I was able to get Let's Encrypt to issue a certificate from OpenWrt CC 15.05 and then use it for an internal host with LuCI over HTTPS. No guarantee this configuration will work for you or that it is secure.
Step 1
Create a free subdomain with DuckDNS.org. There are some other free subdomain providers, but they must be registered with the public suffix list to avoid quota limits on certificates with Let's Encrypt.
Step 2
Configure the DDNS package to have OpenWrt automatically update DuckDNS with your WAN IP address.
Step 3
Install TLS to enable HTTPS on uhttpd
opkg update
opkg install uhttpd-mod-tls
Step 4
Enable uhttpd to respond to requests to your duckdns.org subdomain from devices on your private LAN. This is required because uhttpd seems to reject by default any requests from a private LAN host to the wan address, which is what your duckdns subdomain resolves to.
# rfc1918_filter is uhttpd's DNS rebinding countermeasure; 0 turns it off
uci set uhttpd.main.rfc1918_filter='0'
uci commit
Step 5
Install packages required by the acme.sh script
opkg install coreutils-stat
opkg install netcat
Step 6
Download and install acme.sh shell script from Neilpang on GitHub.
Step 7
Edit this script to change the stand-alone webserver port to something other than 80 or 443, assuming you have uhttpd already running on those ports. Search for this line and change 80 to an open port number, such as 8080
Step 8
Enable port forwarding on port 80 on WAN to the stand-alone webserver port selected in Step 7
# open port for HTTP validation
uci add firewall redirect
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].src=wan
uci set firewall.@redirect[-1].proto=tcp
uci set firewall.@redirect[-1].src_dport=80
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].dest_ip=[YOUR OPENWRT LAN IP ADDRESS]
uci set firewall.@redirect[-1].dest_port=[THE PORT YOU CONFIGURED FOR THE SCRIPT, such as 8080]
uci commit
# restart firewall
/etc/init.d/firewall restart
Step 9
Generate the certificate with Let's Encrypt using the shell script's stand-alone webserver for HTTP authentication
acme.sh --issue --standalone -d example.duckdns.org
Step 10
Assuming step 9 worked, close port 80 from WAN access that was opened in step 8
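# remove the redirect added in step 8
uci delete firewall.@redirect[-1]
# save the change so the redirect does not come back after a reboot
uci commit
# restart firewall
/etc/init.d/firewall restart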
Step 11
Configure uhttpd to use the Let's Encrypt certificate and key generated in step 9
cd ~/acme.sh/
cd example.duckdns.org
cp example.duckdns.org.cer /etc/uhttpd.crt
cp example.duckdns.org.key /etc/uhttpd.key
chmod 400 /etc/uhttpd.key
Step 12
Restart the uhttpd webserver
/etc/init.d/uhttpd stop
/etc/init.d/uhttpd start
Step 13
Assuming that all worked, try to navigate to your duckdns subdomain from a PC on your LAN with HTTPS.
Note that Let's Encrypt certificates expire after 90 days, so you'll need to set up a cron job or something to renew them.
(Last edited by languagegame on 4 Jun 2016, 06:07)
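Steps 8 to 10 above as one renewal routine, written as an added example that is not part of the original post: the WAN port-80 redirect gets a name so it can be deleted by name instead of by position, and it is removed whether or not issuance succeeds. The section name `acme_http`, the `UCI`/`ACME`/`FW_RESTART` override variables and the use of acme.sh's `--httpport` option (in place of editing the script as in step 7) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the section name
# "acme_http", acme.sh's --httpport option, and the UCI/ACME/FW_RESTART
# override variables, which exist only so the logic can be tested off-router.
UCI=${UCI:-uci}
ACME=${ACME:-acme.sh}
FW_RESTART=${FW_RESTART:-/etc/init.d/firewall restart}
RULE=acme_http   # hypothetical name for the temporary redirect section

# Step 8: forward WAN port 80 to the stand-alone validation port.
open_redirect() {   # $1 = router LAN IP, $2 = stand-alone port
    $UCI set firewall.$RULE=redirect &&
    $UCI set firewall.$RULE.target=DNAT &&
    $UCI set firewall.$RULE.src=wan &&
    $UCI set firewall.$RULE.proto=tcp &&
    $UCI set firewall.$RULE.src_dport=80 &&
    $UCI set firewall.$RULE.dest=lan &&
    $UCI set firewall.$RULE.dest_ip="$1" &&
    $UCI set firewall.$RULE.dest_port="$2" &&
    $UCI commit firewall &&
    $FW_RESTART
}

# Step 10: delete the redirect by name, so a rule added by someone else in
# the meantime is never the one removed, then persist and reload.
close_redirect() {
    $UCI -q delete firewall.$RULE || return 0   # nothing to close
    $UCI commit firewall && $FW_RESTART
}

# Steps 8-10 as one unit: the port is closed whether or not issuance worked.
renew_cert() {      # $1 = domain, $2 = router LAN IP, $3 = stand-alone port
    rc=0
    trap 'close_redirect; exit 1' INT TERM
    open_redirect "$2" "$3" &&
        $ACME --issue --standalone --httpport "$3" -d "$1" || rc=$?
    close_redirect || rc=$?
    trap - INT TERM
    return "$rc"
}

# Run only when called with all three arguments, e.g. from cron.
if [ "$#" -eq 3 ]; then
    renew_cert "$@"
    exit $?
fi
```

Copying the renewed certificate and key into place and restarting uhttpd (steps 11 and 12) still has to follow a successful run.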