Can't enable https

Router: Asus ac68u
Lede version: 17.01 final

Things that I set up successfully:

Things that didn't work:

  • luci-app-acme. I don't think this app has been updated in a while, and as such it doesn't work. The instructions in the above link work though for the most part. So at the end, I was still able to generate the certs.

  • Enabling https. I think there is a false dependency on libustream-ssl, but even after installing that, I can't get https to work. uhttpd starts and continues to run on port 80, but doesn't respond on 443. I confirmed by checking the running uhttpd command that it is at least trying to do the right thing, i.e., it has the correct path for certs and keys for the -C and -K flags, and the listen ports also seem correct. I don't have the command with me right now, but I can get it later in the day. I tried googling for some debug flags, but there don't seem to be any? uhttpd doesn't print anything in the foreground mode either, and the system log doesn't have anything.

Did you install luci-ssl? Or do you merely want your web server to support HTTPS to server other stuff, and are you not interested in LuCI over SSL?

luci-app-acme is working, but I guess you've approached it from the wrong angle by (potentially) following the fully manual upstream documentation.

What I would suggest is cleaning up (firstboot), first installing just luci-ssl (which will create a self signed cert) and then luci-app-acme, followed by configuring it (through luci-app-acme, not really doing anything besides that).

@Borromini, yes I want to enable https for luci. I have installed luci-ssl.
@slh, I tried luci-app-acme on its own earlier, and that didn't work. Maybe installing luci-ssl first helps. I'll have to test it in the order that you suggested. So I guess right now uhttpd is working as intended, but luci is not configured properly to respond to requests.

It turns out that the issue was caused by the https listen addr:port. By default (or for some reason), it is set to [::]:443. I thought this was a catch-all, but it doesn't work. Changing it to 0.0.0.0:443 fixed the issue. What does the first expression evaluate to? (Edit: I'm guessing ipv6 catch-all?)

Btw, I couldn't get luci-app-acme to work still. So there is most probably something wrong with it. My manual certs are still working, so it's not a blocking issue. Does luci-app-acme take care of renewals and the temporary firewall wan exception for cert generation? Since I couldn't get that to work, I'll have to write a cron job to automate that.

Another question: Is there any downside to deselecting the setting for "Prevent access from private (RFC1918) IPs on an interface if it has an public IP address"? If I leave it checked, I can't access the router by typing the DDNS name in the browser (from LAN).

You should have both "list listen_https '0.0.0.0:443'" (listen on any IPv4 address) and "list listen_https '[::]:443'" (listen on any IPv6 address, this setting is safe even if your ISP doesn't give you an IPv6 address, as it also covers ULA prefix and link local IPv6 addresses).

/etc/config/uhttpd (replace < MARKER > with your values):

config uhttpd 'main'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option redirect_https '1'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cgi_prefix '/cgi-bin'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'
	option key '/etc/acme/<DNS_NAME>/<DNS_NAME>.key'
	option cert '/etc/acme/<DNS_NAME>/fullchain.cer'
	option listen_http '0.0.0.0:80 [::]:80'

config cert 'defaults'
	option days '730'
	option bits '4096'
	option country '<COUNTRY_CODE>'
	option state '<STATE>'
	option location '<TOWN>'
	option commonname '<DNS_NAME>'
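As an added example (not from this thread, and not the LEDE/OpenWrt project's own tooling), here is a portable sh check that parses a uhttpd config file and reports whether listen_https covers both the IPv4 and the IPv6 wildcard, which is exactly the misconfiguration found above. The two config files it creates are constructed samples with placeholder paths under example.invalid; on a router you would point the functions at /etc/config/uhttpd instead.

```shell
# Constructed sample configs, not anyone's real files. BROKEN mirrors the
# state reported in the thread (HTTPS bound to '[::]:443' only); FIXED adds
# the IPv4 wildcard as recommended in the reply above.
TMP="${TMPDIR:-/tmp}"
BROKEN_CFG="$TMP/uhttpd.broken.$$"
FIXED_CFG="$TMP/uhttpd.fixed.$$"
trap 'rm -f "$BROKEN_CFG" "$FIXED_CFG"' EXIT
cat > "$BROKEN_CFG" <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80 [::]:80'
	list listen_https '[::]:443'
	option key '/etc/acme/router.example.invalid/router.example.invalid.key'
	option cert '/etc/acme/router.example.invalid/fullchain.cer'
EOF
cat > "$FIXED_CFG" <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80 [::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option key '/etc/acme/router.example.invalid/router.example.invalid.key'
	option cert '/etc/acme/router.example.invalid/fullchain.cer'
EOF

# Print every address:port found on a `list listen_https` line of config $1,
# one per line (a single list value may hold several, space separated).
listen_https_values() {
    sed -n "s/^[[:space:]]*list[[:space:]]\{1,\}listen_https[[:space:]]\{1,\}'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" "$1" |
        tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 only when HTTPS is bound to both the IPv4 wildcard (0.0.0.0:port)
# and the IPv6 wildcard ([::]:port). With '[::]:443' alone, the thread above
# found that the router gave no answer on 443 to a LAN browser.
check_https_listeners() {
    v4=0; v6=0
    for addr in $(listen_https_values "$1"); do
        case "$addr" in
            0.0.0.0:*) v4=1 ;;
            "[::]:"*)  v6=1 ;;
        esac
    done
    [ "$v4" -eq 1 ] && [ "$v6" -eq 1 ]
}

for cfg in "$BROKEN_CFG" "$FIXED_CFG"; do
    check_https_listeners "$cfg" && echo "$cfg: OK" || echo "$cfg: missing IPv4 or IPv6 wildcard on listen_https"
done
```

After editing /etc/config/uhttpd on the router, `/etc/init.d/uhttpd restart` and `netstat -ltn` should then show 443 bound on both 0.0.0.0 and :: (the sample files here are removed automatically on exit).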