Not Secure @ Login

Does anyone know the simplest way to install a root certificate into my router? I have an R7800 with LEDE Reboot 17.01.4 installed. I tried to follow this wiki (How to get rid of LuCI https certificate warnings) but got turned around when trying to create the myconfig. I am new to this but am not afraid of ssh'ing. I will be using terminal to ssh, by the way. Thanks ahead of time for any help.

Link...

https://lede-project.org/docs/user-guide/getting-rid-of-luci-https-certificate-warnings

Take your time and read it over as many times as you need to...but it's mostly "cut and paste".

Ok. I will give it another go.

If you are a Windows user, download and run WinSCP...

https://winscp.net/eng/download.php

You could use Notepad to create the myconfig.conf file in Step 3, and then copy it to /etc/ssl using WinSCP.

Copy the example of myconfig.conf and paste it into Notepad (or your favorite text editor) and modify the sections that pertain to you.

You can also use PuTTY to do the SSH connection...

http://www.putty.org/

Getting this error:
root@R7800:~# openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -config myconfig.conf
error on line -1 of myconfig.conf
3069273280:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('myconfig.conf','rb')
3069273280:error:2006D080:lib(32):func(109):reason(128):NA:0:
3069273280:error:0E078072:lib(14):func(120):reason(114):NA:0:

If your router actually acts as your internet gateway, luci-app-acme might be another option, as it automatically fetches a real (Let's Encrypt) certificate (that requires you to actually own a domain name, though).


Post your myconfig.conf file.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = GA
L = R7800
O = Home
OU = Router
CN = 192.168.1.1
[v3_req]
# keyUsage for a TLS server normally also includes digitalSignature
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# DNS.n entries are for hostnames; the address itself is covered by IP.1
DNS.1 = 192.168.1.1
IP.1 = 192.168.1.1

One other question: the other config files in my ssl folder have an extension of .cnf, but in the LEDE wiki it said to use .conf. Will that make a difference?

There are a bunch of files with the .conf extension...

What are the owner and permissions on myconfig.conf?

@rxman4453 Yes, it should end in .cnf, not .conf (it should also be openssl.cnf in the wiki, not myconfig.cnf)

The wiki also creates an insecure, self-signed cert which isn't acceptable.

  • While it's unlikely this would ever pose a threat to an arbitrary home user, if one is going to do something, do it right the first time around.

I created a custom openssl.conf with security in mind a while back, containing all information & commands required (beginning on line 430).

  • The CA and certs should not be generated on the router, but on a separate device, such as a PC, however one can utilize opkg update && opkg install openssl-util to install openssl on the router.
    • If utilizing the router, the openssl.conf needs to be saved at /etc/ssl/openssl.conf

    • OpenSSL doesn't create binaries, so if you opt for the PC, I always recommend installing OpenVPN, which will install the OpenSSL binaries.

      • If installing OpenVPN, I recommend adding C:\Program Files\OpenVPN\bin\ to your Path in Windows, which will allow you to issue openssl commands in any PowerShell/Command Terminal
        • Control Panel\System and Security\System > Advanced System Settings > Advanced > Environment Variables... > System Variables > Path

I appreciate all the help, gentlemen. It was just kind of annoying seeing that "not secure" popup every time I would log on to my router. I will probably just leave it as is.

Speaking of confusing file extensions, you have it named openssl.cnf on GitHub...

@jwoods, thanks for catching that, I mis-typed it in my post, which has been corrected.

@rxman4453 It's not recommended to leave it as is because it's a security risk, hence the security warning. You're getting the warning because the current SSL cert being used by uhttpd is self-signed, and as such, has no chain of trust. Self-signed certs should never be used for a server, period.

  • I don't feel like getting into the weeds, but a google search will provide explanations why one should create a self-signed CA, or CA and ICA, then use that CA or ICA to sign the SSL cert.

You may be thinking it's way too complicated; however, all that needs to be done to my openssl.cnf is to customize the following lines to your environment:

  1. 157 - 161 (after the = sign)
  2. 183 (Name your CA, replacing Router.1)
  3. 202 (change sophos to your router's model #/name)
  4. 203 (LAN IP of your router)
  5. 205 (Local Domain Name of your router)
  6. 206 (If you have DDNS set up, your ddns. else delete this line)
  7. 342 (change sophos to name chosen for 202)
  8. 348 (change sophos to name chosen for 202)

Perform commands on Lines:

  1. 438
  2. 443
  3. 448
  4. 453
  5. 496
  6. 557
    • Customize the command accordingly (i.e. change NextCloud to the name of your cert, change 3072 to 2048, and v3_nextcloud to name from Line 342, etc.)
      • Once the command is issued, you'll be asked to enter the Subject info for the cert, which should reflect the changes made on Lines 157 - 161.
        • Due to the SAN [SubjectAltName] (Lines 202 - 206), the Common Name can be whatever you like (for example: WRT1900ACS Web Admin)
  7. 565 (same bullet above applies)

Certs:

  1. Open the CA cert and SSL cert in a notepad, then copy the output from the CA cert below the SSL cert's output and save the changes made.
  2. Add the CA to your Trusted Root Certificate Authorities in Windows Certificate Manager.
    1. Right click on certificate, select Install Certificate
    2. Select Local Machine, then Place all certificates... > Browse > Trusted Root Certificate Authorities > OK
  3. Restart uhttpd: /etc/init.d/uhttpd restart
  4. Close all browser windows, re-open, and you should receive a green Secure lock in the left hand corner of the address bar.
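The procedure in the post above, carried end to end on a PC, as an added example written for this page (it is not JW0914's openssl.cnf nor any file from the thread): a private CA, a server CSR carrying SANs, the CA-signed leaf, the leaf-plus-CA chain file uhttpd serves, and the checks worth running before copying anything to the router. The CA name, the hostname router.lan, the IP 192.168.1.1, the key sizes and the scratch directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + CA-signed server cert
# for a LEDE router's uhttpd. All names below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch dir; keep ca.key out of the router
ROUTER_IP="192.168.1.1"           # assumed LAN IP of the router
ROUTER_HOST="router.lan"          # assumed local hostname of the router
CA_NAME="Home Router CA"          # assumed CA name

# The file name given to -config is arbitrary (.cnf or .conf both work);
# openssl just opens the path you pass, relative to the current directory.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $CA_NAME
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed CA: only ca.crt is ever distributed, ca.key stays offline.
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

make_server_cert() {
  cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_server
prompt = no
[dn]
C = US
ST = GA
O = Home
OU = Router
CN = $ROUTER_HOST
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $ROUTER_HOST
IP.1 = $ROUTER_IP
EOF
  # CSR with the router's key; browsers match the SAN, not the CN.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/server.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr"
  # Sign with the CA. x509 -req does not copy CSR extensions by default,
  # so the SAN section is supplied again via -extfile/-extensions.
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 730 -sha256 \
    -extfile "$WORK/server.cnf" -extensions v3_server -out "$WORK/server.crt"
  # Chain file for uhttpd: leaf first, issuing CA appended below it.
  cat "$WORK/server.crt" "$WORK/ca.crt" > "$WORK/server-chain.crt"
}

# Checks to run before copying files to the router.
verify_chain()     { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null; }
cert_has_san()     { openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "IP Address:$ROUTER_IP"; }
ca_is_ca()         { openssl x509 -in "$WORK/ca.crt" -noout -text | grep -q "CA:TRUE"; }
chain_cert_count() { grep -c "BEGIN CERTIFICATE" "$WORK/server-chain.crt"; }
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}
# Fingerprint to compare against what the Windows certificate dialog shows.
ca_fingerprint()   { openssl x509 -in "$WORK/ca.crt" -noout -fingerprint -sha256; }

build_all() {
  make_ca
  make_server_cert
  printf 'CA cert:    %s/ca.crt\nChain file: %s/server-chain.crt\nKey:        %s/server.key\n' \
    "$WORK" "$WORK" "$WORK"
  ca_fingerprint
}

build_all
```

server-chain.crt and server.key go to the cert and key paths referenced in /etc/config/uhttpd on the router, followed by /etc/init.d/uhttpd restart; ca.crt (never ca.key) is what gets imported into Trusted Root Certification Authorities, and the printed fingerprint should match the one shown when importing. The fopen error earlier in the thread is this same kind of path problem: openssl could not open the file named after -config from the directory the command was run in.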

Good to find someone with a deep insight.

I build my own CA, so I wanted to know:
What are the minimum packages I need to install to have SSL working?
Is there a way to set up an OCSP responder on LEDE?

Great job JW0914 but why is this NOT in the Documentation?