Hi all.
I'd like to add a certificate to my Firefox browser so that I stop getting the "incorrect certificate" warning every time I open the router's web interface.
Recently I found this article,
so what I did:
I created new key/cert pair
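# Generate a self-signed key/certificate pair for the router's web interface.
# -nodes leaves the private key unencrypted so uhttpd can load it without a passphrase.
# NOTE(review): -days 5397 (~14.8 years) is far beyond what TLS clients accept today;
# Apple platforms reject server certificates valid for more than 825 days and the
# CA/Browser Forum baseline is 398 days — use 398 or less if the certificate is rejected.
# NOTE(review): Firefox matches the certificate against subjectAltName only (the CN is
# ignored), so myconfig.conf must carry "subjectAltName = IP:192.168.34.1" (the LuCI
# address); if it does not, add -addext "subjectAltName=IP:192.168.34.1" to this command.
openssl req -x509 -nodes -days 5397 -newkey rsa:2048 \
  -keyout mycert1.key -out mycert1.crt -config myconfig.conf
# Bundle key and certificate into a PKCS#12 file. This file contains the PRIVATE key —
# it belongs on the server side only; a browser needs just mycert1.crt to trust the site.
openssl pkcs12 -export -out mycert1.pfx -inkey mycert1.key -in mycert1.crt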
installed .pfx on my system.
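# Add the certificate as a trusted CA ("C" = trusted to issue SSL server certs) to the
# shared NSS database. Quote the path so a $HOME containing spaces does not split it.
# NOTE(review): $HOME/.pki/nssdb is the database Chromium/Chrome consults; Firefox keeps
# its own cert9.db inside its profile directory and does not read this one, so this step
# has no effect on Firefox. Import mycert1.crt into Firefox under
# Settings > Privacy & Security > Certificates > Authorities instead — the .crt, not the
# .pfx, which lands under "Your Certificates" as a client certificate and does not make
# the server trusted.
certutil -d "sql:$HOME/.pki/nssdb" -A -t "CT,C,c" -n LuCI -i mycert1.crt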
copied the new pair to my router and configured uhttpd to use it
added mycert1.pfx to Firefox browser
But nothing has changed; Firefox still warns about that certificate every time.
Where was my mistake?
Thanks in advance.
brada4
August 26, 2024, 12:30pm
Please connect to your OpenWrt device using ssh, run the following commands, and post their output here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/uhttpd
Here they are:
ubus call system board
{
"kernel": "5.15.150",
"hostname": "mthost34",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "MikroTik hAP ac2",
"board_name": "mikrotik,hap-ac2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "ipq40xx/mikrotik",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '444444444444444444444'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option macaddr 'AA:AA:AA:AA:AA:AA'
option stp '1'
config device
option name 'lan1'
option macaddr 'AA:AA:AA:AA:AA:AA'
config device
option name 'lan2'
option macaddr 'AA:AA:AA:AA:AA:AA'
config device
option name 'lan3'
option macaddr 'AA:AA:AA:AA:AA:AA'
config device
option name 'lan4'
option macaddr 'AA:AA:AA:AA:AA:AA'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.34.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.34.1'
config device
option name 'wan'
option macaddr 'BB:BB:BB:BB:BB:BB'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option name 'phy0-ap0'
option macaddr 'CC:CC:CC:CC:CC:CC'
config device
option name 'phy1-ap0'
option macaddr 'DD:DD:DD:DD:DD:DD'
cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/a000000.wifi'
option channel '4'
option band '2g'
option htmode 'HT40'
option txpower '16'
option cell_density '0'
option noscan '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid '11'
option encryption 'sae-mixed'
option key '1111111111111111'
option wpa_disable_eapol_key_retries '1'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/a800000.wifi'
option channel '40'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option txpower '12'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid '22222'
option encryption 'sae-mixed'
option key '22222222222222222'
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '/use-application-dns.net/'
list server '127.0.0.1#5053'
list server '127.0.0.1#5054'
list server '127.0.0.1#5055'
list interface 'lan'
list notinterface 'wan'
list notinterface 'wan6'
option doh_backup_noresolv '-1'
option noresolv '1'
list doh_backup_server '/mask.icloud.com/'
list doh_backup_server '/mask-h2.icloud.com/'
list doh_backup_server '/use-application-dns.net/'
list doh_backup_server '127.0.0.1#5053'
list doh_backup_server '127.0.0.1#5054'
list doh_server '127.0.0.1#5053'
list doh_server '127.0.0.1#5054'
list doh_server '127.0.0.1#5055'
config dhcp 'lan'
option interface 'lan'
option start '50'
option limit '150'
option leasetime '20m'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option force '1'
list dhcp_option '4,192.168.34.1'
list dhcp_option '42,192.168.34.1'
list dhcp_option '5,192.168.34.1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Block outgoing DNS grom WAN to 53'
option direction 'out'
option device 'wan'
option dest '*'
option dest_port '53'
option target 'DROP'
config rule
option name 'Block forward DNS from LAN to WAN to port 53'
option src 'lan'
option dest 'wan'
option dest_port '53'
option target 'DROP'
config redirect 'dns_int'
option name 'Redirect-DNS-requests-to-router'
option src 'lan'
option src_dport '53'
option proto 'tcp udp'
option family 'any'
option target 'DNAT'
config redirect
option target 'DNAT'
option name 'Redirect-NTP-requests-to-router'
option family 'any'
option src 'lan'
option src_dport '123'
list proto 'tcp'
list proto 'udp'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
cat /etc/config/uhttpd
config uhttpd 'main'
list listen_http '192.168.34.1:34567'
list listen_https '192.168.34.1:45678'
option redirect_https '1'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
# option cert '/etc/uhttpd.crt'
# option key '/etc/uhttpd.key'
option cert '/etc/mycert1.crt'
option key '/etc/mycert1.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
config cert 'defaults'
option days '730'
option key_type 'ec'
option bits '2048'
option ec_curve 'P-256'
option country 'ZZ'
option state 'Somewhere'
option location 'Unknown'
option commonname 'OpenWrt'
brada4
August 26, 2024, 2:22pm
If it is not obvious: remove /etc/uhttpd.key and /etc/uhttpd.crt and uhttpd will regenerate them with valid parameters (taken from the `config cert 'defaults'` section at the end of /etc/config/uhttpd). I leave it to you as an exercise to read the CA/Browser Forum issuer requirements and work out why your certificate is rejected even after being saved.
mk24
August 26, 2024, 2:48pm
I've never had to do anything in Firefox other than click "Accept the risk and continue" once. The browser then stores an exception for that self-signed certificate tied to the exact address and port you connected to. This is actually safer than installing a trusted root certificate on your endpoint: anyone who holds the private key of that root can create and sign certificates that impersonate any website to you. Note also that the .pfx you imported bundles the server's private key, so that key now lives on your client machine as well — the browser only needs the .crt to trust the site.
The same happens when turning on SSL in the OpenWrt web interface: the certificate is generated according to the last part of the /etc/config/uhttpd file.
uhttpd.key/.crt were generated automatically.
If this process (generating and configuring the certificate) were clear to me, I would never have come here.
What about that link? Is the information in it correct?
brada4
August 26, 2024, 4:02pm
The CA/Browser Forum requires a much shorter validity than the 5397 days you specified (at most 398 days for TLS server certificates), and Apple clients outright reject server certificates that are valid for too long (more than 825 days). Two other things to check for Firefox specifically: the certificate must carry a subjectAltName for the address you browse to (here IP:192.168.34.1) because Firefox ignores the CN, and mycert1.crt must be imported under "Authorities" with "Trust this CA to identify websites" ticked — importing the .pfx only installs it as a client certificate under "Your Certificates", which does not make the server trusted.