Router: Asus ac68u
Lede version: 17.01 final
Things that I set up successfully:
Things that didn't work:
luci-app-acme. I don't think this app has been updated in a while, and as such it doesn't work. The instructions in the above link work though for the most part. So at the end, I was still able to generate the certs.
Enabling https. I think there is a false dependency on libustream-ssl, but even after installing that, I can't get https to work. uhttpd starts and continues to run on port 80, but doesn't respond on 443. I confirmed by checking the running uhttpd command that it is at least trying to do the right thing, i.e., it has the correct paths for certs and keys for the -C and -K flags, and the listen ports also seem correct. I don't have the command with me right now, but I can get it later in the day. I tried googling for some debug flags, but there don't seem to be any? uhttpd doesn't print anything in foreground mode either, and the system log doesn't have anything.
Did you install luci-ssl? Or do you merely want your web server to support HTTPS to serve other stuff, and are you not interested in LuCI over SSL?
luci-app-acme is working, but I guess you've approached it from the wrong angle by (potentially) following the fully manual upstream documentation.
What I would suggest is cleaning up (firstboot), first installing just luci-ssl (which will create a self signed cert) and then luci-app-acme, followed by configuring it (through luci-app-acme, not really doing anything besides that).
@Borromini, yes I want to enable https for luci. I have installed luci-ssl.
@slh, I tried luci-app-acme on its own earlier, and that didn't work. Maybe installing luci-ssl first helps. I'll have to test it in the order that you suggested. So I guess, right now uhttpd is working as intended, but luci is not configured properly to respond to requests.
It turns out that the issue was caused by the https listen addr:port. By default (or for some reason), it is set to [::]:443. I thought this was a catch-all, but it doesn't work. Changing it to 0.0.0.0:443 fixed the issue. What does the first expression evaluate to? (Edit: I'm guessing IPv6 catch-all?)
Btw, I couldn't get luci-app-acme to work still. So there is most probably something wrong with it. My manual certs are still working. So it's not a blocking issue. Does luci-app-acme take care of renewals and the temporary firewall wan exception for cert generation? Since I couldn't get that to work, I'll have to write a cron job to automate that.
Another question: Is there any downside to deselecting the setting for "Prevent access from private (RFC1918) IPs on an interface if it has an public IP address"? If I leave it checked, I can't access the router by typing the DDNS name in the browser (from LAN).
You should have both "list listen_https '0.0.0.0:443'" (listen on any IPv4 address) and "list listen_https '[::]:443'" (listen on any IPv6 address, this setting is safe even if your ISP doesn't give you an IPv6 address, as it also covers ULA prefix and link local IPv6 addresses).
/etc/config/uhttpd (replace <MARKER> with your values):
config uhttpd 'main'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option redirect_https '1'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cgi_prefix '/cgi-bin'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'
	option key '/etc/acme/<DNS_NAME>/<DNS_NAME>.key'
	option cert '/etc/acme/<DNS_NAME>/fullchain.cer'
	option listen_http '0.0.0.0:80 [::]:80'

config cert 'defaults'
	option days '730'
	option bits '4096'
	option country '<COUNTRY_CODE>'
	option state '<STATE>'
	option location '<TOWN>'
	option commonname '<DNS_NAME>'
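An added check, not from this thread or the LEDE project, that parses a uhttpd UCI section and flags the listener mistake diagnosed above (HTTPS bound only to [::]:443 with no 0.0.0.0:443) plus missing key/cert options. The two sample configs are constructed, with example.invalid standing in for <DNS_NAME>; on a router you would feed it the contents of /etc/config/uhttpd instead.

```python
import re

# Constructed sample of the state reported above: HTTPS bound only to the
# IPv6 wildcard.  example.invalid stands in for <DNS_NAME>.
BROKEN_UHTTPD = """config uhttpd 'main'
    option listen_http '0.0.0.0:80 [::]:80'
    list listen_https '[::]:443'
    option redirect_https '1'
    option key '/etc/acme/example.invalid/example.invalid.key'
    option cert '/etc/acme/example.invalid/fullchain.cer'
"""
# Same section with the fix from the reply: IPv4 and IPv6 wildcards on 443.
FIXED_UHTTPD = BROKEN_UHTTPD.replace(
    "    list listen_https '[::]:443'\n",
    "    list listen_https '0.0.0.0:443'\n    list listen_https '[::]:443'\n")

UCI_LINE = re.compile(r"^[ \t]*(config|option|list)[ \t]+(\S+)(?:[ \t]+'([^'\n]*)')?[ \t]*$",
                      re.MULTILINE)

def parse_uci(text):
    """Parse UCI text into {section_name: {key: [values]}}; list lines accumulate."""
    sections, current = {}, None
    for m in UCI_LINE.finditer(text):
        kind, key, value = m.groups()
        if kind == "config":          # "config uhttpd 'main'" -> section 'main'
            current = sections.setdefault(value or key, {})
        elif current is not None:
            current.setdefault(key, []).append(value or "")
    return sections

def check_uhttpd(text, section="main"):
    """Return findings for one uhttpd section; an empty list means it looks right."""
    cfg = parse_uci(text).get(section, {})
    # uhttpd accepts repeated list lines or one space-separated option value.
    https = [a for v in cfg.get("listen_https", []) for a in v.split()]
    findings = []
    if not https:
        findings.append("no listen_https: HTTPS is not enabled")
    else:
        if not any(a.startswith("0.0.0.0:") for a in https):
            findings.append("listen_https has no IPv4 wildcard (0.0.0.0:443)")
        if not any(a.startswith("[::]:") for a in https):
            findings.append("listen_https has no IPv6 wildcard ([::]:443)")
    for opt in ("key", "cert"):
        if not cfg.get(opt):
            findings.append(f"option {opt} missing: uhttpd cannot serve TLS")
    if cfg.get("redirect_https", ["0"])[0] != "1":
        findings.append("redirect_https is off: logins can go over plain HTTP")
    return findings
```

The check only reads the configuration; confirming that uhttpd actually bound both sockets still needs a look at the listening ports on the router.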