Remove HTTPS certificate warnings won't work

Hello,

I used this tutorial, but it doesn't work for Firefox and Chrome (I've tested no other browsers). Still the same error message as without installing uhttpd and the certificates.

I think it's related to a wrong dns.1 and common name (CN). How can I show the right values?

Best regards

Gillan

If the certificate sits on your OpenWrt device, how is it related to DNSes and FF/Chrome?

Yes, the generated certificate sits on my OpenWrt device via uhttpd. I installed it in Chrome and FF.

Maybe it does not work because of the DNS forward (127.0.0.1#5453) for Stubby?

Ok, what's the actual error message (in English)?

Depends what you're forwarding, and where.

Is it a public cert, or self-signed?


I think it's self-signed. Must be:

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -config myconfig.conf

The error message in Chrome is:

NET::ERR_CERT_AUTHORITY_INVALID

Well, in that case it's a fair warning, since your cert cannot be verified.

Getting rid of the warning isn't really an openwrt issue.

Firefox says:

SEC_ERROR_UNKNOWN_ISSUER

How can I get rid of this?

Get a publicly verifiable cert, or skip HTTPS.
If you have a public IP, you could use acme.sh to achieve this, for free.

How do I know the browser is using the uhttpd server for getting the cert information?

This has nothing to do with the uhttpd web server; the cert is the issue.

Which service would you use for getting a public cert?

I found this:

https://www.cacert.org/index.php?id=1

Ok. Thanks. But where could I find the CN and DNS.1? I used the values mentioned by the tutorial. I don't know if they really match my router's values.

Did you actually install the cert in the computer/web browser you are using to connect to the router?

CN and DNS.1 are free for you to choose, but they have to be publicly (= over the internet) verifiable.

Of course. But if I need a public cert, it's pretty useless. The tutorial should mention it.
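Added example (not code from the thread, from OpenWrt or from uhttpd) showing what CN and DNS.1 have to be and how to check the generated cert before importing it. A browser performs two independent checks on the router's certificate: whether the issuer is trusted (the NET::ERR_CERT_AUTHORITY_INVALID / SEC_ERROR_UNKNOWN_ISSUER errors quoted above) and whether the name or IP typed into the address bar matches the certificate's subjectAltName (DNS.1 / IP.1); modern browsers ignore CN for that match. The hostname `openwrt.lan` and LAN address `192.168.1.1` below are assumptions; replace them with whatever you actually type into the browser to reach the router. The script uses the same `openssl req` command as in the thread, pointed at a config that sets a proper SAN, and then emulates both browser checks with `openssl verify`:

```shell
# Added example: self-signed cert for a LAN router whose SAN matches the
# name/IP used in the browser, plus the checks a browser performs.
# Assumed values (not from the thread): openwrt.lan and 192.168.1.1.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for key, cert and config
HOST="openwrt.lan"              # assumed: hostname typed into the browser
LANIP="192.168.1.1"             # assumed: router LAN address

# Write the openssl config. CN is only cosmetic for current browsers; the
# URL is matched against subjectAltName, so DNS.1 / IP.1 must be right.
write_config() {
  cat > "$WORK/myconfig.conf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_req

[dn]
CN = $HOST

[v3_req]
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = $HOST
IP.1  = $LANIP
EOF
}

# The command from the thread, using the config written above.
gen_cert() {
  write_config
  openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
    -keyout "$WORK/mycert.key" -out "$WORK/mycert.crt" \
    -config "$WORK/myconfig.conf" 2>/dev/null
}

# Print the values the browser actually compares against the URL.
show_names() {
  openssl x509 -in "$WORK/mycert.crt" -noout -subject
  openssl x509 -in "$WORK/mycert.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# Emulate the browser after you imported mycert.crt as trusted:
#  1. trust anchor = the cert itself (-CAfile)
#  2. name in the URL must match DNS.1 (hostname) or IP.1 (dotted quad)
# Returns 0 when both checks pass, 1 otherwise.
check_name() {
  name="$1"
  case "$name" in
    *[!0-9.]*) opt="-verify_hostname" ;;   # contains letters: hostname
    *)         opt="-verify_ip" ;;         # digits and dots only: IP
  esac
  if openssl verify -CAfile "$WORK/mycert.crt" "$opt" "$name" "$WORK/mycert.crt" >/dev/null 2>&1; then
    echo "OK   $name"
    return 0
  else
    echo "FAIL $name"
    return 1
  fi
}

# Without the import (no trust anchor) verification fails even though the
# names match: this is the AUTHORITY_INVALID / UNKNOWN_ISSUER situation.
check_untrusted() {
  ! openssl verify "$WORK/mycert.crt" >/dev/null 2>&1
}

gen_cert
show_names
check_name "$HOST"               # OK: matches DNS.1
check_name "$LANIP"              # OK: matches IP.1
check_name "router.lan" || true  # FAIL: not in SAN, browser still warns
check_untrusted && echo "not trusted until imported (expected)"
```

Both conditions have to hold: importing the cert (or adding a Firefox exception) fixes the issuer error, and a SAN that lists the exact name or IP you use fixes the name error. A cert for `openwrt.lan` will still warn when you browse to `https://192.168.1.1` unless IP.1 is present as well.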

@frollic

Good to know.

Some people mentioned uhttpd is insecure, a security risk. So I won't use it.

With the default settings in uhttpd and the generated self-signed cert with the normal defaults, Firefox just needs an exception to be defined the first time you connect to the router, and the warnings quiet down.

You define an exception by saying that you trust the certificate the router generated for you a few seconds ago, and you are ok to go.

If you want a public cert, you also need a public DNS name etc. (at least DDNS connectivity).

Where? News to me.

Normally the web server for LuCI is only exposed to the LAN side, not to the internet on the WAN, as pretty much all traffic from the WAN is blocked by the firewall, so there aren't that many attack vectors.

No idea why @trendy decided to discourage from installing uhttpd. It is not a large commercial http server, but on the other hand, its functionality is limited, so the exposed functional attack surface would be limited in any case.

PS. Note that trendy was talking about exposing the web server to the internet, not about using it just in the local LAN, like most of us do.

HTTPS works to protect the user from connecting to a man-in-the-middle fake site, and against traffic being eavesdropped.

It does nothing to protect the server from being hacked.
