HTTPS not possible with snapshot image


I just installed OpenWrt snapshot image to my Netgear WNDR3700v5. I had to install uhttpd and luci and some luci-app's manually since they are not present in the snapshot.
I configured my uhttpd to redirect to https and provided the certificate and the key path.
What I noticed when using luci-ssl-openssl uhttpd doesn't start at all, neither after stopping and starting nor after reboot, unless I do it from the cli.
So I decided to replace luci-ssl-openssl with luci-ssl and uhttpd start working properly and I can login.
Unfortunately https is not working. I am using self signed certificate generated with openssl.
On my TP-Link-TL-WR1043ND every thing was OK. All my self hosted applications are accessible with https. So there is no problem with that.
I appreciate any help on this.
Thanks a lot. My config are below:

 root@OpenWrt:~# cat /etc/config/uhttpd 
# Server configuration
config uhttpd main

	# HTTP listen addresses, multiple allowed
	list listen_http
	list listen_http	[::]:80

	# HTTPS listen addresses, multiple allowed
	list listen_https
	list listen_https	[::]:443

	# Redirect HTTP requests to HTTPS if possible
	option redirect_https	1

	# Server document root
	option home		/www

	# Reject requests from RFC1918 IP addresses
	# directed to the servers public IP(s).
	# This is a DNS rebinding countermeasure.
	option rfc1918_filter 1

	# Maximum number of concurrent requests.
	# If this number is exceeded, further requests are
	# queued until the number of running requests drops
	# below the limit again.
	option max_requests 3

	# Maximum number of concurrent connections.
	# If this number is exceeded, further TCP connection
	# attempts are queued until the number of active
	# connections drops below the limit again.
	option max_connections 100

	# Certificate and private key for HTTPS.
	# If no listen_https addresses are given,
	# the key options are ignored.
	option cert		/etc/ssl/certs/
	option key		/etc/ssl/private/

	# CGI url prefix, will be searched in docroot.
	# Default is /cgi-bin
	option cgi_prefix	/cgi-bin

	# List of extension->interpreter mappings.
	# Files with an associated interpreter can
	# be called outside of the CGI prefix and do
	# not need to be executable.
#	list interpreter	".php=/usr/bin/php-cgi"
#	list interpreter	".cgi=/usr/bin/perl"

	# List of prefix->Lua handler mappings.
	# Any request to an URL beneath the prefix
	# will be dispatched to the associated Lua
	# handler script. Lua support is disabled when
	# no handler mappings are specified. Lua prefix
	# matches have precedence over the CGI prefix.
	list lua_prefix		"/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua"

	# Specify the ubus-rpc prefix and socket path.
#	option ubus_prefix	/ubus
#	option ubus_socket	/var/run/ubus.sock

	# CGI/Lua timeout, if the called script does not
	# write data within the given amount of seconds,
	# the server will terminate the request with
	# 504 Gateway Timeout response.
	option script_timeout	60

	# Network timeout, if the current connection is
	# blocked for the specified amount of seconds,
	# the server will terminate the associated
	# request process.
	option network_timeout	30

	# HTTP Keep-Alive, specifies the timeout for persistent
	# HTTP/1.1 connections. Setting this to 0 will disable
	# persistent HTTP connections.
	option http_keepalive	20

	# TCP Keep-Alive, send periodic keep-alive probes
	# over established connections to detect dead peers.
	# The value is given in seconds to specify the
	# interval between subsequent probes.
	# Setting this to 0 will disable TCP keep-alive.
	option tcp_keepalive	1

	# Basic auth realm, defaults to local hostname
#	option realm	OpenWrt

	# Configuration file in busybox httpd format
#	option config	/etc/httpd.conf

	# Do not follow symlinks that point outside of the
	# home directory.
#	option no_symlinks	0

	# Do not produce directory listings but send 403
	# instead if a client requests an url pointing to
	# a directory without any index file.
#	option no_dirlists	0

	# Do not authenticate any ubus-rpc requests against
	# the ubus session/access procedure.
	# This is dangerous and should be always left off
	# except for development and debug purposes!
#	option no_ubusauth	0

	# For this instance of uhttpd use the listed httpauth
	# sections to require Basic auth to the specified
	# resources.
#	list httpauth prefix_user

# Defaults for automatic certificate and key generation
config cert defaults

	# Validity time
	option days		3650

	# RSA key size
	option bits		2048

	# Location
	option country		DE
	option state		Somewhere
	option location		Home

	# Common name
	option commonname	'OpenWrt'

# config httpauth prefix_user
#	option prefix /protected/url/path
#	option username user
#	option password 'plaintext_or_md5_or_$p$user_for_system_user'
root@OpenWrt:~# ll /etc/ssl/certs/ 
-rw-r--r--    1 root     root           913 Jul 29 15:59 /etc/ssl/certs/
root@OpenWrt:~# ll /etc/ssl/private/ 
-rw-r-----    1 root     root          1675 Jul 29 15:59 /etc/ssl/private/

logread might be of use...

Hi wulfy23,

the permissions of the key file shouldn't be a problem, since the process is owned by root, never the less I changed it to 644. The problem is still there. Here is relevant logread output:

Mon Jul 29 18:36:07 2019 daemon.err uhttpd[28738]: Failed to load certificate/key files
Mon Jul 29 18:36:07 2019 procd: Instance uhttpd::instance1 s in a crash loop 7 crashes, 0 seconds since last crash

I tried the following:

root@OpenWrt:~# openssl x509 -in /etc/ssl/certs/  -text -noout
unable to load certificate
2012864064:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

So I vimed the cert file and there was some crypted strings and characters! I don't know how this could happen. I have the wild card cert else where, so I just verified that it was the right one and copied it to my router.
Now all good.

Thanks a lot.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.