Uhttpd not picking new cert/key

I replaced the cert/key of uhttpd before and it always worked.
This time I am doing it to an old router that came with OpenWrt and is not upgradeable.
The old cert probably has 1K or 2K keysize.

I did replace the crt and key files as pointed to by uci show uhttpd. I am using a 4KB key size.
But uhttpd won't start. I tried to do uci set uhttpd.px5g.bits='4096' and commit it, but it did not help.

I am getting this error:

Fri Jul 17 16:26:48 2020 daemon.err uhttpd[6027]: Failed to load certificate/key files

Any ideas to get more specific errors?

Here is my config:

uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd.main.redirect_https='1'
uhttpd.main.home='/www'
uhttpd.main.rfc1918_filter='1'
uhttpd.main.max_requests='3'
uhttpd.main.max_connections='100'
uhttpd.main.cert='/etc/uhttpd/uhttpd.crt'
uhttpd.main.key='/etc/uhttpd/uhttpd.key'
uhttpd.main.cgi_prefix='/cgi-bin'
uhttpd.main.script_timeout='60'
uhttpd.main.network_timeout='30'
uhttpd.main.http_keepalive='20'
uhttpd.main.tcp_keepalive='1'
uhttpd.main.ubus_prefix='/ubus'
uhttpd.px5g=cert
uhttpd.px5g.days='730'
uhttpd.px5g.country='ZZ'
uhttpd.px5g.state='Somewhere'
uhttpd.px5g.location='Uknown'
uhttpd.px5g.commonname='OpenWrt'
uhttpd.px5g.bits='1024'

If the paths are correct, could there be permission issues? I wonder if the key file needs to be user readable only.

The path is certainly correct.
When I reverted the files, it worked again.

Really? I doubt it but I can give it a try. Which chmod should I use? 600 (r--------) ?

It was a guess; I have those files with 600 (-rw-------). It must not like the contents then.

Just tried the permissions settings, it did not work.
Yup something with the contents of the crt/key files that it did not like. Too bad the error message is too cryptic.

After tinkering a bit more, I found the issue.
I was using an ECDSA key. It did not like it, probably because it was an older version of OpenWrt.
(An ECDSA key certainly works on v19 at least.)

So I generated an RSA key instead, and it worked.
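
The log line in this thread does not say why loading failed, so one way to rule out the key-type cause found above is to classify the private key on the workstation before copying it to the router. This is an added example, not code from the thread or from OpenWrt; `key_type`, `read_tlv`, `children` and `sample_pkcs8` are hypothetical names, and the sample keys are constructed PKCS#8 framing around dummy key bytes.

```python
import base64, re

# DER content bytes of the algorithm OIDs that identify the key type.
OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",  # rsaEncryption
    bytes.fromhex("2a8648ce3d0201"): "EC",       # id-ecPublicKey (ECDSA keys)
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_bytes) for each element between start and end."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, buf[vs:ve]
        start = ve

def key_type(pem_text):
    """Classify an unencrypted PEM private key as 'RSA', 'EC' or 'unknown'."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode(m.group(2))
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):  # PKCS#1 / SEC1 headers
        return label.split()[0]
    if label == "PRIVATE KEY":   # PKCS#8: version, AlgorithmIdentifier, key
        _, vs, ve = read_tlv(der, 0)
        fields = list(children(der, vs, ve))
        alg = fields[1][1]                       # AlgorithmIdentifier contents
        _, oid = next(children(alg, 0, len(alg)))
        return OIDS.get(oid, "unknown")
    return "unknown"

def sample_pkcs8(alg_hex):
    """Constructed sample: PKCS#8 framing around a dummy 1-byte key."""
    body = b"\x02\x01\x00" + bytes.fromhex(alg_hex) + b"\x04\x01\x00"
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"

SAMPLE_RSA = sample_pkcs8("300d06092a864886f70d0101010500")
SAMPLE_EC = sample_pkcs8("301306072a8648ce3d020106082a8648ce3d030107")
```

For a real file, call `key_type(open("uhttpd.key").read())`; a result of `EC` points at the cause found in this thread.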
