How often do I update SSL certificates

Hi there,

I was wondering if I need to update SSL certificates periodically and what is the best way to do that. Here is my problem....

I'm using Dynamic DNS service on my openwrt router. My DNS provider recommends I use SSL to connect whenever I update my IP so I installed libustream-openssl ca-certificates and I configured everything properly but when I started the service I got this message in the log file...

WARN : No valid certificate file '/etc/ssl/certs/' for HTTPS communication - TERMINATE

It sounded like I didn't have the right SSL certificate. I did some searching and found these instructions here: https://oldwiki.archive.openwrt.org/doc/howto/wget-ssl-certs
I installed openssl-util and ran the commands listed on the wiki. Specifically these commands....

cd /etc/ssl/certs
openssl s_client -connect freedns.afraid.org:443 < /dev/null > temporary.out
openssl x509 -outform PEM < temporary.out > freedns.afraid.org.cer
 
# create link using the hash value from openssl
# store certificate hash value in HASH append .0, if hash exists can store as .1 or .2 or .3  etc etc

HASH=`openssl x509 -hash -noout -in freedns.afraid.org.cer`.0
 
# create link
ln -s freedns.afraid.org.cer $HASH

Then I restarted the Dynamic DNS service and..... everything worked. Yay!

So my question is..... How often do I have to repeat this step? Every month? Every year? Every time I restart the router? Should I put these commands in a script and set it up as a cron job? Sorry for the noob questions, I know next to nothing about SSL except that it is necessary so that no one can see my username/password every time I update my IP. Thanks!

Edit: I didn't notice that you pulled them manually. You could install ca-certificates using opkg as another, probably easier option.

Edit 2: You look like you did install ca-certificates. You shouldn't have had to fetch their certificate, and doing so that way potentially ignores any trust chain about who you actually contacted to get that certificate.

Does opkg list-installed show ca-certificates as installed? Does your device show something like this:

$ ls -l /etc/ssl/certs/
-rw-r--r--    1 root     root        200061 Sep 17 18:17 ca-certificates.crt

Their certificate, at least as delivered to my browser, is valid and can be confirmed based on a proper set of CA roots:

I would recommend getting your CA roots straightened out, and removing what you downloaded. There are things like revocation that won't work if you have a non-root certificate "hard" installed.


The CA certs change very slowly, with the exception of the revocation of some "marginal" ones. They'll often be updated any time you flash a new ROM when you install new packages. I would consider quarterly plenty often, once a year probably reasonable. I'd say they change slower than you should be updating your ROM for general security reasons.


You got me curious. https://wiki.mozilla.org/NSS:Release_Versions shows them changing every few months, unsurprisingly in sync with Firefox releases. https://wiki.mozilla.org/NSS:Versions shows the CA roots changing more slowly.

3 Likes
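As an added example (not from any post in this thread), a small POSIX sh audit of a hashed certificate directory such as /etc/ssl/certs on OpenWrt. It reports the three problems discussed above: a certificate file with no <subject_hash>.N link (so OpenSSL never finds it), a non-self-signed server certificate that was "hard" installed into the trust store, and a certificate that expires within a chosen number of days. The directory path, the day threshold and the finding labels are this example's own choices.

```sh
#!/bin/sh
# Added example: audit a hashed cert directory (e.g. /etc/ssl/certs on OpenWrt).
# Prints one finding per line and returns 1 if anything needs attention.
#   NOLINK    - no <subject_hash>.N symlink points at the file
#   NOTROOT   - cert is not self-signed, i.e. a pinned leaf/intermediate
#   EXPIRING  - cert expires within DAYS days (default 30)
audit_cert_dir() {
  dir=$1
  days=${2:-30}
  status=0
  for f in "$dir"/*.cer "$dir"/*.pem "$dir"/*.crt; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    # The ca-certificates bundle is one concatenated file read via -CAfile;
    # it is not looked up through hash links, so skip it here.
    case "$name" in ca-certificates.crt) continue ;; esac
    hash=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || {
      echo "UNREADABLE $name"; status=1; continue; }
    # OpenSSL looks for <subject_hash>.0, .1, ... pointing at the file.
    linked=0
    for l in "$dir/$hash".[0-9]*; do
      [ -L "$l" ] && [ "$(basename "$(readlink "$l")")" = "$name" ] && linked=1
    done
    [ "$linked" -eq 1 ] || { echo "NOLINK $name (expected $hash.0)"; status=1; }
    # A trust anchor should be self-signed (issuer == subject). Anything else
    # is a server or intermediate cert pinned into the store, as in the thread.
    subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || { echo "NOTROOT $name"; status=1; }
    # -checkend takes seconds and fails if the cert expires inside that window.
    openssl x509 -noout -checkend "$((days * 86400))" -in "$f" >/dev/null \
      || { echo "EXPIRING $name"; status=1; }
  done
  return "$status"
}
```

Running `audit_cert_dir /etc/ssl/certs 30` on a router that only has the ca-certificates bundle prints nothing and returns 0; a manually pulled server certificate shows up as NOTROOT even when its hash link is correct.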

Is a reboot of OpenWRT necessary for it to recognize freshly-installed certs?
i.e. on mine, the ca-certificates package was not previously installed, yet now it's installed and DDNS still logs errors about not being able to find a valid CA cert in the /etc/ssl/certs path.
Perhaps a restart of another daemon is all that's needed?

I recall it's required to specify the path and file in versions 21 and 22. A restart of the DDNS service should be OK.


Also, in the future, you may wish to make a new thread instead of reviving a 3 year old one. I noted that to highlight that the information in the posts above may be outdated (e.g. the posts might reference procedures on old versions of OpenWrt that differ today). Hope this helps.

1 Like

Thanks. Turns out I hadn't been specifying the filename, only the path to where all the crts are. I had supposed that it would scan the directory to find the crt file it wanted.

I can't claim to be fluent in proper forum etiquette, so the tip about old threads helps, too. My fear is starting a new thread when I should be adding to an old one that already addresses the problem, but yeah, stale info should be left to fade into history.
