Install a custom certificate

Hi there, I downloaded the latest OpenWrt version available (19.07.3) today for my Linksys WRT2300ACM. One of the first things I wanted to do was to install a custom self-signed certificate; unfortunately I've been dealing with that for hours and I still can't make it work.

I followed the steps here https://openwrt.org/docs/guide-user/luci/luci.essentials#installation to install luci-ssl-nginx, and then I also followed the steps here https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings to update the certificate and private key file through LuCI.

I'd like to say that I'm fairly familiar with SSH, TLS/SSL certificates and Linux, and I do understand the process described in those links, particularly the last one, but having said that I wouldn't call myself an expert since I don't do this every day and I may be doing something wrong.

I initially tried installing my own self-signed certificate which I generated using openssl on a Linux machine. I also generated and installed a CA certificate for my computer and used that CA to sign the new router certificate, then I copied the router certificate and private key files to /etc/ssl on the router using SFTP (installed previously). Here I started following the steps to select my CRT and KEY files through LuCI (Services > uHTTPd), clicked Save and Apply, rebooted the router, refreshed the browser but nothing changed; I still see the old certificate in the browser.

I verified the configuration file manually (/etc/config/uhttpd) by SSHing into the router and it looks good, the configuration file shows the correct path for the files.
option cert '/etc/ssl/router.crt'
option key '/etc/ssl/router.key'

I've gone through the same process with some variations, copied the files to /etc, /etc/ssl, /etc/ssl/certs and /etc/ssl/private; every time I make a change I save the files or use "Save and Apply" if I'm in the GUI and restart uhttpd either through the GUI or with "services uhttpd restart", or even reboot the router if that doesn't work. It doesn't matter what I do, the router won't pick up the new files; it is still serving the original files created during the installation. I even deleted the CRT and KEY files on the router (/etc/uhttpd.crt and /etc/uhttpd.key) and all the files I created, rebooted, and the router is still serving the original CRT and KEY files... how is it serving the original files if I deleted them!?

It all makes me believe that the original certificate and key files are cached somewhere. LuCI is correctly updating the configuration file (/etc/config/uhttpd) but that doesn't matter because the router won't pick up the files.

I also cleared the cache in my browser several times, but that didn't make any difference either.

My last test was to follow the steps in the second link above religiously, I only updated the DNS and IP, and that didn't work either.

I'm out of ideas, appreciate any help!

This is the wrong config file for the nginx webserver you are using!
Nginx currently has no config in /etc/config and has to be configured in /etc/nginx/conf.d/.

For adding a config to /etc/config, there are currently two pull requests that are RFC.


Hi Juppin, your comment put me back on the right track again. I installed nginx assuming it shared the same settings as uhttpd and that's what got me confused. I uninstalled nginx since I'm not really interested in using it at this time, and followed the steps in my second link (https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings) to verify and now I do see OpenWRT picking up the certificate. Then I used my self-signed certificates and after some tweaking I was able to generate a certificate that's compatible with modern browsers (includes SAN), validated by my own CA and that won't generate any errors in the browser.

Thanks for your help!

In case anybody else is going through this same process, here's a guide that might help you:

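The last post mentions generating a CA-signed router certificate that carries a SAN so modern browsers accept it, but gives no commands. The script below is an added example written for this thread; it is not from the original posts, from the OpenWrt wiki, or from the OpenWrt project. The hostname openwrt.lan, the address 192.168.1.1, the CA name and the output directory are placeholders to replace with your own values. It also includes a check that would have caught the original problem in the thread: it inspects the certificate and key actually on disk, and a helper that asks the running web server which certificate it is really serving.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): build a private
# CA and a SAN-bearing server certificate with the openssl CLI, then verify
# the result before pointing uhttpd at it.  All names are placeholders.

set -eu

# make_router_cert OUTDIR HOST IP
#   Writes ca.key/ca.crt (the private CA) and router.key/router.crt
#   (the server certificate, signed by that CA) into OUTDIR.
make_router_cert() {
    outdir="$1"   # output directory, e.g. ./router-pki (placeholder)
    host="$2"     # router hostname, e.g. openwrt.lan (placeholder)
    ip="$3"       # router LAN address, e.g. 192.168.1.1 (placeholder)
    mkdir -p "$outdir"

    # 1. Private CA: 4096-bit RSA key, self-signed for ten years.
    openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/CN=Home Lab Root CA" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null

    # 2. Router key and CSR.  The SAN and EKU extensions go into an extfile
    #    that is applied at signing time, which works on old and new openssl.
    cat > "$outdir/router.ext" <<EOF
subjectAltName = DNS:${host}, IP:${ip}
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=${host}" \
        -keyout "$outdir/router.key" -out "$outdir/router.csr" 2>/dev/null

    # 3. Sign the CSR with the CA (825 days keeps browsers happy).
    openssl x509 -req -sha256 -days 825 \
        -in "$outdir/router.csr" -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" \
        -CAcreateserial -extfile "$outdir/router.ext" \
        -out "$outdir/router.crt" 2>/dev/null
}

# check_router_cert OUTDIR HOST
#   Returns 0 only if router.crt chains to ca.crt, carries the expected
#   DNS SAN, and matches router.key (a cert/key mismatch is a common reason
#   a web server silently keeps using its old pair).
check_router_cert() {
    outdir="$1"
    host="$2"
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/router.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$outdir/router.crt" -noout -text | grep -q "DNS:${host}" || return 1
    certpub="$(openssl x509 -in "$outdir/router.crt" -noout -pubkey)"
    keypub="$(openssl pkey -in "$outdir/router.key" -pubout 2>/dev/null)"
    [ "$certpub" = "$keypub" ] || return 1
    return 0
}

# show_served_cert HOST PORT
#   Prints subject, issuer and SAN of whatever the live server hands out.
#   Comparing this against router.crt tells you whether the daemon you
#   configured is the one actually answering on 443 (in the thread it was
#   nginx, not uhttpd).  Needs network access, so it is not run by the test.
show_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -text \
        | grep -E 'Subject:|Issuer:|DNS:|IP Address:'
}
```

After `make_router_cert ./router-pki openwrt.lan 192.168.1.1` and a passing `check_router_cert`, copy router.crt and router.key to the router, set uhttpd's `option cert` and `option key` to those paths (the same two lines the first post shows), restart uhttpd, and import ca.crt into the browser or OS trust store. Then run `show_served_cert 192.168.1.1 443` from the client: if the issuer is not "Home Lab Root CA", another daemon (such as nginx) owns port 443 and is serving its own certificate, which is exactly the situation in this thread.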
