[solved] Err_cert_authority_invalid

Take this up with the OpenWrt devs who maintain the OpenWrt Git repo, as they've been made aware repeatedly that

  1. A self-signed cert for LuCI opens the user to a MITM attack, and while it's a less probable scenario on a LAN, the risk is still there

  2. It's insanely easy to fix by adding the proper commands to /etc/init.d/uhttpd so that uhttpd auto-generates a self-signed CA, then uses that CA to sign its cert (a whopping total of 3 command strings)
    • My philosophy: take the time, don't half-ass it, and do it right the first time around
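The three-step procedure this post describes (a local CA generated on the router, and the uhttpd server certificate signed by that CA instead of being self-signed), written out as an added example for this thread rather than code from OpenWrt or from the uhttpd init script. The hostname openwrt.lan, the address 192.168.1.1 and the scratch directory are assumptions; the last function is the check a client performs, which is exactly where a bare self-signed server cert produces ERR_CERT_AUTHORITY_INVALID.

```shell
#!/bin/sh
# Added example (not OpenWrt's or uhttpd's own code): a local CA that signs the
# LuCI server certificate, so clients only need to trust the CA cert once.
# Hostname, IP and working directory are assumptions for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"              # scratch dir (assumed; on a device use a persistent path)
LUCI_HOST="${LUCI_HOST:-openwrt.lan}"     # assumed LuCI hostname
LUCI_IP="${LUCI_IP:-192.168.1.1}"         # assumed LAN address of the router

# Step 1: create the local CA. Its private key never leaves the router.
make_local_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = OpenWrt Local CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: create the server key and CSR, then let the CA sign it. The SAN carries
# both the hostname and the LAN IP, because browsers match SAN entries, not the CN.
make_server_cert() {
  cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $LUCI_HOST
EOF
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LUCI_HOST, IP:$LUCI_IP
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/server.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: the client-side check. Returns 0 only if the server cert chains to the
# local CA AND is valid for both the hostname and the IP the browser connects to.
verify_server_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$LUCI_HOST" \
    "$WORK/server.crt" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$LUCI_IP" \
    "$WORK/server.crt" >/dev/null 2>&1 || return 1
  return 0
}

make_local_ca
make_server_cert
verify_server_cert && echo "server cert chains to the local CA and matches $LUCI_HOST / $LUCI_IP"
```

Only ca.crt is handed to clients (imported as a trusted root once); server.crt and server.key are the pair uhttpd serves, and the CA key stays on the router. Because the CA cert carries pathlen:0 and the server cert is marked CA:FALSE, a compromised server key cannot be used to mint further certificates under that root.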

This would require OpenWrt to be configured with a local domain of com, thereby breaking internet access for downstream devices.

2 Likes

do you just want to continue this discussion

i never asked to buy a certificate (read about Let's Encrypt)

i never asked to buy a different certificate, there are wildcard certificates / or the purpose that i want the certificate for is to authenticate the router, you can use the same certificate too dude

dude i cant explain it to you sorry ... i quit and cant reply to you on this thread

I also mentioned needing to acquire a domain name for that cert.

You also have not provided the instructions you said you would provide. I know about Let's Encrypt!

This is invalid to issue on the Public Internet (hence needing a domain name)! WTF!!!

what is invalid ?

then why are you always saying about purchase

Once again...I think you need to study...

The issuance of a wildcard cert to anyone on the Public Internet - is invalid.

Let's Encrypt, or any commercial CA / ICA, CANNOT sign a certificate for RFC1918 (LAN) IP addresses... it is not possible, period.

  • I'd be surprised if this was also not disallowed in the RFC.
2 Likes

dude no one can issue for lan , i know

leave yaar , if you ever need one i ll show you for sure dude

lets stop this discussion

@JW0914 i ll tell you @lleachii might not trust even after demo

You really don't get it...

  • So not only do you trust PKI for LAN
  • You want them ALL to issue * certs to ANYONE ON PLANET EARTH!!!

BEWARE OF @arjuniet and this theory for devices you own!

thx @lleachii was expected

Yes, it should have been expected:

when anyone buys a router
Install firmware
Get internet
install ssl libraries

forget all other things

register a domain and get wildcard certificate for that for free

after that ask me how to use this certificate on private lan , you can even google

if not i ll install for you . if unsuccessful i will quit this group if installed successfully @lleachii ( anything you want to say ? )

OK...I understand...let me ask you:

When you say Wildcard ...do you mean ROOT DNS DOMAIN?

Because that's what I understand, and you are not owner of ROOT DOMAIN, so you cannot receive such a cert.

if you have a domain openwrt.org for example , if not an eTLD like gov.fr or other , a CA can issue a *.openwrt.org certificate for you

you can use it on any subdomains anything.openwrt.org
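What a *.openwrt.org wildcard actually covers, as an added example for this thread (not code from the post or from OpenWrt): a throwaway self-signed test certificate whose only SAN is the wildcard, checked with openssl's own hostname verification. The certificate is its own trust anchor for openssl verify, so only the name-matching rule is exercised; the hostnames tried are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: which names a *.openwrt.org wildcard matches. The certificate is
# a constructed self-signed test cert; the scratch directory is an assumption.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir (assumed)

# Build a self-signed cert whose only SAN entry is the wildcard. Deliberately no
# bare "DNS:openwrt.org" entry, so the base-domain case can be observed.
make_wildcard_cert() {
  cat > "$WORK/wild.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = *.openwrt.org
[ext]
subjectAltName = DNS:*.openwrt.org
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/wild.cnf" -keyout "$WORK/wild.key" -out "$WORK/wild.crt" 2>/dev/null
}

# Returns 0 when the cert is valid for hostname $1 (the check a browser makes
# after it has validated the chain), non-zero otherwise.
matches_host() {
  openssl verify -CAfile "$WORK/wild.crt" -verify_hostname "$1" \
    "$WORK/wild.crt" >/dev/null 2>&1
}

make_wildcard_cert
# A wildcard matches exactly one label: luci.openwrt.org yes, openwrt.org itself
# no, a.b.openwrt.org no, and of course nothing under another domain.
for host in luci.openwrt.org openwrt.org a.b.openwrt.org openwrt.com; do
  if matches_host "$host"; then echo "$host: covered"; else echo "$host: NOT covered"; fi
done
```

In practice a wildcard cert is issued with a second SAN for the bare domain, which is why the base-domain case is easy to overlook; the one-label rule is what makes *.openwrt.org useless for a deeper name such as a.b.openwrt.org.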

CORRECT!

That is not the wildcard the OpenWrt device refers to. You can install a cert for a domain you purchased (or used Let's Encrypt for).

Please explain any vulnerability now. I am truly interested.

i am really not getting now what you want to know. I cant explain it to you dude , if you have any specific doubt tell me frankly , i ll try to help

you got to know now what i was trying to explain ?

The Router generates a Cert for this (you cannot legally buy one):

dude why you reached root name servers ?? i never talked about it

i am talking about ROOT CA

Please re-read.