LuCI with https doesn't work

Hi,

I installed Lede 17.01.4 on a TP-Link router, and I want to use its web interface through https. I followed this doc for it:
https://openwrt.org/docs/guide-user/luci/getting-rid-of-luci-https-certificate-warnings
Unfortunately, I still cannot connect to it with https. I think my cert is correct. I wanted to check logs, but I found no logs! In /var/log there are lastlog and wtmp, but they are empty. According to ps, /sbin/logd -S 64 is running.

More precisely -- what exactly happens?

It's logread CLI command on OpenWrt/LEDE.

"Nothing": the browser cannot connect.

Thanks, it works, but there is nothing about the connection :frowning:

I had the same issue once. HTTPS just stopped working, I don't know what caused it but it resolved itself after a few flashes with the firmware I am using. As a workaround I enabled http access until it got resolved.

Are you using Chrome? Does it occur with any other browser?

The RFC deprecated using the CN for IP & DNS names over two decades ago due to the ability to exploit a connection using a cert with an IP or DNS as its CN. Chrome finally dropped support for IP & DNS names in the CN about a year ago. (I've corrected the wiki linked to in the OP)

  • The correct way to specify IP and DNS names is in the SAN profile. You can utilize the OpenSSL Certificates wiki to generate a self-signed CA to sign the SSL cert with

It should be noted while the luci-ssl packages & the wiki linked to in the OP will generate a self-signed cert, this is the laziest and most insecure way of securing HTTPS, as it opens up the possibility of a MITM attack.

  • While a MITM attack is unlikely on a LAN, the potential exists and will always remain... considering it's quite easy to generate a self-signed CA and use that self-signed CA to sign the SSL cert, there's no reason why this should not be the norm.
  • Either way, you can utilize the OpenSSL Certificates wiki to generate the self-signed CA and signed SSL cert.

Hello,

Thanks. Unfortunately I have the mbedtls-utils package installed, is there a guide for that?

What method does luci-ssl use to generate the self-signed cert? Is there any way to change that process and update it to generate the self-signed cert the correct, secure way?

You can find the script blocks within the /etc/init.d/uhttpd script

There is no such thing as a secure self-signed cert, as, by definition, it lacks a chain of trust, having no way to verify its validity, which makes a MITM attack possible.

While the OpenSSL Certificates wiki is under the VPN section, the exact same steps can be utilized to create a self-signed CA, which can then be used to sign the uhttpd [LuCI] cert (if you were using openssl).

  • Since you're using mbed, I couldn't tell you what the method is for it, as I've never used anything other than openssl

  • If you have multiple routers/servers, it's recommended to create a self-signed master CA that's used exclusively to only sign other ICAs (each router and VPN server should have their own ICA).
    • Chain of Trust:
      • Master CA
        1. Router ICA
          • LuCI Web Server Cert
          • Router VPN ICA
            -- OR --
        2. Router VPN ICA
1 Like
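The two points made above (names belong in the SAN, not the CN, and a private master CA should sign a per-router ICA that in turn signs the LuCI cert) can be exercised end to end with openssl. The script below is an added example, not code from the OpenWrt wiki, from luci-ssl or from anyone in this thread; it assumes openssl 1.1.0 or newer on PATH and a writable scratch directory, and every name, the IP address and the directory are constructed values for the example. It builds the chain Master CA → Router ICA → LuCI cert, then runs the same checks a client runs (chain, DNS name, IP address), and builds an old-style cert with the IP only in the CN to show that no IP check ever consults the CN.

```shell
#!/bin/sh
# Added example (not the wiki's or the project's code): build the chain
#   Home Master CA -> Router ICA -> LuCI server cert (names in SAN)
# and verify it with openssl. Assumes openssl >= 1.1.0. All names, the IP
# and the scratch directory are constructed for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"   # constructed: scratch directory
ROUTER_IP="192.168.1.1"        # constructed: router LAN address
ROUTER_NAME="router.lan"       # constructed: router DNS name

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"

# Key + CSR for one entity. $1 = file stem, $2 = CN (overrides the placeholder).
csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign a CSR. $1 = stem, $2 = issuer stem or "self", $3 = extension lines.
# Extensions come from an extfile so nothing in the CSR is trusted blindly.
sign() {
    printf '%b' "$3" > "$WORK/$1.ext"
    if [ "$2" = self ]; then
        openssl x509 -req -sha256 -days 3650 -in "$WORK/$1.csr" \
            -signkey "$WORK/$1.key" -extfile "$WORK/$1.ext" \
            -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 825 -in "$WORK/$1.csr" \
            -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
            -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
    fi
}

build_chain() {
    # Master CA: self-signed, used only to sign ICAs, never a server cert.
    csr ca "Home Master CA"
    sign ca self 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
    # Router ICA: pathlen:0 so it can issue leaf certs but no further CAs.
    csr ica "Router ICA"
    sign ica ca 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n'
    # LuCI cert: DNS name and IP in subjectAltName; the CN is informational.
    csr luci "$ROUTER_NAME"
    sign luci ica "basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:$ROUTER_NAME,IP:$ROUTER_IP\n"
    # Old-style cert for comparison: IP only in the CN, no SAN at all.
    csr cnonly "$ROUTER_IP"
    sign cnonly ica 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n'
}

# Chain check: leaf -> ICA (supplied, untrusted) -> master CA (trust anchor).
chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/ica.crt" \
        "$WORK/$1.crt" >/dev/null 2>&1
}
# Name checks as a client performs them: dNSName and iPAddress SAN entries.
host_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/ica.crt" \
        -verify_hostname "$ROUTER_NAME" "$WORK/$1.crt" >/dev/null 2>&1
}
ip_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/ica.crt" \
        -verify_ip "$ROUTER_IP" "$WORK/$1.crt" >/dev/null 2>&1
}

# Stand-alone run: build everything and report each check.
if [ "${1:-}" = run ]; then
    build_chain
    for stem in luci cnonly; do
        for check in chain_ok host_ok ip_ok; do
            if "$check" "$stem"; then echo "$stem: $check OK"; else echo "$stem: $check FAIL"; fi
        done
    done
    echo "files in $WORK"
fi
```

Run it as `sh chain.sh run`. The SAN cert passes all three checks; the CN-only cert chains fine but fails the IP check, because an IP address is never looked up in the CN, only in SAN iPAddress entries (openssl does still fall back to the CN for DNS names, which is the legacy behaviour browsers such as Chrome have dropped). To use the result, the server needs `luci.key` plus `luci.crt` with `ica.crt` appended so clients receive the intermediate, and the browser needs only `ca.crt` imported as a trust anchor; the master CA key should then go offline.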