What is your recommended way to add a certificate?

Hello everyone,

Today, I attempted to add a certificate to my router in order to eliminate the annoying warning indicating that the site is unsafe due to a missing certificate. Although it didn't bother me much, I decided to enhance the security since I have exposed ports externally.

Firstly, I consulted this resource as a starting point. Unfortunately, it didn't provide much information. Then, I experimented with the acme script, but I didn't achieve any results. Next, I explored uHTTPd, but it didn't seem to meet my requirements.

What turned out to be helpful for me is the ability to add certificates for running Docker containers using Nginx Proxy Manager. Here are some examples:

In essence, the idea is simple: install Nginx Proxy Manager, add a certificate with Let's Encrypt, add the running Docker container as a host, connect it to the same Docker network, and you're done. It should only take around 5 minutes to set up. However, in my case, it didn't work as expected. The container always lacks the correct certificate authority (CA). While my DDNS points to my public IP, accessing the correct service requires adding a specific port. Nevertheless, it functions flawlessly within my local network and even outside the internet.

I'm wondering if anyone has experience with this approach and can offer any insights or solutions.

Even though it failed for you, Acme should work for this, linked to your DDNS.

How do you know it's working? After using the ACME global config (LuCI tool), in the folder /etc/ssl/acme I immediately noticed that my domain appeared with the extra suffix ".failed-1687582846".

What I just added was:
domain : port

Days until renewal=90. And literally that's it.

To be honest - I really don't care which way it gets configured, as long as it works. Nginx Proxy Manager just looks more convenient.

sorry, never used it using the webUI, just ran it via cli.


ok, I'm comfortable with the CLI as well, if you are able to help..?

not today unfortunately, don't have access to any openwrt box at my current location :frowning:

understand. Could you please send me a configuration/example of how it should be done properly once you get access?

if you run it in cli, and post the output, I might be able to help you, from memory.

ok, then what do you need me to do?

So far with acme what I have done was:

  1. registering a new account by
/etc/ssl/acme/acme.sh --register-account -m my@email
  2. After that
/etc/ssl/acme/acme.sh --issue -d my_ddns_domain --webroot /mnt/sdb1/BookStack/BackupData/www/ --home /etc/ssl/acme

On point 2 I get

even though I already created it.

even if old, try post 7 in https://forum.archive.openwrt.org/viewtopic.php?id=65090 1st, it still looks pretty accurate.

the main thing is to move the default webUI to a port other than 80/443, and make sure it's accessible from the internet, so letsencrypt is able to pick up the file needed to generate the cert.
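The two things the posts above are circling, uhttpd still owning port 80 and the --webroot directory not actually being reachable, can be checked before running acme.sh --issue. The script below is an added example and not code from this thread or from the acme/acme.sh projects; it assumes the uhttpd config is available in the UCI text form pasted later in the thread and that the webroot is a plain directory on the router. The sample configs embedded at the bottom are constructed, not taken from a real box.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight checks before issuing a
# Let's Encrypt certificate with acme.sh in --webroot (HTTP-01) mode on an
# OpenWrt router. Two things commonly break that flow:
#   1. uhttpd (LuCI) still listening on :80, so Let's Encrypt's request for
#      http://<domain>/.well-known/acme-challenge/<token> is answered by LuCI
#      and never reaches the directory acme.sh wrote the token into;
#   2. the directory passed to --webroot not being writable/readable.
# Assumptions (mine): uhttpd config is the UCI text form shown in the thread;
# the webroot is an ordinary directory. Uses only BusyBox-compatible tools.

# Print the address of every listen_http / listen_https entry in a uhttpd
# UCI config, one per line (e.g. '0.0.0.0:80', '[::]:443').
uhttpd_listeners() {
    printf '%s\n' "$1" |
        sed -nE "s/^[[:space:]]*list[[:space:]]+listen_https?[[:space:]]+'([^']*)'.*/\1/p"
}

# Succeed if any listener in the config is bound to PORT ($2), whatever the
# address form: '0.0.0.0:80', '[::]:80', or a bare '80'.
uhttpd_listens_on() {
    uhttpd_listeners "$1" | grep -Eq "(^|:)${2}\$"
}

# Path that acme.sh --webroot writes the challenge token to.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# Drop a dummy token into the webroot, confirm it is readable at the path
# Let's Encrypt will request, then remove it again.
webroot_ok() {
    p=$(challenge_path "$1" "preflight-$$")
    mkdir -p "$(dirname "$p")" 2>/dev/null && printf 'ok' > "$p" 2>/dev/null && [ -r "$p" ]
    rc=$?
    rm -f "$p"
    return $rc
}

# Combined verdict. Returns 0 only if port 80 is not taken by uhttpd and the
# webroot accepts the challenge file; prints one line per check.
http01_preflight() {
    cfg="$1"; webroot="$2"; status=0
    if uhttpd_listens_on "$cfg" 80; then
        echo "FAIL: uhttpd still listens on :80; move listen_http (e.g. to ':8080') or let uhttpd serve $webroot"
        status=1
    else
        echo "ok:   port 80 is not taken by uhttpd"
    fi
    if webroot_ok "$webroot"; then
        echo "ok:   $webroot accepts the challenge file"
    else
        echo "FAIL: cannot write challenge file under $webroot"
        status=1
    fi
    return $status
}

# Constructed sample configs: the default LuCI listeners, then the same
# section with LuCI moved to 8080/8443 to free port 80 for the challenge.
SAMPLE_BEFORE="config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'"
SAMPLE_AFTER="config uhttpd 'main'
        list listen_http '0.0.0.0:8080'
        list listen_http '[::]:8080'
        list listen_https '0.0.0.0:8443'
        list listen_https '[::]:8443'"

demo_dir=$(mktemp -d)
echo "--- before moving uhttpd:"; http01_preflight "$SAMPLE_BEFORE" "$demo_dir" || true
echo "--- after moving uhttpd:";  http01_preflight "$SAMPLE_AFTER"  "$demo_dir" || true
rm -rf "$demo_dir"
```

On a real router you would feed it `"$(cat /etc/config/uhttpd)"` and the directory you pass to `--webroot`; a FAIL on the first check is exactly the situation the posts describe, and the fix is either to move uhttpd's listen_http off port 80 or to point --webroot at the directory uhttpd already serves (its `option home`).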

ok, I'm on it..

Comparing the data from the link, mine are as below:

cat /etc/config/uhttpd

config uhttpd 'main'
	list listen_http ''
	list listen_http '[::]:80'
	list listen_https ''
	list listen_https '[::]:443'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'
	option script_timeout '180'
	option redirect_https '1'

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

list listen_http is commented out. But I believe I first have to issue:

/etc/ssl/acme/acme.sh --issue -d

as I understand. Without that there is no point in further investigation. Is that correct?

port 80 is HTTP, 443 HTTPS, I would assume it tries port 80 1st.

you need to install the acme package, I guess; could that also be why it fails for you via the webUI?

I also found this: https://openwrt.org/docs/guide-user/services/tls/acmesh :wink:

luci-app-acme and acme-dnsapi are installed, as well as acme-acmesh and acme-common.
Acme script I got from:

mkdir /etc/ssl/acme
wget -O /etc/ssl/acme/acme.sh https://github.com/acmesh-official/acme.sh/raw/master/acme.sh
chmod +x /etc/ssl/acme/acme.sh

while I don't see an IPK for it separately.

Going to check the link you provided.

Already I have got:

uci show uhttpd.main.redirect_https

You are right. Today when I was trying I received an error; now, after an update, it installed successfully:

opkg install acme
Package acme (3.0.6-3) installed in root is up to date.

In that link is one part which I don't understand:

then edit /etc/config/acme

with what?

it's there, at least on the 22.03.5 I've got access to.

Yes, got openwrt, but not going to mess with this one :wink:

winscp, or vi using cli.

please don't update old posts with new info, it's confusing.

sure, you just were faster :wink:

I mean content. For editing nano is just fine for me.

Ok , edited. acme restarted. Still with port 80.

While I did dabble in acme a few years ago, I stopped chasing it quite quickly - just accept the self-signed cert once and forget about it (at least in Firefox). At least for routers, acme is imho not the brightest idea:

  • you need access most, when internet connectivity is not given
  • few plastic routers have a battery backed RTC, so no real idea of time in the absence of internet connectivity
  • acme depends (HTTP-01 challenge) on opening the webserver running on the router to the open internet (albeit ideally only shortly), which is... not a soothing thought
  • it does magic stuff at elevated access rights (input sanitation!)
  • it totally fails in the typical NAT situation and multiple systems needing a certificate (don't tell me to scp/ rsync it back and forth…)
  • in my testing a few years ago, it was fragile in practice
  • the DNS-01 challenge claims to improve some of these concerns, but its practical implementation is totally bollocks (giving an embedded infrastructure device the access credentials (most don't have API keys restricted to 'just' changing zone info, but are the same to register/ delete domains or at least add/modify/remove DNS records willy-nilly) to your DNS registrar..!?)
  • and at least a few years back, the actual implementation for OpenWrt was rather fragile
  • insert ranting about common browsers making it needlessly hard/ scary here

tl;dr: my advice would be, don't - stick to self-signed certificates and tell your browser to stick it.