I'm using the instructions at [[OpenWrt Wiki] How to get rid of LuCI HTTPS certificate warnings] located at (https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings ).
It's failing at the step to import the certs to the browser. I'm using Chrome as instructed, when I run the powershell script:
$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText Import-pfxCertificate mycert.pfx -Password $mypwd -CertStoreLocation "Cert:\LocalMachine\Root"
I get this error:
ConvertTo-SecureString : A positional parameter cannot be found that accepts argument 'Import-pfxCertificate'.
At line:1 char:10
+ $mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText Import-pfxCertificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [ConvertTo-SecureString], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
I'm running the script from the directory the mycert.pfx file is in. I don't know scripting in powershell. Can anyone help with this?
If $mypwd contains spaces or special characters, -Password $mypwd is going to break; use colons around the variable: "-Password $mypwd".
2 Likes
I'm not sure what is in $mypwd. Shouldn't that be the cert/key from mycert.crt or mycert.key?
I did try the command with the "" around -Password $mypwd. Didn't change the error message.
You need to run those commands as two separate lines
$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
Import-pfxCertificate mycert.pfx -Password $mypwd -CertStoreLocation "Cert:\LocalMachine\Root"
mk24
January 12, 2023, 6:33pm
5
The pkcs12 password is some arbitrary phrase to protect the pkcs file from unauthorized use. Without it, the certificate's private key cannot be extracted from the file. But the whole premise of those instructions is wrong. A client (Windows, Chrome, etc) does not need the private key to install a certificate as trusted. Only the web server (luci) should ever hold the private key. At the start of an https connection, the client will challenge the server to prove that it has the private key, which can be done without the client actually having the key.
Import the certificate (without key) into Windows as a pem file.
1 Like
The separate commands ran, but I'm getting "Hmmm… can't reach this page 10.213.1.254 refused to connect." in the browser.
I'm using Edge. Tried Chrome, same result.
Is this the address of your OpenWrt router? Can you ssh to it?
1 Like
Just save the cert and use the web GUI to import.
(Personally, if I care, I just look at the cert fingerprint each time, I don't bother adding. A long thread/discussion from the past: [solved] Err_cert_authority_invalid )
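Following mk24's point above (a client only needs the public certificate, never the private key) and the suggestion just above to check the certificate fingerprint by hand, here is an added PowerShell example. It is not from the wiki page or from anyone in this thread. It assumes mycert.crt is the PEM certificate the wiki procedure produced and that 10.213.1.254 is the router, both names taken from this thread; the choice of the CurrentUser\Root store and the TLS probe against port 443 are my own.

```powershell
# Added example (not from the OpenWrt wiki or this thread).
# Trusts only the public certificate, then checks that the router really
# serves that same certificate before you rely on the green padlock.
# Assumptions: mycert.crt is the PEM certificate from the wiki procedure,
# 10.213.1.254 is the router address (both taken from the thread).
$certFile = '.\mycert.crt'
$routerIp = '10.213.1.254'

# .NET resolves relative paths against the process directory, not $PWD,
# so hand it an absolute path.
$certPath = (Resolve-Path $certFile).Path
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
"Thumbprint of the file you are about to trust (SHA-1): $($fileCert.Thumbprint)"

# Import the public certificate into the current user's trusted root store.
# No private key is involved, no elevation is needed, and the trust decision
# is scoped to this Windows account rather than every user on the machine
# (Cert:\LocalMachine\Root would need an elevated prompt and trust it globally).
Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# Now fetch the certificate the router actually presents on 443 and compare.
# The validation callback deliberately returns $true: we only want to read
# the remote certificate here, not decide whether to trust it.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($routerIp, 443)   # throws if the port refuses
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
try {
    $ssl.AuthenticateAsClient($routerIp)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

if ($served.Thumbprint -eq $fileCert.Thumbprint) {
    "OK: $routerIp serves the certificate you just trusted"
} else {
    "MISMATCH: $routerIp serves $($served.Thumbprint) but you trusted $($fileCert.Thumbprint)"
    # Undo the import if the router is not presenting the expected certificate:
    # Get-ChildItem Cert:\CurrentUser\Root | Where-Object Thumbprint -eq $fileCert.Thumbprint | Remove-Item
}
```

Chrome and Edge on Windows consult the Windows certificate store, so nothing has to be imported into the browser itself; Firefox keeps its own store unless told to use the system one. If the TcpClient line throws a connection-refused error, the browser's "refused to connect" is a transport problem between the PC and the router, not a certificate problem, and no amount of certificate importing will change it.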
Yes, I can ssh to the router.
What do you see when you run this:
netstat -plnt
On the router:
root@router-ea8500:~# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 6433/wsdd2
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3295/uhttpd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 26301/dnsmasq
tcp 0 0 10.213.1.254:53 0.0.0.0:* LISTEN 26301/dnsmasq
tcp 0 0 192.168.1.10:53 0.0.0.0:* LISTEN 26301/dnsmasq
tcp 0 0 192.168.1.1:8118 0.0.0.0:* LISTEN 6613/privoxy
tcp 0 0 0.0.0.0:3702 0.0.0.0:* LISTEN 6433/wsdd2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1274/dropbear
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3295/uhttpd
tcp 0 0 :::5355 :::* LISTEN 6433/wsdd2
tcp 0 0 :::80 :::* LISTEN 3295/uhttpd
tcp 0 0 ::1:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 fe80::fcff:ffff:feff:8476:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 2600:1700:65a8:20dd::1:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 fdd5:794:7805::1:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 fe80::c256:27ff:fe0a:4dce:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 2600:1700:65a8:20d0:c256:27ff:fe0a:4dcf:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 2600:1700:65a8:20d0::47:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 fe80::c256:27ff:fe0a:4dcf:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 fe80::c256:27ff:fe0a:4dd0:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 fe80::c256:27ff:fe0a:4dd1:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 fe80::9039:5dff:fe22:10b2:53 :::* LISTEN 26301/dnsmasq
tcp 0 0 :::22 :::* LISTEN 1274/dropbear
tcp 0 0 :::3702 :::* LISTEN 6433/wsdd2
tcp 0 0 :::443 :::* LISTEN 3295/uhttpd
tcp 0 0 :::445 :::* LISTEN -
On the PC:
C:\Users\weswe>netstat -pnt
Active Connections
Proto Local Address Foreign Address State Offload State
C:\Users\weswe>
So it looks like uhttpd is running properly.
Let's see the /etc/config/uhttpd file as well as the output of ubus call system board