Help with basic cli command

Firstly apologies for this very basic question.
I am trying to get rid of the warnings when logging in with https and trying to follow this guide https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings and Option B.

Unfortunately my understanding of cli is minimal to non-existent and I don't want to experiment and break something unnecessarily...even after reading through many OpenWRT pages and other stuff.

I am stuck with this - Create /etc/ssl/myconfig.conf with the following content:
What is the command for Create - is it add?

With the .conf file can I just open in Notepad to alter or do I need a specific text editor - SSH'd in using cmd on Win 10 currently.

Use a text editor like vi /etc/ssl/myconfig.conf on the command line. Use i to “insert”, esc to exit out of insert mode, :wq to write, and cat /etc/ssl/myconfig.conf to display what you wrote.

Not recommended. You can also install and use nano for a less intimidating editor experience.

If the instructions say "create" or "append / add to the end of the file", you can do that without opening it with a text editor: write cat << EOF >> filename on the terminal, then type your text, and end with a line containing the text EOF and nothing else.

1 Like

Well they actually say "Create /etc/ssl/myconfig.conf" which from what else I have tried does not seem to be there and then add the detail into that........

Which I tried to do with vi as @RuralRoots mentions above but does not seem to want to save it - which is probably my ineptitude.......

I am now out for the evening so will have to pick this up tomorrow.

Hi!

Yeah this is going to require some familiarity with the command line. I'm not aware if there's plugins to luci to do it that way.

I'd recommend learning vi or nano and doing it that way. I would suggest, if you're really into openwrt, learning vi, as that's the text editor that is installed by default?

Another approach could be to install an sftp server, or use scp and upload the file?

Sometimes I've suggested to users just use winscp and its edit commands / a local editor....

Thanks. This helped a lot once I worked out what I was supposed to do and sort of worked...
I say sort of as I keep getting this -
Error on line 1 of config file "myconfig.conf"
78D05C9B7F000000:error:07000064:configuration file routines:def_load_bio:missing close square bracket:crypto/conf/conf_def.c:369:line 1

Yet I have used the cat command to check and reedited the file at least 4 times and still getting the same error.

I think I want to delete the whole /etc/ssl/myconfig.conf and start afresh - what is the easiest way - uci delete /etc...... or something else?

I also get this as an issue if anybody has any ideas - bearing in mind all I am doing is pasting in the command from item 6 in the docs to create the cert. files.
/etc/ssl# unable to write elliptic curve parameters
784052887F000000:error:04880007:PEM routines:PEM_write_bio:BUF lib:crypto/pem/pem_lib.c:664:

You use rm /etc/ssl/myconfig.conf to remove the file.

Let’s use the example from @eduperez from the wiki section you reference:
Enter cat << EOF >> /etc/ssl/myconfig.conf and hit Return. You should see a > on the next line.
Now go to the wiki and copy the entire code block referenced:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
string_mask = utf8only

[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = OpenWrt
OU = Home Router
CN = luci.openwrt

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = luci.openwrt
IP.1 = 192.168.1.1

Paste the entire block after the > in terminal and hit return.
Now enter EOF and Return on the next line and cat /etc/ssl/myconfig.conf.

Virtually any Linux command will have internal help text, e.g. vi --help

2 Likes

I disagree with the overall philosophy of that guide, as installing a trusted root certificate onto your endpoint machine is a security risk. Clicking the "accept and continue" button once on the browser is actually much safer as it installs an exception locally in the browser to only trust the one certificate for one IP address.

Again if you install a new CA, your whole machine will trust any certificate signed against it for any purpose. If someone obtains the private key for that CA, they can use it to sign fake certificates that could impersonate any website to your machine. So it would be a good idea to destroy the CA key file after signing the router certificate to be sure it is not used again.

If you still want to do it, the certificate and key used by the router can be created on another machine then imported to the router. I use xca for that which exists for both Linux and Windows desktops.

4 Likes

Layman's editing can be done with WinSCP from your Windows PC/Laptop

1 Like

Thanks that worked as well but unfortunately I am still getting the same error regarding the close square bracket......

[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
string_mask         = utf8only

[req_distinguished_name]
C                   = US
ST                  = VA
L                   = SomeCity
O                   = OpenWrt
OU                  = Home Router
CN                  = luci.openwrt

[v3_req]
keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = @alt_names

[alt_names]
DNS.1               = luci.openwrt
IP.1                = 192.168.1.1
root@GL-MT6000:~# cd /etc/ssl
root@GL-MT6000:/etc/ssl# openssl req -x509 -nodes -days 397 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -config myconfig.conf
req: Error on line 1 of config file "myconfig.conf"
78C0D3937F000000:error:07000064:configuration file routines:def_load_bio:missing close square bracket:crypto/conf/conf_def.c:369:line 1
root@GL-MT6000:/etc/ssl#

and I copied and pasted direct from the Wiki

Thanks for the alternative view. If nothing else the exercise has helped me immensely in starting to try and understand some basic cli stuff.

I really would like to resolve the pernicious bracket issue however :wink:

1 Like

Editing a text file on Windows will usually leave it with DOS line endings (CRLF) instead of Linux (LF only). This can cause problems later parsing the file.

2 Likes

Using WinSCP to edit a text file on the router will work as it saves unix style line endings.
But copying a windows made config from windows to the router will indeed get you into the line endings problem.

1 Like

Are you suggesting that this is what has happened with the bracket error?

So if done in Linux that issue does not arise?

If you copied a config from windows to the router that could be the case.

To see line endings, use Notepad++ on your Windows machine, a very good editor which can show and convert line endings.

1 Like

To reiterate the above, Windows doesn’t play well with Linux.

This is as close as I could find re. OpenSSL/Windows issues.
(https://stackoverflow.com/questions/70426222/how-to-solve-openssl-configuration-error-when-trying-to-install-react-native-cli)

Thanks. Yes all the line endings show as CRLF

With Notepad++ you can convert it to unix style under Edit > EOL

2 Likes
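
The line-ending check and conversion discussed above can also be done on the router itself. This is an added example, not part of the original thread; the function names count_crlf and strip_crlf are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find and strip DOS line endings
# in a config file using only grep, sed and cp from a stock shell.

CR=$(printf '\r')   # a literal carriage-return character

# Print how many lines of file $1 end in CR; 0 means Unix (LF) endings.
count_crlf() {
    grep -c "${CR}\$" "$1" || true   # grep exits 1 when nothing matches
}

# Convert file $1 to LF endings in place, keeping the original as $1.bak.
strip_crlf() {
    cp "$1" "$1.bak" || return 1
    sed "s/${CR}\$//" "$1.bak" > "$1"
}

# Constructed sample: the first lines of the wiki config, saved the way a
# Windows editor would write them (every line ends in CR LF).
demo=$(mktemp)
printf '[req]\r\ndistinguished_name = req_distinguished_name\r\nprompt = no\r\n' > "$demo"

before=$(count_crlf "$demo")
strip_crlf "$demo"
after=$(count_crlf "$demo")
echo "lines ending in CR: before=$before after=$after"
rm -f "$demo" "$demo.bak"
```

On the router the two functions would be called as count_crlf /etc/ssl/myconfig.conf and strip_crlf /etc/ssl/myconfig.conf.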

Thanks to everybody who replied. There was more than one solution required at the end of the day and unfortunately not sure I can click multiple posts.......

I do have one query if you could bear with me a little longer -

as in the online articles I have been able to find they don't seem to use the >> after EOF. Does this make a difference?
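
The difference between > and >> after the here-document delimiter, as an added example that is not part of the original thread: >> appends to whatever the file already holds, so a leftover from an earlier attempt stays on line 1, while > replaces the file. The function names and the shortened config body are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): ">>" versus ">" after "<< EOF".
# The config body is a constructed, shortened stand-in for the wiki block.

# Append: the body is added after whatever file $1 already contains.
write_append() {
    cat << 'EOF' >> "$1"
[req]
prompt = no
EOF
}

# Replace: file $1 is emptied first, so it ends up holding only the body.
write_replace() {
    cat << 'EOF' > "$1"
[req]
prompt = no
EOF
}

# Print the first line of file $1.
first_line() {
    head -n 1 "$1"
}

# Number of lines in file $1 that are exactly "[req]".
count_req() {
    grep -c -F -x '[req]' "$1" || true   # grep exits 1 when nothing matches
}

f=$(mktemp)
printf '[req\n' > "$f"   # constructed leftover from a failed first attempt
write_append "$f"
echo "after >> : line 1 is '$(first_line "$f")'"
write_append "$f"
echo "after a second >> : $(count_req "$f") copies of [req]"
write_replace "$f"
echo "after >  : line 1 is '$(first_line "$f")', $(count_req "$f") copy of [req]"
rm -f "$f"
```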