[solved] Err_cert_authority_invalid

Ohk .. no problem

What have you deployed? Full chain or just your end certificate?

@mac_low, in Chrome and all browsers, you will simply bypass this warning:

  1. Click ADVANCED

  2. Then click PROCEED


@lleachii why are you suggesting to bypass the error, dude?

@mac_low have you deployed a self-signed certificate or is it from a trusted CA?
If it's self-signed then follow the steps given by @lleachii.
If it's from a trusted CA, please attach that certificate too. Will rectify and tell you the reason.

Please see: https://forum.openwrt.org/search?q=ssl%20luci%20error

It is not recommended that LuCI be opened on WAN. A SSH/VPN should be used. Using a certificate doesn't change this recommendation. Therefore, I surmise that a cert wasn't purchased for this.

Please read the OP's post:

During the process, this package creates a self-signed certificate.

Yes, but if I want to install the trusted CA certificate, the process is also the same:
The SSL package will be installed
A self-signed certificate and private key will be created
The generated pair above will be replaced by the trusted CA one

A certificate can be obtained even while keeping the router down; there are various ways to obtain a certificate.
No one recommends using a self-signed certificate, even for LAN access to LuCI.

At least not after Let's Encrypt.

Correct, but would you further suggest to someone - that they open their router web GUI to WAN with that Public cert?

I merely suggest - NOT.

Provide a link to the community for Let's Encrypt instructions for OpenWrt, please?

Thanks.

Neither did I. Please re-read:

But it has been given as the solution to this problem, which is why I sent you a link to the forum's search results. You should have found this thread (and a link to its original):


Let's just wait to see if the solution works for the OP; before you confuse the topic further regarding public certs. Please refrain from hijacking threads from the Original Poster, thanks.

1 Like

I am not hijacking things, I am trying to fix things like you do.

No, I can never do that. I recommend that not just LuCI but no control panel be publicly exposed.

But I also won't recommend keeping a self-signed generated certificate in use; it is also endangering your privacy even if you gave LAN access to LuCI.

This I strongly oppose. Please, all members, don't play around with your security like this. Never bypass any SSL errors, it's a bad practice, trust me.

@lleachii yes, it's a good suggestion, I will post about the Let's Encrypt process.

1 Like

Then I would advise the user not to install SSL on LuCI (which is contrary to what the OP wants)! They should use VPN or SSH, as noted. Please stop trying to confuse OpenWrt users! Some are new and are easily confused by these antics.

Also, since you suggest a Public cert, please tell me what domain name you would register for a router?

OpenWrt.lan?

1 Like

Why are you not letting me help him out, dude??

You do not even understand what I am saying?

I didn't see this.. lol

Can you explain? Neither of these are safe, dude. I think you are not taking me seriously. Let me update my profile too, so that at least you won't argue with me on security, dude.


Now please let me complete the point, in security at least??

LOL...Yes I understand:

  • OP installs LuCI SSL package
  • OP gets cert err
  • @arjuniet asks about Public cert chain
  • @lleachii offers solution

SSH (using keys), VPN remotely or a local management interface. The router's web service could be brute forced otherwise.

Rarely read them, I measure worth of people here by the number of solutions a person collects.

Really a solution??? Say by your heart?

To the OP's issue, yes.

Or...Feel free to instruct him on setup of a VPN or SSH keys or a management VLAN (which assumes the OP is opening it on WAN, he didn't tell us that)!

Otherwise, stop hijacking topics!

Good if you still think so.

Dude, try to understand, I am still trying to explain: don't be in a habit of bypassing SSL errors in browsers, or one day you will be remembering me.

:+1:
I agree, I just think we could have waited for the OP to tell us if this is on WAN first.

BTW, before you proceeded on the security concerns you had, I was also going to tell the OP to note the serial number produced by the router cert before accepting it in a browser.

Also, most people address their router at 192.168.1.1, a cert won't work for that without accepting it, or using an invalid one.

1 Like

yes all acceptable points and important too

1 Like

Good evening all,
I was not able to answer sooner (and I was not expecting such hard discussions on it).

So I am close to security as I am connecting on LAN under wps2 wifi Keychain. Maybe I'm an advanced n00b ^^
(ssh is active by default, but I did not yet fully understand the concept _ like a shared key that needs to be installed on the router and on the PC)

I also figured out the trick to access under https, but... it's a trick.

The certificate is not seen as "official" and browsers do not like it, pushing warnings and so on...
I'm just wondering if it is possible to have an "official certificate" or options to install this certificate in Chrome (my favorite browser).

You could configure an SSH server on the router or a downstream PC to use keys, instead of username/password. I planned to suggest this if you were connecting to the router on the Internet via WAN.

Correct.

From: https://openwrt.org/docs/guide-user/luci/luci.secure

Of course, you can just buy a properly signed certificate for your own openwrt.lan domain and ip address to get rid of the annoying browser warning. You can also just import the self-signed root CA used for certificate creation to your browser certificate store.

If so, it would likely be here: chrome://settings/certificates?search=cert

You will need to export the certificate:

  1. Click on the Not Secure button:

  2. Select "Certificate", you will then see the window below.

  3. Export the file (OPEN AND NOTE THE SERIAL NUMBER)

  4. Import at: chrome://settings/certificates?search=cert

Be advised, @arjuniet warns:

But since you: know the certificate, what device generated it, its serial number, etc. - this warning should be in the scope of your understanding to be safely ignored in your OpenWrt use case only.

In addition to the link above, also see:
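
Added example, not part of the original thread and not OpenWrt's own tooling: a shell version of the "note the serial number" check from the export/import steps and from the earlier post about accepting the router cert. It compares the certificate a host presents with a copy obtained over a trusted path (for example SSH to the router); the function names, the placeholder path, and the throwaway demo certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the certificate a router presents with a copy you
# obtained over a trusted path, before importing it into the browser.
# All function names here are hypothetical helpers, not OpenWrt tooling.

# cert_id FILE: print "serial=<hex> sha256=<fingerprint>" for a PEM certificate.
cert_id() {
    serial=$(openssl x509 -in "$1" -noout -serial 2>/dev/null | cut -d= -f2)
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
    [ -n "$serial" ] && [ -n "$fp" ] || return 1
    printf 'serial=%s sha256=%s\n' "$serial" "$fp"
}

# fetch_presented HOST:PORT OUTFILE: save the certificate the server presents.
fetch_presented() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2" 2>/dev/null
}

# same_cert TRUSTED PRESENTED: succeed only if serial and fingerprint both match.
# Returns 2 when either file is not a readable certificate.
same_cert() {
    a=$(cert_id "$1") || return 2
    b=$(cert_id "$2") || return 2
    [ "$a" = "$b" ]
}

# demo: constructed sample input. Two throwaway self-signed certificates with
# the same subject stand in for the router's certificate and a different one.
demo() {
    d=$(mktemp -d) || return 1
    for n in router other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=OpenWrt.lan" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    same_cert "$d/router.pem" "$d/router.pem" && r1=match || r1=MISMATCH
    same_cert "$d/router.pem" "$d/other.pem" && r2=match || r2=MISMATCH
    rm -rf "$d"
    echo "$r1 $r2"
}

# Typical use (the trusted copy's path is a placeholder):
#   fetch_presented 192.168.1.1:443 /tmp/presented.pem
#   same_cert /path/to/trusted-copy.pem /tmp/presented.pem && echo "same certificate"
```

Two certificates with the same subject name still differ in serial and fingerprint, which is why the comparison uses those values rather than the name shown in the browser dialog.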