[solved] Err_cert_authority_invalid

You're arguing a point that has zero to do with this thread. This thread is about a LAN SIDE uhttpd cert for LuCI.

You're treating that discussion as if it's regarding a WAN side cert issued by a public or commercial CA/ICA for a WAN facing website...

1 Like

Dude, you are taking me wrong. Yes, a CA won't give a certificate for that, I know this.

But I am really not getting it: guys who are no doubt with too much knowledge couldn't find a way to secure your LAN sites in such?

OK, I will demonstrate live with you. We'll take a certificate for your public domain and use that domain name on your LAN.
OK?

Can I demonstrate? Give me anyadmin or something, I'll show you.

LOL

TO WHAT SYSTEM?

Dude, if you want to see, it's your call. I am here only.

Please, follow through and just answer:

(You do know it's moot, because you trust the CA, right? :smile: )

No one with root CA access can access anyone's server.
I don't think I should continue this discussion after seeing your reply... hahah

1 Like

Then why do you suggest the purchase of a CA cert for every router on planet Earth?

Or acquiring a domain name?

Take this up with the OpenWrt devs who maintain the OpenWrt Git repo, as they've been made aware repeatedly that

  1. A self-signed cert for LuCI opens the user to a MITM attack, and while it's a less probable scenario on a LAN, the risk is still there

  2. It's insanely easy to fix by adding the proper commands to /etc/init.d/uhttpd so that uhttpd auto-generates a self-signed CA, then uses that CA to sign its cert (a whopping total of 3 command strings)
    • My philosophy: take the time, don't half-ass it, and do it right the first time around

This would require OpenWrt to be configured with a local domain of com, thereby breaking internet access for downstream devices.

2 Likes

Do you just want to continue this discussion?

I never asked to buy a certificate (read about Let's Encrypt).

I never asked to buy a different certificate. There are wildcard certificates / or the purpose that I want the certificate for is to authenticate the router; you can use the same certificate too, dude.

Dude, I can't explain to you, sorry... I quit and can't reply to you for this thread.

I also mentioned needing to acquire a domain name for that cert.

You also have not proved the instructions you said you would provide. I know about Let's Encrypt!

This is invalid to issue on the Public Internet (hence needing a domain name)! WTF!!!

What is invalid?

Then why are you always saying about purchase?

Once again...I think you need to study...

The issuance of a wildcard cert to anyone on the Public Internet - is invalid.

Let's Encrypt, or any commercial CA / ICA, CANNOT sign a certificate for RFC1918 (LAN) IP addresses... it is not possible, period.

  • I'd be surprised if this was also not disallowed in the RFC.

2 Likes

Dude, no one can issue for LAN, I know.

Leave it, yaar. If you ever need one, I'll show you for sure, dude.

Let's stop this discussion.

@JW0914 I'll tell you, @lleachii might not trust even after a demo.

You really don't get it...

  • So not only do you trust PKI for LAN
  • You want them ALL to issue * certs to ANYONE ON PLANET EARTH!!!

BEWARE OF @arjuniet and this theory for devices you own!

thx @lleachii was expected

Yes, it should have been excepted: