[Solved] Uhttpd self-signed SSL/TLS certificate

/etc/config/uhttpd contains a cert section which contains parameters for certificate creation:

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

According to this documentation, it will be needed only once, at the next restart. So I assume, at every start uhttpd checks if the period of validity is expired, and if so, a new self-signed certificate will be generated, is that correct?

I want to use my own certificate, which I will push automatically via scp (and restart uhttpd afterwards). But what worries me is the fact that OpenWrt creates its own certificate. Is there a way to disable automatic creation of self-signed certificates?

When providing your own certificate, you can remove the cert section entirely. Make sure the cert and key file paths in the main section point to your certificate. I think that the key file must be readable only by root; even if uhttpd does not enforce that, it is a good practice.

Removing the cert section in /etc/config/uhttpd suppresses the creation of a new self-signed certificate?
Are you sure?

I found out that px5g-wolfssl or px5g-standalone is responsible for the creation of the self-signed certificate.

Is it safe to remove this package, or will it break something?

Also:
px5g seems to be part of the standard installation. In case of removal: will it be installed again, when an OpenWrt update is installed?

root@sw:~# opkg whatdepends -A px5g-wolfssl
Root set:
  px5g-wolfssl
What depends on root set
	apfree-wifidog 4.08.1771-6	depends on px5g
	luci-ssl git-20.244.36115-e10f954	depends on px5g-wolfssl

luci-ssl depends on px5g, so it seems like it is not possible to remove px5g without breaking the general SSL/TLS capability.

According to this documentation, px5g is triggered by the init script. How can this be disabled?

luci-ssl is an empty meta package; it can be removed without loss of functionality.

Cert generation is triggered if no cert file exists, in all other cases it is skipped, even if preexisting certs are expired or invalid.

Missing cert configuration section inhibits cert generation.

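Putting jow's two rules together (no cert section, and the files named in the main section must already exist, since nothing regenerates them), here is an added audit script for the bring-your-own-certificate setup; it is not from the thread or from OpenWrt. It assumes the UCI syntax shown above, and the sample config it writes uses hypothetical paths.

```shell
#!/bin/sh
# Added example, not from the thread: audit an uhttpd UCI config for the
# self-supplied certificate setup. Assumes the UCI syntax shown above and
# the poster's advice that the key should be readable only by root.

# uci_main_option FILE OPTION: print OPTION's value from the
# "config uhttpd 'main'" section (quotes stripped), empty if absent.
uci_main_option() {
    awk -v opt="$2" -v sect="'main'" -v q="'" '
        /^config / { in_main = ($2 == "uhttpd" && $3 == sect) }
        in_main && $1 == "option" && $2 == opt { gsub(q, "", $3); print $3; exit }
    ' "$1"
}

# audit_uhttpd FILE: return 0 when the config is right for a self-supplied
# certificate, 1 otherwise, printing each finding.
audit_uhttpd() {
    cfg=$1
    rc=0
    # A 'config cert' section lets the init script run px5g and generate a
    # self-signed cert whenever the cert file is missing (e.g. a bad deploy).
    if grep -q '^config cert' "$cfg"; then
        echo "WARN: 'config cert' section present; remove it to inhibit px5g"; rc=1
    fi
    cert=$(uci_main_option "$cfg" cert)
    key=$(uci_main_option "$cfg" key)
    # Without the cert section nothing regenerates the files, so they must exist.
    [ -n "$cert" ] && [ -f "$cert" ] || { echo "FAIL: cert '$cert' missing"; rc=1; }
    if [ -n "$key" ] && [ -f "$key" ]; then
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$mode" in
            600|400) ;;
            *) echo "WARN: key '$key' is mode $mode, expected 600"; rc=1 ;;
        esac
    else
        echo "FAIL: key '$key' missing"; rc=1
    fi
    return $rc
}

# write_sample_config DIR: constructed config with hypothetical paths for a
# self-contained demo; the cert section is intentionally absent.
write_sample_config() {
    cat > "$1/uhttpd" <<EOF
config uhttpd 'main'
	option listen_https '0.0.0.0:443'
	option cert '$1/uhttpd.crt'
	option key '$1/uhttpd.key'
EOF
}

# On a router: audit the live config (only if it exists on this host).
[ -f /etc/config/uhttpd ] && audit_uhttpd /etc/config/uhttpd
```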

hi jow,

thanks for your reply. That is exactly what I needed to know!

I am not able to update the official documentation, so I suggest someone adds a little note with that piece of information.

Have a nice day :)

