[Solved] Luci-app-acme, Let's Encrypt, and Connection reset by Peer

I'm trying to move away from my paid certificate to a Let's Encrypt one. I was afraid it might be a little fiddly to do on my home router, but we do this now on all the webservers at work, so i thought I'd give it a go.

I was pleasantly surprised to see luci-app-acme was available! I installed it, saw that the config wasn't too complicated, and so I thought this should be up and running in pretty short order.

But, er, no. I keep getting

witheld server name:Verify error:Fetching http://witheld server name/.well-known/acme-challenge/fDP0KMTV_LNXb1Jha-iFPDN60zXowcXQjFIiBIck_r8: Connection reset by peer

I've tried opening ports in the firewall, but it really looks to me like the scripts opens and closes ports as needed. If I open port 80, i get 'connection refused' instead of 'connection reset by peer'. I've tried with ipv6 in DNS, but all that gives me is 'connection refused'.

In the process I've also discovered that luci-ssl always redirects to https, regardless of the state of 'redirect_https' in the config file. So I tried turning off the https listening, and that finally stopped the https redirecting, but I still get the same error.

Please help.

LuCI should only be accessed via HTTPS, else your root password is passed via plaintext... an extremely bad idea to say the least.

Unless your webservers are public, you'd be far better off creating a self-signed CA and using that to sign an ICA, of which would sign certs. Here's a prebuilt openssl.cnf from my GitHub

Ok, I fixed it. LEDE ships with acme.sh v2.6.8. The newest on github is v2.7.6. I backed up the opkg installed version, and curl'd the newest from github. It also requires socat, but that's available in the LEDE repo. Works just fine now.

mv /usr/lib/acme/acme.sh /usr/lib/acme/acme.sh.bak
curl https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh > /usr/lib/acme/acme.sh
chmod a+x /usr/lib/acme/acme.sh

opkg update
opkg install socat
/etc/init.d/acme restart

Now I have a Let's Encrypt cert and a green padlock in the address bar.