SSL connection fails with Let's encrypt

Hi,

I just installed acme and downloaded certificates from Let's Encrypt on my OpenWrt router, but it fails with ERR_SSL_PROTOCOL_ERROR when I try to connect to LuCI from Chrome from outside.

I installed certificates with the following command

DuckDNS_Token="MyToken" /usr/lib/acme/acme.sh --issue -d MyDomain -k ec-256 --dns dns_duckdns
[Mon Feb 13 14:35:36 UTC 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Feb 13 14:35:36 UTC 2023] No EAB credentials found for ZeroSSL, let's get one
[Mon Feb 13 14:35:39 UTC 2023] Registering account: https://acme.zerossl.com/v2/DV90
[Mon Feb 13 14:36:06 UTC 2023] Registered
[Mon Feb 13 14:36:06 UTC 2023] ACCOUNT_THUMBPRINT='HvioALIo96dkelFRGF00DezKkzIYgjHt1bn6Xhewu8w'
[Mon Feb 13 14:36:06 UTC 2023] Creating domain key
[Mon Feb 13 14:36:06 UTC 2023] The domain key is here: /root/.acme.sh/MyDomain_ecc/MyDomain.key
[Mon Feb 13 14:36:06 UTC 2023] Single domain='MyDomain'
[Mon Feb 13 14:36:06 UTC 2023] Getting domain auth token for each domain
[Mon Feb 13 14:36:43 UTC 2023] Getting webroot for domain='MyDomain'
[Mon Feb 13 14:36:43 UTC 2023] Adding txt value: W6C0-0mvaainHKaI99CzIbWnuoHvwJe6YZoVWwkp3uI for domain:  _acme-challenge.MyDomain
[Mon Feb 13 14:36:43 UTC 2023] Trying to add TXT record
[Mon Feb 13 14:36:44 UTC 2023] TXT record has been successfully added to your DuckDNS domain.
[Mon Feb 13 14:36:44 UTC 2023] Note that all subdomains under this domain uses the same TXT record.
[Mon Feb 13 14:36:44 UTC 2023] The txt record is added: Success.
[Mon Feb 13 14:36:44 UTC 2023] Let's check each DNS record now. Sleep 20 seconds first.
[Mon Feb 13 14:37:06 UTC 2023] You can use '--dnssleep' to disable public dns checks.
[Mon Feb 13 14:37:06 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Mon Feb 13 14:37:06 UTC 2023] Checking MyDomain for _acme-challenge.<MyDomain>

And I can see the certificate
/root/.acme.sh/MyDomain_ecc/MyDomain.cer
/root/.acme.sh/MyDomain_ecc/MyDomain.key

Port 443 can't be opened for now, so I set up forwarding from MyPort to 443.

/etc/config/uhttpd

config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	list listen_https '0.0.0.0:MyPort'
	list listen_https '[::]:MyPort'
	option home '/www'
	option rfc1918_filter '0'
	option max_requests '3'
	option max_connections '100'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'
	option cert '/root/.acme.sh/MyDomain_ecc/MyDomain.cer'
	option key '/root/.acme.sh/MyDomain_ecc/MyDomain.key'
	option redirect_https 'on'

/etc/config/firewall

config redirect
	option name 'Lucy-From-Wan'
	option src 'wan'
	option src_dport MyPort
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '443'
	option target 'DNAT'
	option proto 'tcp'

and then
/etc/init.d/uhttpd restart
/etc/init.d/firewall restart

Please help me to solve this issue
Thanks in advance

When running a service on the router, open the port, don't forward it.

config rule
   option name 'Luci-From-WAN'
   option src 'wan'
   option proto 'tcp'
   option dest_port MyPort
   option target 'ACCEPT'

Doing the above is not recommended. Using https and a certificate is to protect the user from connecting to a fake site or having communications intercepted by a man in the middle. It does nothing to protect the server side from hacking attempts, and LuCI is not intended to be hardened enough to be attached directly to the Internet.


Thanks for your reply,
I just changed the firewall as you recommended; however, the connection fails with the same error.
Do you have any other idea for this?

You should use the fullcert.pem as certificate, not the cert.


Thanks for your reply
Can you please explain more in detail?

Did it work?


This should point to fullcert.pem instead of MyDomain.cer.

fullcert.pem is provided by Let's Encrypt and contains your server cert plus the Let's Encrypt CA cert.


Thanks for your reply

There is no .pem file in the directory; there are only MyDomain.cer, MyDomain.conf, MyDomain.csr, MyDomain.csr.conf and MyDomain.key in /root/.acme.sh/MyDomain_ecc/.

After I updated uhttpd with fullcert.pem instead of MyDomain.cer,
I got the following error in Chrome:

NET::ERR_CERT_AUTHORITY_INVALID
Subject: OpenWrt

Issuer: OpenWrt

Expires on: 2025. 2. 13.

Current date: 2023. 2. 14.

PEM encoded chain:
-----BEGIN CERTIFICATE-----
<PEM encoded chain>
-----END CERTIFICATE-----

Do you have any idea for this error?

Are you sure you got that from letsencrypt?


Whenever I reboot or run /etc/init.d/uhttpd restart after installing the certificate from Let's Encrypt, it overwrites /root/.acme.sh/MyDomain_ecc/MyDomain.key.
So I backed up and restored MyDomain.key, but it generates the same error.

I don't think that the following in /etc/config/uhttpd is proper:

option cert '/root/.acme.sh/MyDomain_ecc/fullcert.pem'
option key '/root/.acme.sh/MyDomain_ecc/MyDomain.key'

Do you have any recommendation for this?

This is not expected behaviour.

What makes you think that?

Not really, the thing is simple. Get the correct key and certificate on the router, configure them in uhttpd, restart uhttpd. You are somehow not able to get the proper certificate, so better follow the instructions.


Actually, when I install the certificate files from Let's Encrypt, there is no fullcert.pem.

And I found that if there is no file at the path /etc/config/uhttpd points to, uhttpd automatically copies the corresponding file from /etc/ on '/etc/init.d/uhttpd restart' or reboot, like the following:

option cert '/root/.acme.sh/MyDomain_ecc/fullcert.pem'

copies /etc/uhttpd.crt to /root/.acme.sh/MyDomain_ecc/fullcert.pem if fullcert.pem doesn't exist

option key '/root/.acme.sh/MyDomain_ecc/MyDomain.key'

copies /etc/uhttpd.key to /root/.acme.sh/MyDomain_ecc/MyDomain.key if MyDomain.key doesn't exist

Actually, /etc/uhttpd.crt and /etc/uhttpd.key were generated at the default path long ago by uhttpd.
So when I loaded the web page, uhttpd on OpenWrt sent fullcert.pem to the browser, which showed that the issuer of the cert is OpenWrt.

So I restored

option cert '/root/.acme.sh/MyDomain_ecc/fullcert.pem'

to

option cert '/root/.acme.sh/MyDomain_ecc/MyDomain.cer'

Then the issue disappears.

As a result, the current setting is the same as at the beginning;
however, 'ERR_SSL_PROTOCOL_ERROR' also disappears, probably because I disabled cache and cookies in Chrome while I was troubleshooting.
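The two pitfalls in this thread (a DNAT redirect to the router itself instead of an ACCEPT rule, and a cert path that does not exist so uhttpd substitutes its self-signed default on restart) can both be caught by checking the UCI files before restarting. The following is an added example, not code from the thread or from OpenWrt; the config text, the file list and port 8443 (standing in for MyPort) are constructed.

```python
import shlex

def parse_uci(text):
    """Parse UCI config text into (type, name, {option: [values]}) sections."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts and parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def check_uhttpd(sections, existing_files):
    """Flag cert/key paths that do not exist: on restart uhttpd fills them with its self-signed 'OpenWrt' default."""
    problems = []
    for stype, name, opts in sections:
        for key in ("cert", "key") if stype == "uhttpd" else ():
            for path in opts.get(key, []):
                if path not in existing_files:
                    problems.append(f"{name}: {key} {path} missing, self-signed default would be served")
    return problems

def check_firewall(sections, port):
    """Flag a DNAT redirect aimed at the router itself; require a plain ACCEPT input rule for the port."""
    problems, accepted = [], False
    for stype, _name, opts in sections:
        if stype == "redirect" and opts.get("src") == ["wan"] and opts.get("src_dport") == [port]:
            problems.append(f"redirect on port {port}: DNAT to the router itself, use a 'rule' with target ACCEPT")
        if (stype == "rule" and opts.get("src") == ["wan"] and "dest" not in opts
                and opts.get("dest_port") == [port] and opts.get("target") == ["ACCEPT"]):
            accepted = True
    return problems + ([] if accepted else [f"no ACCEPT rule for WAN traffic to router port {port}"])

# Constructed inputs mirroring the thread's first attempt; 8443 stands in for MyPort.
UHTTPD_CFG = """config uhttpd 'main'
    list listen_https '0.0.0.0:8443'
    option cert '/root/.acme.sh/MyDomain_ecc/fullcert.pem'
    option key '/root/.acme.sh/MyDomain_ecc/MyDomain.key'"""
FIREWALL_CFG = """config redirect
    option src 'wan'
    option src_dport '8443'
    option dest_ip '192.168.1.1'
    option target 'DNAT'"""
ROUTER_FILES = {"/root/.acme.sh/MyDomain_ecc/MyDomain.cer", "/root/.acme.sh/MyDomain_ecc/MyDomain.key"}

if __name__ == "__main__":
    for p in check_uhttpd(parse_uci(UHTTPD_CFG), ROUTER_FILES) + check_firewall(parse_uci(FIREWALL_CFG), "8443"):
        print("WARN:", p)
```

On a real router, replace the constructed strings with the contents of /etc/config/uhttpd and /etc/config/firewall and the set of files actually present under /root/.acme.sh/.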
