Is this page outdated? "getting rid of luci https certificate warnings?"

I am baffled by this page.
https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings

It describes how to deal with a problem I'm having with SSL, but section 7 on the page makes a reference to doing something with LuCI which doesn't look anything like the current LuCI menu/page structure (using OpenWrt 18.06.1).

In LuCi, go to Services → uHTTPd

  • In the field for HTTPS Certificate, paste /etc/ssl/mycert.crt

  • In the field for HTTPS Private Key, paste /etc/ssl/mycert.key

  • Hit save and apply.

The only place I can find anything about Services in LuCI is the System>Startup page, which will do various things to start and stop services, but has no sub-page apparent for any service, and no sign of the referenced fields.

I am guessing that there might be a way of doing this by editing /etc/init.d/uhttpd, but I am a bit scared of breaking anything. (Yes, I know, back up the file before editing, but we are dealing with logging in to the router... I am not an expert on Linux.)

Essentially, this needs checking to be sure it points to the right part of LuCI, and maybe re-phrasing. If there is a non-LuCI way of doing the job, that needs documenting too.

Did you do step 2?

opkg update && opkg install openssl-util luci-app-uhttpd

It should install the option in LuCI. You can install the packages openssl-util and luci-app-uhttpd from LuCI instead if you like.

1 Like

Close, but the non-LuCI way would be /etc/config/uhttpd

The lines that need to be changed are:
option cert '/etc/uhttpd.crt'
and
option key '/etc/uhttpd.key'

You will need to ssh into your router then cd /etc/, and finally scp the certificate files via the command scp -r user@your.desktop.example.com:/path/to/ssl /home/user/Desktop/ (assuming your certificate files are stored in a folder called ssl on a Linux desktop).

This isn't really necessary anymore since LuCI generates its own self-signed certificate on first boot. You'd only really want to do this if you want to make your certificate last longer than 2 years by changing the days parameter in the command to however many days you want the certificate to not expire.

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -config myconfig.conf

EDIT: At least on Linux you can generate the certificates on any distro that has openssl installed by default, thereby skipping any need to install bloat packages that will only be used once on your router. My scp instructions assume you generate the certificate files on a Linux or BSD (+OS X) distro.
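
A pre-restart check for the `option cert` / `option key` settings described above, as an added example that is not part of any post in this thread. It assumes single-quoted values as in the lines shown, and it additionally reads uhttpd's `option home` (the document root) to make sure the private key is not stored somewhere the web server would serve it.

```shell
#!/bin/sh
# Added example (not from the thread): check the TLS file settings in a
# uhttpd-style UCI config before restarting the web server.

# Print the first single-quoted value of "option <name>" in config file $2.
uci_option() {
    sed -n "s/^[[:space:]]*option[[:space:]][[:space:]]*$1[[:space:]][[:space:]]*'\([^']*\)'.*\$/\1/p" "$2" | head -n 1
}

# check_uhttpd_tls CONFIG -> prints findings, returns 0 only if all checks pass.
check_uhttpd_tls() {
    conf=$1 rc=0
    cert=$(uci_option cert "$conf")
    key=$(uci_option key "$conf")
    home=$(uci_option home "$conf")      # document root served by uhttpd

    for f in "$cert" "$key"; do
        if [ -z "$f" ] || [ ! -s "$f" ]; then
            echo "FAIL: missing or empty file: '${f:-<option not set>}'"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # Characters 5-10 of the ls mode string are the group/other permission bits.
    perms=$(ls -ld -- "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other (try: chmod 600 $key)"
        rc=1
    fi

    # A key stored under the document root could be downloaded over HTTP.
    case "$key" in
        "${home:-/nonexistent}"/*)
            echo "FAIL: $key is inside the document root $home"
            rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: cert=$cert key=$key"
    return "$rc"
}

# On the router, run it against the real config:
# check_uhttpd_tls /etc/config/uhttpd
```
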

I ran through that again. No difference. Did a remove followed by an install and that did make the Service menu available. Have I been caught out by a glitch somewhere?

After the restart, the browser login failed. Had to clear the browser cache, which is a known problem that may be worth a mention.

Download and install Chrome... At least the login is working, but the described way of getting at the certificate still doesn't work.... It looks like the Chrome UI has changed.

And then another answer that suggests this has all been a waste of time since LuCI does all this automatically...

Why, if being careful has to be so awkward, does anyone bother?

What are you being careful about?
I hope you're not opening your LuCI page to the Internet. That's quite dangerous.

I hope I am not doing that, but it is beginning to feel as if getting some basic security with a web browser is about as easy as locking your front door while standing on your head and playing "Apache" on a ukelele.