"Open or Forward LUCI Port for external access."?

ChrisS · May 10, 2020, 4:25pm

In the directions for How to run (acme.sh) on OpenWRT, the 4th and final item says:

What does this piece of shorthand mean? It's not clear to me how to do what the directions are asking me.

shm0 · May 10, 2020, 4:38pm

Hi!
I think the openwrt acme script wrapper automatically opens the port(s).
Line 123-124

github.com

openwrt/packages/blob/openwrt-19.07/net/acme/files/run.sh

#!/bin/sh
# Wrapper for acme.sh to work on openwrt.
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.
#
# Author: Toke Høiland-Jørgensen <toke@toke.dk>

CHECK_CRON=$1
ACME=/usr/lib/acme/acme.sh
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
export NO_TIMESTAMP=1

UHTTPD_LISTEN_HTTP=
STATE_DIR='/etc/acme'
ACCOUNT_EMAIL=
DEBUG=0
NGINX_WEBSERVER=0

This file has been truncated. show original

ChrisS · May 10, 2020, 4:46pm

There is no run.sh on my openWRT installation that I can find.

I'm slightly borked right now. Chrome doesn't even recognize 192.168.1.1 at all. It doesn't even fail the certificate. It just says:

I'm convinced this is because I haven't completed the 4th item in the directions, Open or Forward LUCI Port for external access.

shm0 · May 10, 2020, 5:07pm

You don't have: /usr/lib/acme/run-acme ?
This script should be automatically called.
I use dns api, so I have no experience with standalone mode.
But as I understand this, acme starts/modify the existing uhttpd config, so letsencrypt can verify everything?
What does the acme log show? (Enable debug logging)
And I also recommend to use staging when testing around otherwise it is possible that letsencrypt will block you for 1 hour.

ChrisS · May 10, 2020, 6:26pm

Yes, the system has /usr/lib/acme/run-acme (which is not the same as run.sh). Ok, I enabled debug logging on the ACME certificates page and restarted acme with /etc/init.d/acme start. However, I am not finding a log file with find / -print | grep acme.sh.log. Anyways, I can't find a log for acme.

I rebooted and Chrome now finds 192.168.1.1 but fails on the certificate. Firefox also fails the certificate but I can walk past the failure on Firefox but not on Chrome.

That said, what does Open or Forward LUCI Port for external access mean?

krazeh · May 10, 2020, 6:32pm

I assume your router is 192.168.1.1? Are you trying to access it from outside your local network?

ChrisS · May 10, 2020, 6:33pm

I'm only trying to access it inside my local area network.
What I'm really trying to do is use https for LUCI inside my local area network.

krazeh · May 10, 2020, 6:34pm

Then you're not needing external access so you don't need to open or forward any ports.

SSH into your router and paste the output of 'cat /etc/config/acme' here. Remove any personal info like emails or passwords and use the 'preformatted text' option (its the </> above the text box).

ChrisS · May 10, 2020, 7:02pm

That's what I thought as well. However, the directions really should mention that this step is optional.

Any guess as to why the certificate is still bouncing? I rebooted and I'm still not seeing an acme log file.

At this point, I think I must have borked something and so I am going to re-install and start over with a fresh openWRT.