[Solved] Invalid cert warning 21.02.0 release

Upgraded an Archer C7 v2 from 19.07.08 to 21.02.0.

I'm now getting an invalid cert warning for a self-signed cert when attempting to log in with LuCI.

Never saw this in previous versions.

Both ca-bundle and ca-certificates are installed.

Any ideas?

You are trying to reach the web interface of your router from your client (computer), which means ca-bundle or ca-certificates installed on the router don't apply - those are only needed for the router to authenticate remote HTTPS resources. Your router's SSL certificate presented to your clients is generated at first boot and self-signed, meaning no CA has signed it for you (how could they, without the corresponding configuration, a public domain, etc.) - in other words, you need to accept it (once) on your client(s).

3 Likes
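Added example, not part of the thread: a way to confirm that a certificate is self-signed and to compare its SHA-256 fingerprint with a pinned value before storing a permanent exception on the client. The certificate here is a constructed throwaway generated with `openssl`; the function names and the `OpenWrt-example` subject are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a constructed throwaway certificate stands in for the
# one the router generates at first boot. Requires the openssl CLI.

# Create a throwaway self-signed cert; writes $1/cert.pem and $1/key.pem.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=OpenWrt-example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Succeeds if issuer equals subject AND the signature verifies under the
# certificate's own key (i.e. no CA was involved).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint in the colon-separated form browsers display.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the certificate matches the fingerprint pinned earlier.
matches_pin() {
    [ "$(fingerprint "$1")" = "$2" ]
}
```

Running `fingerprint` on the router against the certificate file it serves, and comparing the result with what the browser's warning dialog shows, tells you the exception is being stored for the router's own certificate.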

Thanks for the clarification on ca-bundle and ca-certificates.

I've accepted it multiple times... it doesn't stick after a browser restart.

As mentioned, I never saw this issue in previous versions.

Previous versions never defaulted to using HTTPS, it was a manual choice.

Is the cert exception being saved in your browser? Your browser might be setting a temporary exception instead of adding a permanent one. Look up instructions on how to add/verify self-signed certificates in your browser.

Firefox for example will remove any saved certificate exemptions if you clear your history and have site preferences checked. Same if you auto-clear your history on closing the browser, or use Private mode.

Per the release notes:

In addition, LuCI is now available over HTTPS in addition to HTTP. There is no automatic redirection to HTTPS on a fresh OpenWrt 21.02 installation; however, redirection will be enabled after upgrading from OpenWrt 19.07 to OpenWrt 21.02.

It is always possible to activate or deactivate the redirection to HTTPS like this:

uci set uhttpd.main.redirect_https=1 # 1 to enable redirect, 0 to disable redirect
uci commit uhttpd
service uhttpd reload

4 Likes

May I ask how do you accept the certificate?

1 Like

Found the explanation and solution from @hynman -
