LuCI with https doesn't work


I installed Lede 17.01.4 on a TP-Link router, and I want to use its web interface through https. I followed this doc for it:
Unfortunately, I still cannot connect to it with https. I think, my cert is correct. I wanted to check logs, but I found no logs! In /var/log there are lastlog and wtmp, but they are empty. According to ps, /sbin/logd -S 64 is running.

More precisely -- what exactly happens?

It's logread CLI command on OpenWrt/LEDE.

"nothing" Browser cannot connect.

Thanks, it works, but there is nothing about the connection :frowning:

I had the same issue once. HTTPS just stopped working, I don't know what caused it but it resolved itself after a few flashes with the firmware I am using. As a workaround I enabled http access until it got resolved.

Are you using Chrome? Does it occur with any other browser?

The RFC depreciated using the CN for IP & DNS names over two decades ago due to the ability to exploit a connection using a cert with an IP or DNS as it's CN. Chrome finally dropped support for IP & DNS names in the CN about a year ago. (I've corrected the wiki linked to in the OP)

  • The correct way to specify IP and DNS names are in the SAN profile. You can utilize the OpenSSL Certificates wiki to generate a self-signed CA to sign the SSL cert with

It should be noted while the luci-ssl packages & the wiki linked to in the OP will generate a self-signed cert, this is the laziest and most insecure way of securing HTTPS, as it opens up the possiblity of a MITM attack.

  • While a MITM attack is unlikely on a LAN, the potential exists and will always remain... considering it's quite easy to generate a self-signed CA and use that self-signed CA to sign the SSL cert, there's no reason why this should not be the norm.
  • Either way, you can utilize the OpenSSL Certificates wiki to generate the self-signed CA and signed SSL cert.


Thanks. Unfortunately I have the mbedtls-utils package installed, is there a guide for that?

What method does luci-ssl use to generate the self-signed cert? Is there any way to change that process and update it to generate the self-signed cert the correct, secure way?

You can find the script blocks within the /etc/init.d/uhttpd script

There is no such thing as a secure self-signed cert, as, by definition, it lacks a chain of trust, having no way to verify it's validity, of which makes a MITM attack possible.

While the OpenSSL Certificates wiki is under the VPN section, the exact same steps can be utilized to create a self-signed CA, which can then be used to sign the uhttpd [LuCI] cert (if you were using openssl).

  • Since you're using mbed, I couldn't tell you what the method is for it, as I've never used anything other than openssl

  • If you have multiple routers/servers, it's recommended to create a self-signed master CA that's used exclusively to only sign other ICAs (each router and VPN server should have their own ICA).
    • Chain of Trust:
      • Master CA
        1. Router ICA
          • LuCI Web Server Cert
          • Router VPN ICA
            -- OR --
        2. Router VPN ICA
1 Like