Https connection to LuCI is discarded

The reason is next certificate is not valid:

Common Name (CN)

OpenWrt

Organization (O)

OpenWrt4595bdc5

Organizational Unit (OU)

<Not Part Of Certificate>

### Issued By

Common Name (CN)

OpenWrt

Organization (O)

OpenWrt4595bdc5

Organizational Unit (OU)

<Not Part Of Certificate>

### Validity Period

Issued On

Monday, March 28, 2022 at 12:43:54 PM

Expires On

Thursday, March 28, 2024 at 11:43:54 AM

### Fingerprints

SHA-256 Fingerprint

5A F3 3B 26 58 B4 C2 65 DB E6 E6 7D 34 FE DC 88 E8 80 82 E9 A9 A7 92 D1 CD 33 D4 9F F5 B2 B9 40

SHA-1 Fingerprint

9F 4D 0A 8F 44 02 1C E7 24 7C 11 FE DE D0 AE 2C CE D5 2E EC

How do i validate the certificate so I will have a proper HTTPS connection?

Firmware version:

Firmware Version	OpenWrt 21.02.2 r16495-bf0c965af0 / LuCI openwrt-21.02 branch git-22.052.50801-31a27f3
Kernel Version	5.4.179

Had the same "issue" and read https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings ; not applied so far...

  • What isn't applied?
  • Did you read the Wiki link you posted?

Save the cert to your browser.

From the same link above: https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings#chain_of_trust

  • ...and save (just name it, don't give it an extension as it'll be automatically added for you) the certificate somewhere easy to find. You can name it anything. Now close that window and the window that opened when you pressed F12.
  • In place of the last 2 steps above, you can pull /etc/ssl/mycert.crt off your router using other means such as SCP if you're a pro.
  • Proceed below depending on your operating system

It then explains how to load the cert into your browser to suppress the warning.

1 Like

I simply meant I didn't implement it.

1 Like

OK, tru tru. :smile:

I thought I missed something in the Wiki.

I believe the Wiki is clear and well done :smile:

1 Like

applied certificate on my ubuntu via certutil. Still have error from both firefox and chrome. Documentation sucks :frowning:

Firefox:
The certificate is not trusted because it is self-signed.


Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

Chrome: see picture:

Which is correct.

The browsers won't accept a self signed cert until you override the warning.

If you want to use HTTPS, look in to Let's Encrypt.

1 Like

Did you actually add it to Firefox and Chrome (i.e. the cert managers you're using)?

that's totally ok: self signed certificates are not accepted as @OldNavyGuy already confirmed.

you have basically two paths to choose:

  1. keep using the self signed cert which was created by openwrt and make an exception in your browser: https://it.nmu.edu/docs/adding-security-exception-your-browser. this will make your browser not complaining any further.
  2. use a real (commercial or free, e..g let's encrypt) certificate which will be trusted by any browser.

@icegood, the simplest way to create self signed key/cert pairs would be:

enter to your router CLI from your computer (Windows or Linux) just type this in a Windows Powershell or Linux bash:

ssh root@192.168.1.1

Then type this:

cd /etc
# Create CA key and certificate. Import ca.crt as root certificate to the computers accessing the router and save ca.key for future use.
[ -e "./ca.key" ] || openssl genrsa -out ca.key 2048
[ -e "./ca.crt" ] || openssl req -new -x509 -days 7300 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt

# Create server key and certificate. use server.key and server.crt as valid files for uhttpd, ttyd, etc.
[ -e "./server.key" ] || openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=localhost" -out server.csr
echo "subjectAltName=IP:192.168.1.1,DNS:Openwrt.lan,DNS:myserver.myddns.org,DNS:www.myserver.myddns.org" > /tmp/subjectAltName.txt
openssl x509 -sha256 -req -extfile /tmp/subjectAltName.txt -days 825 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

Obviously, change the DNS entries with your own internal/external, and IPs you use to access the router.

Do not forget to transfer the ca.crt file out of your router and add it as root certificate to your computer, phone, or any other device you use to browse LuCI web interface.
From your computer (Windows or Linux) just type this in a Windows Powershell or Linux bash:

scp root@192.168.1.1:/etc/ca.crt .

In Windows you just have to double click the ca.crt file and add it to the trusted root certificates storage.

/etc/server.key and /etc/server.crt can be used for any service such as uhttpd, ttyd, nginx, etc.

I think your problem is that the subjectAltName is missing in your certificate. So, you can only access your router using the CN, and that CN doesn't look like a valid DNS in your lan.

For windows, the guide is correct.
However, for linux, is a totally different matter.
To get chrome work, is sort of easier, for firefox is a bit more complicated.
For those interested, i can share my own guide, which works.
1)Chrome

sudo apt update
sudo apt install libnss3-tools

Syntax

certutil -d sql:$HOME/.pki/nssdb -A -t "TC,," -n "<CERT_NICKNAME>" -i <FILE_CRT>

From the Folder where the .crt is, open Terminal
OpenWrt

certutil -d sql:$HOME/.pki/nssdb -A -t "TC,," -n "OpenWrt" -i mycert.crt

2)Firefox

Syntax

certutil -A -n "<CERT_NICKNAME>" -t "TC,," -i <PATH_FILE_CRT> -d sql:<PATH_PROFILE_FIREFOX>

CERT_NICKNAME: Certificate Alias to set on the certificate list
PATH_FILE_CRT: Path to the .crt file to import
PATH_PROFILO_FIREFOX: Path to the firefox profile used, to be found in /home/user/.mozilla/firefox/Profile_name
example:

certutil -A -n "OpenWrt" -t "TC,," -i /home/OpenWrt/mycert.crt -d sql:/home/user/.mozilla/firefox/qspzdclg.default-release
qspzdclg.default-release

I believe that it is way easier than that.

After running the creating process of my previous post here, do this on your computer depending on your OS:

Windows:

scp root@192.168.1.1:/etc/ca.crt .
certutil -addstore -f "ROOT" ca.crt

Linux (Debian, Ubuntu, WSL...):

scp root@192.168.1.1:/etc/ca.crt .
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates

MacOS X:

scp root@192.168.1.1:/etc/ca.crt .
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ./ca.crt

Well, the certificate creation isnt so much different.
Maybe i could use your way to nstall the certificate anyway?
The way i do, i end up whit the ca.crt anyway, so doing your commands i should get the same results, i suppose?
Or your installation guide is different?

Installing a new system root certificate is not recommended. If anyone has the key to that certificate, they can use it to sign phony certificates to MITM any web site on any application on your PC.

It is much safer to set an internal browser exception for one private IP address, that of your router.

Realize that SSL does nothing to deter hacking of the server. It protects the user from having private data intercepted or connecting to a rogue server. Generally these aren't likely on a home LAN.

3 Likes

No need for that if you delete the ca.key file after the server.key and server.crt are created. Still easier and as safe as creating exceptions. And you are covered everywhere. For instance in Linux you can test the validity of the cert of a website by doing:

openssl s_client -showcerts -connect SITE_NAME_HERE:443 | openssl x509 -noout -dates

IMO, Let's Encrypt certs are the way to go.

The only problem of Let's Encrypt is that your server must be public, so your FQDN. So, you lose the flexibility of using the external and internal names and IPs in the certificate. In other words, you won't be able to secure access your router using the lan IP, or local lan name.

Which goes back to @mk24's post above -

1 Like

I don't see the connection. One thing is where you get the CA cert from, and the other is the way you trust on that cert. Two different discussions.