Issue following guide "How to get rid of LuCI HTTPS certificate warnings"

Guide : https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings

Hi,
While trying to verify my HTTPS certificates, I reached an issue at this stage:

Then issue the following command:

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -config myconfig.conf

This will create two files, `mycert.key` and `mycert.crt`.
Alternatively you can create an ECDSA certificate (to speed up the key exchange phase) with the following command:

openssl req -x509 -nodes -days 730 -newkey ec:<(openssl ecparam -name prime256v1) -keyout mycert.key -out mycert.crt -config myconfig.conf

I tried both options, both resulting in errors over SSH.

The second option, which I would prefer to implement, resulted in this response:

root@OpenWrt:/etc/ssl# openssl req -x509 -nodes -days 730 -newkey ec:<(openssl ecparam -name prime256v1) -keyout mycert.key -out mycert.crt -config myconfig.conf
Can't open parameter file /dev/fd/64
140395534695240:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:273:group=req name=default_bits
140395534695240:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/dev/fd/64','r')
140395534695240:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
root@OpenWrt:/etc/ssl#

Could anyone tell me if I've gone wrong, or whether another method is now needed?

For the first option, maybe the error comes from here:

In /etc/ssl, open openssl.cnf

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= AU
countryName_min			= 2
countryName_max			= 2

Your myconfig.conf file should look like this:

[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
string_mask         = utf8only

[req_distinguished_name]
C                   = XX   # Max 2 letters, otherwise it fails
ST                  = xxxxxx
L                   = yyyyyy
O                   = OpenWrt
OU                  = Home Router
CN                  = openwrt

[v3_req]
keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = @alt_names

[alt_names]
DNS.1               = openwrt
IP.1                = 192.168.x.1

If I'm understanding this correctly, a method of making this work would be to leave the myconfig.conf file with default values and make it receive defaults from openssl.cnf? Or am I getting the wrong idea?

This is how my myconfig.conf currently reads:

root@OpenWrt:~# cat /etc/ssl/myconfig.conf
[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
string_mask         = utf8only

[req_distinguished_name]
C                   = US
ST                  = US-NY
L                   = Example
O                   = OpenWrt
OU                  = Home Router
CN                  = luci.openwrt

[v3_req]
keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = @alt_names

[alt_names]
DNS.1               = luci.openwrt
IP.1                = 192.168.2.1
root@OpenWrt:~#

In fact, there are only 3 changes to make to the myconfig.conf file:
C:
ST:
L:

Make sure the values for CN and DNS.1 match, and also that IP.1 has the correct private IP address for the device.

Reading openssl.cnf gives you the instructions for the number of letters, ST: region and L: city. I use these terms because I am in France. You have to adapt them to the names used in your country.

I don't have much knowledge; I learn from my mistakes. Hope this helps.

The uhttpd file should look like this:

config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option redirect_https '1'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'
	option cert '/etc/ssl/mycert.crt'
	option key '/etc/ssl/mycert.key'

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'XX'
	option state 'yyyyyyyyyyy'
	option location 'zzzzzz'
	option commonname 'OpenWrt'

Otherwise, a member will be able to help you.

Have a good day

Thanks, unfortunately I still have the problem. If anyone could troubleshoot further I'd greatly appreciate it.

This is a bashism not supported by ash.

Try it this way:

openssl ecparam -name prime256v1 | tee ec.param
openssl req -x509 -nodes -days 730 -newkey ec:ec.param -keyout mycert.key -out mycert.crt -config myconfig.conf
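The two-step fix above, combined with the CN/DNS.1/IP.1 checks from the earlier reply, as an added example that is not part of this thread or of the OpenWrt guide: it writes a myconfig.conf, generates the ECDSA key and certificate through a parameter file (no bash process substitution, so it runs under ash), and then verifies that the certificate actually carries the fields the browser will check. It assumes the openssl CLI is installed; the hostname, IP and DN values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build the ECDSA LuCI cert the
# POSIX-sh way (no bash <(...) substitution) and verify the fields the
# replies say must line up. Assumes the openssl CLI; values are constructed.
set -eu

# Write a myconfig.conf shaped like the guide's; CN and DNS.1 get the
# same hostname, and IP.1 the router's address.
write_req_conf() {  # $1 = output path, $2 = hostname, $3 = router IP
    cat > "$1" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
prompt             = no
string_mask        = utf8only
[req_distinguished_name]
C  = US
ST = Example-State
L  = Example-City
O  = OpenWrt
OU = Home Router
CN = $2
[v3_req]
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[alt_names]
DNS.1 = $2
IP.1  = $3
EOF
}

# ash has no <(...), so the curve parameters go through a file first,
# exactly as the thread's fix does.
make_cert() {  # $1 = work dir, $2 = hostname, $3 = router IP
    write_req_conf "$1/myconfig.conf" "$2" "$3"
    openssl ecparam -name prime256v1 -out "$1/ec.param"
    openssl req -x509 -nodes -days 730 -newkey "ec:$1/ec.param" \
        -keyout "$1/mycert.key" -out "$1/mycert.crt" \
        -config "$1/myconfig.conf" 2>/dev/null
}

# Confirm CN, DNS SAN, IP SAN and serverAuth EKU; a mismatch here is
# what still makes the browser warn after installing the cert.
check_cert() {  # $1 = cert path, $2 = hostname, $3 = router IP
    t=$(openssl x509 -in "$1" -noout -text)
    echo "$t" | grep -q "CN *= *$2"     || { echo "CN mismatch"; return 1; }
    echo "$t" | grep -q "DNS:$2"        || { echo "no DNS SAN"; return 1; }
    echo "$t" | grep -q "IP Address:$3" || { echo "no IP SAN"; return 1; }
    echo "$t" | grep -q "TLS Web Server Authentication" || { echo "no serverAuth"; return 1; }
}
```

Run `make_cert /etc/ssl luci.openwrt 192.168.2.1 && check_cert /etc/ssl/mycert.crt luci.openwrt 192.168.2.1` on the router, then point uhttpd's `option cert`/`option key` at the resulting files.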

Thank you, this worked perfectly.
