Certificate problem with Dynamic DNS and LetsEncrypt

First thread on the forum and I'm looking for help.

I have a Netgear R6200 with OpenWRT 22.03 (haven't updated to 23.05 yet) and I'm having issues with my DDNS server and certificates.

I've been using DuckDNS for the service and the LuCI (or the WebUI) version of acme to generate certificates; the output in /etc/acme/server.duckdns.org/ is:

ca.cer
fullchain.cer
server.duckdns.org.cer
server.duckdns.org.conf
server.duckdns.org.csr
server.duckdns.org.csr.conf
server.duckdns.org.key

I've tried using each of the .cer files in the Dynamic DNS config for my server, and even tried concatenating the .cer files into a .pem, with the same result.
DDNS Server config:

option use_https       "1"
option cacert          "/etc/acme/server.duckdns.org/fullchain.cer"

None of them gave results. I rebooted the router after every config update and used incognito and even a different browser, but I always get the error message that there is no certificate.
I've tried putting the certificate in uhttpd and got the same results.

I'm really out of ideas and would appreciate any help.

I'd really appreciate any help

Quoting OpenWrt wiki with a little explanation added:

If you would like to make sure your SSL connection with DDNS provider is verified, then install the CA certificates and set the path to /etc/ssl/certs (Path to CA-Certificate in the LuCI or option 'cacert' '/etc/ssl/certs' when configuring by command line.)

So that setting has nothing to do with acme or your own server.

I appreciate the answer, I was beating my head around trying to figure it out.
Is there a way for me to enable HTTPS for a DDNS running from my router?

Just follow instructions from the wiki.

I did, yet I still get the HTTP warning when I'm opening the website.

You don't need to open any web site for the DDNS client to work. All you need to do is configure a "Path to CA-Certificate".

I did do all that. I have ca-certificates installed and the path set to /etc/ssl/certs (I even tried /etc/ssl/certs/ca-certificates.crt), and yet when I open my DDNS website, server.duckdns.org, I get an HTTP/Site not secure warning. That is what I want to fix, so that I don't get that warning.

The DDNS client configuration has nothing to do with your ddns website except that you need a FQDN match between the two.
If you see the proper response from DNS with the public IP of your router - you don't need to touch DDNS client configuration on the router anymore.

Now, if you have a certificate for your web server, you need to configure it on that server. That has nothing to do with OpenWrt.
However, if you want to secure access to LuCI (it is not recommended to make LuCI publicly accessible), you need to configure certificates in /etc/config/uhttpd.
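The distinction drawn in this thread, shown as an added configuration sketch (not taken from any poster's router or from the OpenWrt wiki): the DDNS client's cacert is the trust store used to verify the DDNS provider, while the acme-issued certificate and key belong to the web server. The section names 'duckdns' and 'main' are assumptions; the paths are the ones quoted in the thread.

```conf
# Added example, not a poster's actual configuration.

# /etc/config/ddns  (DDNS client: the router talks to the provider)
# cacert is the CA store used to VERIFY the provider's HTTPS certificate.
# It is never presented to browsers and does not take your own certificate.
config service 'duckdns'            # section name is an assumption
	option use_https '1'
	# Wrong: this is your own server's chain, not a CA trust store
	# option cacert '/etc/acme/server.duckdns.org/fullchain.cer'
	# Right: CA directory provided by the ca-certificates package
	option cacert '/etc/ssl/certs'

# /etc/config/uhttpd  (web server on the router: serves LuCI)
# This is where a certificate that browsers will see is configured.
# The certificate only validates when the site is opened by the name
# it was issued for (server.duckdns.org), not by IP address.
config uhttpd 'main'                # section name is an assumption
	option cert '/etc/acme/server.duckdns.org/fullchain.cer'
	option key '/etc/acme/server.duckdns.org/server.duckdns.org.key'
```

After editing, restart the affected service (/etc/init.d/ddns restart or /etc/init.d/uhttpd restart) instead of rebooting. If the website is served by a different machine behind the router, the certificate and key go into that server's configuration and the uhttpd section does not apply.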
