Centralized SSL for openwrt devices

Hello everyone,

I am searching for an instruction on how to set up a centralized certificate manager and update all my devices (around 10 for now). Is there a way to use some software or docker container to renew the certificates and send them to the openwrt devices based on an IP/FQDN list + credentials (LDAP user would be a dream come true)?

I read about acme.sh and how to deploy on a device, but when it comes to multiple devices, most of the posts I found on the web explain that it's not so clean and easy to use with multiple devices… maybe there is a better solution.

I'd appreciate it if you could share with me how you did it.

Here is a short history of my OpenWRT experiences and usage:

I have been using openwrt since version 17 (I don't remember exactly the year… but I could check my old svn repository :rofl::rofl:) and have expanded my network a lot since then: built VPNs between multiple locations, VLANs, APs... All nice stuff. I really like the platform. Works like a charm for me.

acme will happily generate a *.FQDN cert; technically you don't need 10 certs, only one, then redistribute it every 2 or 3 months.

Hi, generating the certificates is not an issue. I can generate the certificates very easily for all subdomains.

Example:

*.location1.mydomain.com

*.location2.mydomain.com

My problem is deploying the certificates on each router from one server that has renewed all the wildcard certificates.

Just "cat" files over ssh and reload uhttpd.

Like brada4 implies, use some network copy command.

For scripting purposes, I would likely use scp, and if you use SSH keys, you don't even need a password with scp.
Additionally, you might in each router define a procd trigger for uhttpd, so that if the key file changes, the config is reloaded / uhttpd restarted. (Edit: there apparently is a hotplug defined already.)

Then you could just have a centralised update script that renews the certificate and then copies it to the other routers, which automatically apply it.

There is no procd trigger outside /etc/config, you have to reload yourself.

Well, the uhttpd init script seems to define a trigger for acme renew.

procd_add_reload_trigger "uhttpd"
procd_add_raw_trigger acme.renew 5000 /etc/init.d/uhttpd reload

Edit: But that naturally helps only in the machine running the acme renew process, not in the distribution targets.
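The distribution step the posts above describe (scp the renewed wildcard cert to each router, then reload uhttpd yourself, since the acme trigger only fires on the renewing host), as an added example script that is not from the thread or from OpenWrt. It assumes key-based SSH as root, acme.sh's default output directory, uhttpd's default /etc/uhttpd.crt and /etc/uhttpd.key, and a hypothetical list file /etc/cert-deploy/routers.txt.

```sh
#!/bin/sh
# Added example: push one renewed wildcard certificate to every router in a list and
# reload uhttpd there only when the files actually changed. Paths and the list file
# are assumptions, not something from the thread.
set -eu

CERT_DIR="${CERT_DIR:-/root/.acme.sh/mydomain.com}"     # assumed acme.sh cert directory
ROUTER_LIST="${ROUTER_LIST:-/etc/cert-deploy/routers.txt}"
SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes}"               # BatchMode: fail instead of prompting
SCP_CMD="${SCP_CMD:-scp -q}"

# Normalise the list: "host [cert] [key]" per line, '#' comments and blank lines dropped,
# a missing cert/key falls back to the shared wildcard pair in CERT_DIR.
parse_router_list() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
  while read -r host cert key rest; do
    printf '%s %s %s\n' "$host" "${cert:-$CERT_DIR/fullchain.cer}" \
      "${key:-$CERT_DIR/mydomain.com.key}"
  done
}

# Runs on the router: install the staged files and reload uhttpd only if they differ,
# so an unchanged certificate does not bounce the web server on every router.
REMOTE_INSTALL='
if cmp -s /tmp/uhttpd.crt /etc/uhttpd.crt && cmp -s /tmp/uhttpd.key /etc/uhttpd.key; then
  rm -f /tmp/uhttpd.crt /tmp/uhttpd.key; echo unchanged
else
  mv /tmp/uhttpd.crt /etc/uhttpd.crt && mv /tmp/uhttpd.key /etc/uhttpd.key &&
  chmod 600 /etc/uhttpd.key && /etc/init.d/uhttpd reload && echo reloaded
fi'

# Stage cert and key on one router, then run the install step; stdin is closed so ssh
# cannot swallow the rest of the router list when called from the read loop below.
deploy_one() {
  $SCP_CMD "$2" "root@$1:/tmp/uhttpd.crt" &&
  $SCP_CMD "$3" "root@$1:/tmp/uhttpd.key" &&
  $SSH_CMD "root@$1" "$REMOTE_INSTALL" < /dev/null
}

# Deploy to every router, keep going on errors, return 1 if any router failed.
deploy_all() {
  rc=0; tmp=$(mktemp)
  parse_router_list "$1" > "$tmp"
  while read -r host cert key; do
    if out=$(deploy_one "$host" "$cert" "$key" 2>&1); then echo "$host: $out"
    else echo "$host: FAILED ($out)"; rc=1; fi
  done < "$tmp"
  rm -f "$tmp"; return $rc
}

if [ "${1:-}" = run ]; then deploy_all "$ROUTER_LIST"; fi
```

Run it as `sh deploy-certs.sh run` from the acme.sh host's renew hook (or cron) after a successful renewal; a router that is down is reported as FAILED and the script continues with the rest.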

Thank you very much guys!

I will create a sh file and scp the certs to each device 1 by 1 and trigger uhttpd reload. It will work for sure.

My initial thought was that there could be a centralized method, after I read some ACME client stuff on some forums.
