Trying to Create Certs for LUCI Login

I'm using the instructions at [OpenWrt Wiki] How to get rid of LuCI HTTPS certificate warnings, located at https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings.

It's failing at the step to import the certs into the browser. I'm using Chrome as instructed. When I run the PowerShell script:

$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText Import-pfxCertificate mycert.pfx -Password $mypwd -CertStoreLocation "Cert:\LocalMachine\Root"

I get this error:

ConvertTo-SecureString : A positional parameter cannot be found that accepts argument 'Import-pfxCertificate'.
At line:1 char:10
+ $mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText Import-pfxCertificate
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

I'm running the script from the directory the mycert.pfx file is in. I don't know scripting in PowerShell. Can anyone help with this?

If $mypwd contains spaces or special characters, -Password $mypwd is going to break; use colons around the variable: "-Password $mypwd".

2 Likes

I'm not sure what is in $mypwd. Shouldn't that be the cert/key from mycert.crt or mycert.key?
I did try the command with the "" around -Password $mypwd. Didn't change the error message.

You need to run those commands as two separate lines:

$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
Import-pfxCertificate mycert.pfx -Password $mypwd -CertStoreLocation "Cert:\LocalMachine\Root"

The PKCS#12 password is some arbitrary phrase to protect the PKCS file from unauthorized use. Without it, the certificate's private key cannot be extracted from the file. But the whole premise of those instructions is wrong. A client (Windows, Chrome, etc.) does not need the private key to install a certificate as trusted. Only the web server (LuCI) should ever hold the private key. At the start of an HTTPS connection, the client will challenge the server to prove that it has the private key, which can be done without the client actually having the key.

Import the certificate (without key) into Windows as a pem file.

1 Like
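As an added example (not a command from this thread or from the OpenWrt wiki page), here is the key-free import the reply above recommends, done in PowerShell with a check of what is being trusted before and after. It assumes the router's public certificate was saved as mycert.crt (PEM or DER) in the current directory and that the shell is elevated, since Cert:\LocalMachine\Root requires administrator rights.

```powershell
# Added example: trust the router's public certificate only (no private key).
# Assumptions: .\mycert.crt holds the certificate exported from the router,
# and this runs in an elevated PowerShell session.

$certPath = Join-Path $PWD 'mycert.crt'

# Load the file and confirm it is a bare certificate. A .pfx would carry the
# private key, which the client must never hold.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
if ($cert.HasPrivateKey) {
    throw "$certPath contains a private key; export the certificate only (.crt/.pem) and retry."
}

# Show what is about to be trusted. Compare the thumbprint with the one the
# browser's certificate viewer shows for the router before continuing.
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"

# Import into the machine's trusted-root store. Import-Certificate is part of
# the built-in PKI module; no password is needed because no key is present.
$null = Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Verify by thumbprint (not by name) that the store now holds this certificate.
$inStore = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $inStore) {
    throw 'Import reported success but the certificate is not in the Root store.'
}
"Trusted: $($inStore.Subject) ($($inStore.Thumbprint))"

# To remove it later (for example after the router's certificate is rotated):
# Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
```

The script prints the subject and thumbprint so a mistaken file is caught before it lands in the root store; compare the thumbprint against the one the browser shows for the router.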

The separate commands ran, but I'm getting
"Hmmm… can't reach this page 10.213.1.254 refused to connect." in the browser.
I'm using Edge. Tried Chrome, same result.

Is this the address of your OpenWrt router? Can you SSH to it?

1 Like

Just save the cert and use the web GUI to import.

(Personally, if I care, I just look at the cert fingerprint each time, I don't bother adding. A long thread/discussion from the past: [solved] Err_cert_authority_invalid)

Yes, I can SSH to the router.

What do you see when you run this:

netstat -plnt

On the router:

root@router-ea8500:~# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      6433/wsdd2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3295/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      26301/dnsmasq
tcp        0      0 10.213.1.254:53         0.0.0.0:*               LISTEN      26301/dnsmasq
tcp        0      0 192.168.1.10:53         0.0.0.0:*               LISTEN      26301/dnsmasq
tcp        0      0 192.168.1.1:8118        0.0.0.0:*               LISTEN      6613/privoxy
tcp        0      0 0.0.0.0:3702            0.0.0.0:*               LISTEN      6433/wsdd2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1274/dropbear
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3295/uhttpd
tcp        0      0 :::5355                 :::*                    LISTEN      6433/wsdd2
tcp        0      0 :::80                   :::*                    LISTEN      3295/uhttpd
tcp        0      0 ::1:53                  :::*                    LISTEN      26301/dnsmasq
tcp        0      0 fe80::fcff:ffff:feff:8476:53 :::*                    LISTEN      26301/dnsmasq
tcp        0      0 2600:1700:65a8:20dd::1:53 :::*                    LISTEN      26301/dnsmasq
tcp        0      0 fdd5:794:7805::1:53     :::*                    LISTEN      26301/dnsmasq
tcp        0      0 fe80::c256:27ff:fe0a:4dce:53 :::*                    LISTEN      26301/dnsmasq
tcp        0      0 2600:1700:65a8:20d0:c256:27ff:fe0a:4dcf:53 :::*                    LISTEN      26301/dnsmasq
tcp        0      0 2600:1700:65a8:20d0::47:53 :::*                    LISTEN      26301/dnsmasq
tcp        0      0 fe80::c256:27ff:fe0a:4dcf:53 :::*                    LISTEN      26301/dnsmasq
tcp        0      0 fe80::c256:27ff:fe0a:4dd0:53 :::*                    LISTEN      26301/dnsmasq
tcp        0      0 fe80::c256:27ff:fe0a:4dd1:53 :::*                    LISTEN      26301/dnsmasq
tcp        0      0 fe80::9039:5dff:fe22:10b2:53 :::*                    LISTEN      26301/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      1274/dropbear
tcp        0      0 :::3702                 :::*                    LISTEN      6433/wsdd2
tcp        0      0 :::443                  :::*                    LISTEN      3295/uhttpd
tcp        0      0 :::445                  :::*                    LISTEN      -

On the PC:

C:\Users\weswe>netstat -pnt
Active Connections
  Proto  Local Address          Foreign Address        State           Offload State

C:\Users\weswe>

So it looks like uhttpd is running properly.

Let's see the /etc/config/uhttpd file as well as the output of ubus call system board.