One is using a cert for a public server vs. using a cert for a private LAN IP (router).
Works on my browser, when you actually add them (i.e. on the Chrome and Firefox screens in Post No. 9).
grrr2
March 31, 2022, 12:51pm
No, it does not work out of the box. That's the problem... well, actually we should not treat it as a problem, because it totally makes sense why browsers raise a warning for any (!) self-signed cert signed by an unknown CA. It is not just an OpenWrt "problem".
And yes, you have a couple of ways to resolve it:
1. create/use a private CA, add it to the client's trusted CA store and create/use server certs signed by this private CA,
2. just add OpenWrt to the client's exception list - that's the easiest IMHO. If we are talking about usual home usage it should not be an issue if you connect from a trusted PC you own to your own router through your own network, and you just will not see the lock badge in the browser... for any other case you may prioritize security of course and use e.g. the commercial method (next point),
3. use a commercial (paid or free) CA to sign the server cert for your router.
And no, Let's Encrypt does not require you to be on the internet except for the time when the cert is (re)issued and HTTP-based validation is used. Or you can use DNS-based validation without ever opening up to the internet.
I'm guessing you were responding to someone else.
I was merely assisting the OP with option No. 2 (as noted in the Wiki).
I personally think it's silly to know why the router is given the error and try to cancel it .
grrr2
March 31, 2022, 1:05pm
OK, in your previous post it looked like you were disagreeing with my statement about self-signed certs. But my statement still holds as explained: by design, any unknown self-signed cert is not accepted by any modern browser, for good reason.
(/off: your last link is actually the problem: some people misunderstand and think that having a public (e.g. Let's Encrypt) certificate would mean you can open up your router to the WAN. It is not the case.
If somebody would like remote access to their router, they should use a VPN; a public cert is not enough.)
gladivy
December 24, 2022, 8:24am
Hello, I'm new to OpenWrt. After following the tutorial https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings I lost connection to the web interface. Can you help me with this, please?
gladivy
December 24, 2022, 9:03am
Following the guide, I can create a certificate and add it to Firefox as an exception when visiting my router's web admin, and everything works.
However, for Chrome-based browsers, it does not succeed. When I do not install the certificate, they allow me to manually allow visiting the site. However, when I install the certificate, I get a "NET::ERR_CERT_INVALID" error and I cannot manually override it. I have no idea what I am doing wrong; has Chrome become more strict again or something?
Edit: I am on Linux, Kubuntu 22.04 specifically.
hnyman
May 26, 2024, 5:51am
felagund:
Chrome-based browsers, it does not succeed. When I do not install the certificate, they allow me to manually allow visiting the site. However, when I install the certificate, I get a "NET::ERR_CERT_INVALID" error and I cannot manually override it. I have no idea what I am doing wrong; has Chrome become more strict again or something?
Browsers are increasingly strict in accepting SSL certificates.
That has been noticed earlier, and there is both a LuCI issue and a PR trying to mitigate at least some parts of the problem.
opened 02:03AM - 16 Nov 23 UTC
## Steps to reproduce:
1. go to: Services → uHTTPd → uHTTPd Self-signed Certificate Parameters
2. set parameters to your liking
3. Save & Apply
4. click "remove old certificate and key" button
## Actual behavior:
1. The generated certificate will not be accepted by modern browsers
## Expected behavior:
A certificate that will be accepted by modern browsers
## Additional Information:
The effect you can see on Windows and Edge, for example, is this:
if you have not trusted the certificate, Edge will show a NET::ERR_CERT_AUTHORITY_INVALID error. This error can be ignored and the website can be accessed. However, the normal way to get rid of the certificate error is to download the certificate and install it in the "Trusted Root Certificate" store for the local machine. The problem is, if you use the currently generated certificate you get a NET::ERR_CERT_INVALID error which cannot be ignored, and you cannot access the website until you have removed the certificate from the certificate store again.
As a workaround you can create the certificate manually
The commands are
```
openssl ecparam -name prime256v1 > ec.param
openssl req -x509 -nodes -days 3650 -newkey ec:ec.param -keyout mycert.key -out mycert.crt -config myconfig.conf
```
The used config looks like this
```
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
string_mask = utf8only
utf8 = yes
[req_distinguished_name]
C = <Country>
ST = <State>
L = <local>
O = <organisation>
OU = <organisation unit>
CN = <fqdn of openwrt device (openwrt.lan)>
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = <fqdn of openwrt device (openwrt.lan)>
IP.1 = <ipv4 of openwrt device (10.0.0.1)>
IP.2 = <ipv6 of openwrt device (fd18:211d:d95::1)>
# add more IP.n / DNS.n entries here if needed
```
The certificate generated this way is accepted, and the certificate error vanishes as soon as the certificate is installed in the certificate store.
The workaround makes it clear that the certificates generated via the UI lack the alternative names, which seem to be a requirement for modern browsers.
openwrt:main ← hnyman:uhttpdcert
opened 06:16PM - 02 May 24 UTC
Browsers are increasingly picky about the attributes included in the SSL certificates. The self-signed certificates generated by uhttpd for LuCI usage cause warnings due to the self-signed status, and especially the missing "subjectAltName" can be difficult with some browsers.
Reference to discussion in https://github.com/openwrt/luci/issues/6701 and forum search https://forum.openwrt.org/search?q=ERR_CERT_INVALID
OpenSSL has supported the extended attributes for some time, as has also the wolfssl library and our related px5g-wolfssl certificate generating tool. The recent upgrade of mbedTLS to 3.6 finally enables also mbedTLS to more easily provide certificates with those attributes.
This PR
* modifies px5g-mbedtls to support the needed extended x509v3 attributes. The initial draft for implementation was started some months ago by @systemcrash and I have finalized the implementation.
(Note: OpenSSL backend and px5g-wolfssl required no modifications. Same parameter suits all three SSL implementations)
* modifies uhttpd init script to include also `Subject Alternative Name` and `Extended Key Usage` in the certificate.
I took a really old commit from @jow- staging repo where Pat Fruth proposed the parameters already in 2019
* also modifies uhttpd default for certificate lifetime to match the current CA/Browser forum recommendation/requirement of max. 397 days. Reference to https://cabforum.org/working-groups/server/baseline-requirements/
> 6.3.2 Certificate operational periods and key pair usage periods: Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days.
Certificates will now have these new attributes:
```
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:OpenWrt
```
Tested with mediatek filogic MT6000 running r26117-5c833329ce, all three certificate variants.
Examples below:
OpenSSL:
```
root@router6000:/etc# rm /etc/uhttpd.*
root@router6000:/etc# /etc/init.d/uhttpd restart
4+0 records in
4+0 records out
-----
root@router6000:/etc# openssl x509 -text -noout -in /etc/uhttpd.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
14:50:f9:6c:1b:a0:34:97:8f:f2:3a:4b:92:18:67:e0:1f:27:56:d8
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrtc895345d, CN = OpenWrt
Validity
Not Before: May 2 17:19:55 2024 GMT
Not After : Jun 3 17:19:55 2025 GMT
Subject: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrtc895345d, CN = OpenWrt
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:95:29:6d:fc:4e:28:c5:36:0a:e5:d2:1e:12:5d:
b5:2c:99:00:9d:19:ac:d5:75:92:93:45:23:d6:30:
9f:34:4a:9b:f1:9b:7b:55:db:b4:13:ce:6c:5d:6f:
38:83:19:c2:95:b6:64:58:f1:c1:fe:08:f6:fc:39:
b5:2a:46:29:5c
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
E7:34:31:F3:45:88:3A:24:A5:2B:AC:48:51:A1:BA:A9:DC:2A:35:6C
X509v3 Authority Key Identifier:
E7:34:31:F3:45:88:3A:24:A5:2B:AC:48:51:A1:BA:A9:DC:2A:35:6C
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:OpenWrt
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:61:53:c7:b7:96:a2:3f:9e:1c:f6:a4:e0:2f:29:
1b:25:d7:08:86:2e:7c:9b:b8:32:69:54:13:8a:6a:ed:b1:54:
02:21:00:c5:69:70:9e:70:22:7c:1a:84:34:6b:27:95:e8:77:
48:da:e1:08:84:5c:51:4a:50:1c:80:84:fe:9d:05:dc:69
```
mbedTLS
```
root@router6000:/etc# opkg install -force-reinstall --force-overwrite /etc/px5g-mbedtls_11_aarch64_cortex-a53.ipk
No packages removed.
Installing px5g-mbedtls (11) to root...
Configuring px5g-mbedtls.
root@router6000:/etc# rm /etc/uhttpd.*
root@router6000:/etc# /etc/init.d/uhttpd restart
4+0 records in
4+0 records out
Generating EC private key
Generating selfsigned certificate with subject 'C=ZZ,ST=Somewhere,L=Unknown,O=OpenWrtf8ae1403,CN=OpenWrt,' and validity 20240502172239-20250603172239
root@router6000:/etc# openssl x509 -text -noout -in /etc/uhttpd.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4882544200690792491 (0x43c24814ea51782b)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrtf8ae1403, CN = OpenWrt
Validity
Not Before: May 2 17:22:39 2024 GMT
Not After : Jun 3 17:22:39 2025 GMT
Subject: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrtf8ae1403, CN = OpenWrt
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:0c:03:0f:d6:32:17:8f:0a:6f:e8:3c:47:6d:46:
b8:df:d9:86:e4:f5:d5:bb:41:c7:70:48:3d:b4:5e:
d4:2d:65:f1:b8:35:1d:03:70:b0:98:08:24:9a:a1:
17:c3:59:f2:9f:9f:ca:8f:fd:c7:57:0d:0c:3b:ea:
17:11:ef:d3:d6
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
63:C0:F6:A8:71:62:A3:CD:E7:78:03:F1:B6:D1:6A:8E:66:74:12:7E
X509v3 Authority Key Identifier:
63:C0:F6:A8:71:62:A3:CD:E7:78:03:F1:B6:D1:6A:8E:66:74:12:7E
X509v3 Subject Alternative Name:
DNS:OpenWrt
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:44:02:20:1e:cb:72:56:e8:b9:be:f7:87:b4:83:eb:a4:1b:
51:f2:75:9e:3b:27:65:4c:36:7a:bb:36:20:65:05:44:23:83:
02:20:13:75:83:8b:90:2d:28:61:86:8f:5f:94:c1:b6:f1:26:
fd:c6:f7:64:ca:25:42:43:05:33:85:d9:29:fc:9c:01
```
WolfSSL
```
root@router6000:/etc# opkg install -force-reinstall --force-overwrite /etc/px5g-wolfssl_9_aarch64_cortex-a53.ipk
No packages removed.
Installing px5g-wolfssl (9) to root...
Configuring px5g-wolfssl.
root@router6000:/etc# rm /etc/uhttpd.*
root@router6000:/etc# /etc/init.d/uhttpd restart
4+0 records in
4+0 records out
Generating EC private key
Generating selfsigned certificate with subject '/C=ZZ/ST=Somewhere/L=Unknown/O=OpenWrt2ddb3f07/CN=OpenWrt' and validity 20240502172412-20250603172412
root@router6000:/etc# openssl x509 -text -noout -in /etc/uhttpd.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:00:5f:27:83:f2:3a:2d:1b:a1:d2:fa:85:88:78:35
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt2ddb3f07, CN = OpenWrt
Validity
Not Before: May 1 17:24:12 2024 GMT
Not After : Jun 3 17:24:12 2025 GMT
Subject: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt2ddb3f07, CN = OpenWrt
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b1:00:03:2c:30:4a:fe:ad:77:17:98:95:56:43:
ee:7c:63:09:df:d1:ae:2f:d3:4b:4c:36:8b:c3:28:
2b:49:ba:9a:50:81:6e:1c:14:e4:1b:ea:5a:c6:9c:
a3:c0:5a:b3:8d:a9:ae:38:59:10:83:e7:3f:84:df:
20:ce:30:cb:ff
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:OpenWrt
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:59:24:c3:9e:9f:74:86:91:1f:a0:3d:1d:d4:a5:
b4:9d:61:f6:6d:4f:76:7d:0d:53:8b:65:83:94:c6:d5:9c:2e:
02:21:00:fe:7b:d4:3c:75:23:71:07:0d:2b:13:0b:3c:2a:be:
67:20:09:f7:7b:0d:ca:69:72:6e:c7:a3:f2:f2:77:04:17
```
For reference, a current cert generated by uhttpd with OpenSSL without the new parameters:
```
root@router4:~# openssl x509 -text -noout -in /etc/uhttpd.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:0b:8d:7a:fd:d1:da:33:01:c3:71:57:f0:56:2e:03:eb:39:73:bf
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt08f8a59c, CN = OpenWrt
Validity
Not Before: Jun 17 15:48:27 2021 GMT
Not After : Jun 17 15:48:27 2023 GMT
Subject: C = ZZ, ST = Somewhere, L = Unknown, O = OpenWrt08f8a59c, CN = OpenWrt
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:64:d6:31:2b:a1:73:dc:ef:ac:62:1b:31:79:72:
83:61:26:41:c0:fd:ec:83:e1:92:f6:a7:69:3e:b8:
a3:58:e0:c1:d2:5c:4f:80:3d:64:12:ac:0d:cb:c3:
da:0b:3d:6f:19:fb:f0:e9:69:5c:17:84:17:fa:c1:
af:ba:b3:fa:87
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
29:10:B0:92:63:2A:E4:DC:39:2B:3D:1D:C8:62:93:78:D3:83:4A:31
X509v3 Authority Key Identifier:
29:10:B0:92:63:2A:E4:DC:39:2B:3D:1D:C8:62:93:78:D3:83:4A:31
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:78:56:3f:10:9a:e4:6f:92:90:ef:08:06:26:b2:
5b:d6:64:6e:fc:c6:2c:f8:1e:96:c7:83:e6:aa:d8:22:f2:f7:
02:21:00:cc:14:86:1c:22:e3:9b:8c:42:39:58:61:f1:7a:cb:
cc:c7:2c:a7:f9:92:d5:89:ce:d8:ae:bf:23:f4:b4:2e:39
```
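Putting two points of the thread together, grrr2's first option (a private CA whose root certificate is the only thing the client is told to trust) and the attributes the issue above found necessary (subjectAltName, a serverAuth EKU, and CA:FALSE on the server certificate), the script below is an added example; it is not code from this thread or from the OpenWrt project. The router name openwrt.lan and the addresses 192.168.1.1 and fd00::1 are assumptions, so replace them with your own. It also verifies the result the way a browser does, checking the chain and each SAN entry rather than the CN.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): a private CA
# plus a LuCI server certificate carrying the SAN/EKU attributes the GitHub
# issue above found necessary. Names and addresses are hypothetical.
set -eu

ROUTER_FQDN="${ROUTER_FQDN:-openwrt.lan}"
ROUTER_IP4="${ROUTER_IP4:-192.168.1.1}"
ROUTER_IP6="${ROUTER_IP6:-fd00::1}"

# make_certs DIR: writes ca.crt/ca.key (import ca.crt on the client) and
# router.crt/router.key (point uhttpd's cert/key options at these).
make_certs() {
    d="$1"
    mkdir -p "$d"

    # 1. Private CA: self-signed, CA:TRUE, keyCertSign. It is the only
    #    certificate that goes into a browser's trust store.
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home LAN private CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
    openssl req -x509 -new -sha256 -days 3650 -key "$d/ca.key" \
        -config "$d/ca.cnf" -out "$d/ca.crt"

    # 2. Router key and CSR. The CN is kept for display only; browsers
    #    match the URL against subjectAltName, not the CN.
    cat > "$d/router.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $ROUTER_FQDN
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/router.key"
    openssl req -new -sha256 -key "$d/router.key" -config "$d/router.cnf" \
        -out "$d/router.csr"

    # 3. Leaf extensions: CA:FALSE, serverAuth, and a SAN entry for every
    #    name and address you will type into the browser.
    cat > "$d/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$ROUTER_FQDN, IP:$ROUTER_IP4, IP:$ROUTER_IP6
EOF
    # 397 days: the CA/Browser Forum limit quoted in the PR description.
    openssl x509 -req -sha256 -days 397 -in "$d/router.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/leaf.ext" -out "$d/router.crt"
}

# verify_chain DIR NAME: succeeds only if router.crt chains to ca.crt, is
# usable as a TLS server cert, and NAME (hostname or IP) is in its SAN.
verify_chain() {
    d="$1"; name="$2"
    case "$name" in
        *:*|[0-9]*.[0-9]*.[0-9]*.[0-9]*) opt=-verify_ip ;;
        *) opt=-verify_hostname ;;
    esac
    openssl verify -CAfile "$d/ca.crt" -purpose sslserver \
        "$opt" "$name" "$d/router.crt" >/dev/null 2>&1
}

# cert_sans FILE: prints the subjectAltName entries of a PEM certificate, so
# you can confirm the attribute the old uhttpd certificates lacked is present.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr -d ' '
}

# Stand-alone usage: sh this_script.sh <output-dir>
if [ "${1:-}" != "" ]; then
    make_certs "$1"
    cert_sans "$1/router.crt"
    verify_chain "$1" "$ROUTER_FQDN" && echo "router.crt verifies for $ROUTER_FQDN"
fi
```

ca.crt is the only file to import into the client trust store (for Chrome on Linux the certutil invocation later in the thread works with ca.crt in place of the server certificate), while router.crt and router.key are what the cert and key options in /etc/config/uhttpd should point at. Verifying with -verify_hostname and -verify_ip before touching the browser catches the missing-SAN case directly: a certificate that only carries the name in its CN fails the check for that name.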
I see. However, I am running into this error even if I do what I am supposed to do according to the GitHub issue (so it seems it would not help me).
I have this file supi_hnizdo.conf:
```
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
string_mask = utf8only
[req_distinguished_name]
C = world
ST = state
L = city
O = myorg
OU = myunit
CN = supi_hnizdo.lan
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = supi_hnizdo.lan
IP.1 = 192.168.2.1
IP.2 = 2a03:a900:1000:22b1::1
```
I then run:
```
openssl req -x509 -nodes -days 365 -newkey ec:<(openssl ecparam -name prime256v1) -keyout supi_hnizdo.key -out supi_hnizdo.crt -config supi_hnizdo.conf
/etc/init.d/uhttpd restart
```
My /etc/config/uhttpd is like this:
```
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option redirect_https '0'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/ssl/supi_hnizdo.crt'
	option key '/etc/ssl/supi_hnizdo.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'
```
On my machine, I run:
```
scp root@192.168.2.1:/etc/ssl/supi_hnizdo.crt .
certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n supi_hnizdo -i supi_hnizdo.crt
```
And then I get the "NET::ERR_CERT_INVALID" error without being able to override it (unless I type "thisisunsafe").
If I run `certutil -d $HOME/.pki/nssdb -D -n supi_hnizdo`, I can then override the error (after each time I run certutil, I restart the browser). This is all on Chrome; Firefox just accepts the certificate and is happy. I forgot to add that I am on 23.05 on a Belkin RT3200.