings, and based on it I wrote a shell script that anyone can use, and it's really great so far.

Before you use this script, make sure you have myconfig.conf in /etc/ssl as you can see in the link above. Once you have made that file, the rest is done in your user home directory.

So first of all make a shell script file in your home directory:

touch ~/ssl.sh && chmod +x ~/ssl.sh

Then with VI (not improved :frowning:) write the following (vi ~/ssl.sh):

#!/bin/sh

# locate yourself in home directory
cd ~

# variables
valid_for_days=10
file="uhttpd"

# create; stop here if generation fails so the existing files are left untouched
openssl req -x509 -nodes -days "${valid_for_days}" -newkey ec:<(openssl ecparam -name prime256v1) -keyout "${file}.key" -out "${file}.crt" -config /etc/ssl/myconfig.conf || exit 1

# override (keep a .bak copy of the files being replaced)
for i in "crt" "key"
do
    ifile="${file}.${i}"
    ofile="/etc/${ifile}"
    cp -v "${ofile}" "${ofile}.bak"
    mv -v "${ifile}" /etc
done

# finalize
/etc/init.d/uhttpd restart

Once you save this file go to crontab:

crontab -e

and add the following:

# Every 10 days, regenerate ssl certificate for uhttpd
0 0 */10 * * ~/ssl.sh

You can restart cron if you like but I don't think it is required
and that's it!

I hope it will be useful in some way to anyone :slight_smile:

Tell me what you think about it, I'd love to hear from you!

Feel free to add this example to the user guide if you find it useful :slight_smile:

3 Likes
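Added example, not part of the original post: a variant that can run daily and regenerates the certificate only when the current one is missing or inside a renewal window, so the cron interval no longer has to match the certificate lifetime. The file paths follow the post; the `*_DAYS` variable names, the function names and the `--run` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Paths follow the post; the *_DAYS names and --run are hypothetical.
CRT="${CRT:-/etc/uhttpd.crt}"
KEY="${KEY:-/etc/uhttpd.key}"
CONF="${CONF:-/etc/ssl/myconfig.conf}"
VALID_FOR_DAYS="${VALID_FOR_DAYS:-30}"
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-7}"

# True (0) when the certificate is missing/empty or expires within $2 days.
needs_renewal() {
    [ -s "$1" ] || return 0
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Build the new pair in a private temp dir; install it only if generation succeeded.
renew() {
    umask 077                       # keep the private key unreadable to others
    tmp="$(mktemp -d)" || return 1
    if openssl ecparam -name prime256v1 -out "$tmp/ec.pem" &&
       openssl req -x509 -nodes -days "$VALID_FOR_DAYS" -newkey "ec:$tmp/ec.pem" \
           -keyout "$tmp/new.key" -out "$tmp/new.crt" -config "$CONF"
    then
        [ -f "$CRT" ] && cp "$CRT" "$CRT.bak"
        [ -f "$KEY" ] && cp "$KEY" "$KEY.bak"
        mv "$tmp/new.key" "$KEY" && mv "$tmp/new.crt" "$CRT"
        rc=$?
    else
        rc=1                        # generation failed: old files stay in place
    fi
    rm -rf "$tmp"
    return "$rc"
}

main() {
    needs_renewal "$CRT" "$RENEW_BEFORE_DAYS" || return 0   # still fresh: do nothing
    renew && /etc/init.d/uhttpd restart
}

# Act only when called as "ssl.sh --run" (for example from a daily cron entry).
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Scheduled daily, for example `0 3 * * * /root/ssl.sh --run` (path assumed), it does nothing until the certificate enters the renewal window, and uhttpd is restarted only after a new pair has actually been installed.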

I'm confused. Why would you want to install OpenSSL to generate a certificate every 10 days instead of using the default made by OpenWrt?

Hi, thanks for your reply

instead of using the default made by OpenWrt?

I didn't know that such a feature exists. All I wanted was to enable https, and then I came across this tutorial. In this tutorial they use the exact same command, so I adapted it to my router instead of using LuCI.

every 10 days

No specific reason, you could make it 30 days.
I chose 10 days because it's easier for me to trace it on the log, but feel free to make it 30/60/whatever days you desire.

You must be using firmware that is not from the official OpenWrt project. This occurs by default on official OpenWrt firmware.

No, I am using an official firmware. I just never knew that it exists.
I searched for SSL on the wiki but I didn't find any article, so I googled it and then I got to the link I mentioned. That helped me,
but if you have another resource then I'd like to read it and remove my post.

I'll look for some documentation...but OpenWrt creates a certificate on first boot after a reset or fresh flash. I'm honestly not sure what documentation you're searching for.

(And I'm also curious how you visited https://192.168.1.1 or https://openwrt.lan before you wrote this script.)

First of all, I was using http://192.168... and not https://
Then I went to system -> administration -> http(s) access -> (check) redirect to https,
but for some reason it didn't work as expected, then I got to that tutorial (I wasn't able to get to the LuCI panel),
and then I thought about automating the SSL creation instead of manually doing it, so I wrote that shell script.

1 Like

Curious, do you have the package luci-ssl installed?


?

1 Like

@shagiss @lleachii
FYI #1: If you install luci-ssl, it in turn installs px5g-mbedtls and this is an extension to uhttpd that checks if valid self signed certificates exist and if they don't, creates them.

FYI #2: If you don't want luci but do want uhttpd with tls support (aka https) then install just px5g-mbedtls and it will do the cert business automatically as required. (Yes, for others reading this that are not aware, uhttpd is a really useful, general purpose, small footprint web server supporting both cgi and php scripting. It is also usually installed by default.)

1 Like

It is actually a quite nice idea, albeit not necessary in this case, but it is very useful in that it shows what can be done.
So don't delete the thread!
Maybe change the title to "An alternate way to auto-create SSL certificates for uhttpd"

3 Likes

Hi, thank you for your responses!
I tried to change the title, but it is not possible for technical reasons so it's up to the moderators; I can't do it. However, I agree to any title and changes, as long as you (the community) find it useful and think it can improve my suggestion.