Luci/httpd busted after trying to move to https://

Linksys WRT1200AC running Lede git from a few days ago.

Botched something, and uhttpd is running:

2938 root 3180 S /usr/sbin/uhttpd -f -h /www -r bogon-gateway-1 -x /cgi-bin -u /ubus -t 60 -T 30 -k 20 -A 1 -n 3 -N 100 -R -C /etc/uhttpd.crt -K /etc/uhttpd.key -s 0.0.0.0:443 -s [::]:443 -q

Chrome and Firefox refuse to connect because it's (apparently) an unrecognized self-signed key, and wget reports a 403 Forbidden.

I have ssh access to it, and it is routing packets OK. I also have a backup sysupgrade.bin which I can't load via Luci for obvious reasons. I'm unable to figure out where uhttpd is being told to listen on 443 with SSL, so I can whack it to use http on port 80 which should then work.

Any hints where to crowbar this in the twisty maze of symlinks, or otherwise persuade it to play nice?

To quote Emily Litella from SNL: "Nevermind".

Applied a sledgehammer to /etc/config/uhttpd and got things back enough for now. :)
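As an added example (not part of any post in this thread): a small shell helper that lists the settings in /etc/config/uhttpd that decide whether the web UI listens on plain HTTP or on TLS. The sample config is constructed to mirror the command line quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the uhttpd UCI settings that decide HTTP vs HTTPS.

# Constructed sample mirroring the command line quoted above
# (-s -> listen_https, -C -> cert, -K -> key, -q -> redirect_https).
sample_config() {
    cat <<'EOF'
config uhttpd 'main'
    list listen_https '0.0.0.0:443'
    list listen_https '[::]:443'
    option redirect_https '1'
    option home '/www'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'
EOF
}

# Print "name value" for each listener/TLS setting in the given config
# (default: /etc/config/uhttpd). Quotes around values are stripped.
uhttpd_listeners() {
    awk -v q="'" '
        ($1 == "list" || $1 == "option") &&
        $2 ~ /^(listen_http|listen_https|cert|key|redirect_https)$/ {
            val = $3
            gsub("[\"" q "]", "", val)
            print $2, val
        }
    ' "${1:-/etc/config/uhttpd}"
}

# Exit status 0 if a plain-HTTP listener exists, non-zero otherwise.
# A plain listener appears as e.g.:  list listen_http '0.0.0.0:80'
has_plain_http() {
    uhttpd_listeners "$1" | grep -q '^listen_http '
}

# Demo on the constructed sample.
cfg=$(mktemp)
sample_config > "$cfg"
uhttpd_listeners "$cfg"
has_plain_http "$cfg" || echo "no plain-HTTP listener: web UI is served over TLS only"
rm -f "$cfg"
```

On a router, call `uhttpd_listeners` with no argument to read the live /etc/config/uhttpd over ssh.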

You can define an exception in Firefox to stop it from complaining about the router's self-signed certificate.

If you are using a new 16.0 version of Firefox mobile, you will find it impossible to get it to recognise the default uhttpd certificate. To overcome this you need to do two things. Firstly, create a new self-signed CA cert and get this into Firefox mobile's root CA store. Secondly, use this CA cert to sign a server certificate and add the correct PKIX X.509v3 extensions, then install this cert as the uhttpd cert.

I found that the easiest way to do this was to use the easy-rsa CA software. This is available as a package for OpenWrt and other Linux distros. However, you will need it to be at least version 3.0.

Set up your CA and then use the following command to generate a server cert.

./easyrsa --subject-alt-name=DNS:your.router.fqdn,IP:xxx.yyy.zzz.www build-server-full peglegpete nopass

The only way you can get a CA cert into Firefox mobile is to download it from a web server that serves it up with the correct MIME type. I did this by copying the easy-rsa ca.crt into a directory under the web root of an Apache server, along with an .htaccess file with the following line in it.

AddType application/x-x509-ca-crt .crt

Have fun!