Change SSL cert for HTTPS certificates

jissa
DD-WRT Novice


Joined: 10 May 2015
Posts: 1

Posted: Mon Aug 03, 2015 5:45    Post subject: Is this possible
I am trying to avoid the connection un-trusted error whenever I connect using https to my router. My thoughts are:
1. Create a CA that I add as a certificate to my browser using the instructions from http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
2. Use this CA to sign a new certificate for my router
3. Replace the current certificates on my dd-wrt router with the new signed certificates.

I am not sure which files are needed. Do I need all three files (cert.pem, key.pem, privkey.pem)?

Will this work or not?

Thank you for all your help.

jissa
jtbr
DD-WRT Novice


Joined: 09 Mar 2017
Posts: 34

Posted: Sun Mar 26, 2017 14:05    Post subject:
Fast forward to 2017. HTTPS has become the norm. Browsers are rejecting self-signed certificates and other certificates without an issuer chain. And there is now a free service (letsencrypt.org) that will issue trusted certificates for your domain. Finally, Kong builds, at least, now include lighttpd servers by default.

I created a wiki article linked below that describes how to set up DD-WRT to use such a trusted, free certificate for a domain you control, served by lighttpd.

https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-DD-WRT-with-lighttpd

Hope it's helpful for somebody.
presb2k
DD-WRT Novice


Joined: 02 Nov 2017
Posts: 1

Posted: Fri Dec 08, 2017 11:36    Post subject:
jtbr wrote:
Fast forward to 2017. HTTPS has become the norm. Browsers are rejecting self-signed certificates and other certificates without an issuer chain. And there is now a free service (letsencrypt.org) that will issue trusted certificates for your domain. Finally, Kong builds, at least, now include lighttpd servers by default.

I created a wiki article linked below that describes how to set up DD-WRT to use such a trusted, free certificate for a domain you control, served by lighttpd.

https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-DD-WRT-with-lighttpd

Hope it's helpful for somebody.


Very much so, thanks.
duckasylum
DD-WRT Novice


Joined: 05 Dec 2017
Posts: 7

Posted: Mon Dec 18, 2017 13:35    Post subject:
jtbr wrote:
Fast forward to 2017. HTTPS has become the norm. Browsers are rejecting self-signed certificates and other certificates without an issuer chain. And there is now a free service (letsencrypt.org) that will issue trusted certificates for your domain. Finally, Kong builds, at least, now include lighttpd servers by default.

I created a wiki article linked below that describes how to set up DD-WRT to use such a trusted, free certificate for a domain you control, served by lighttpd.

https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-DD-WRT-with-lighttpd

Hope it's helpful for somebody.


Awesome, now all my internal x86 dd-wrt routers are using Let's Encrypt certificates via nsupdate dnsapi. Have to find a decent way to script the replacement of httpd GUI certificates but all in all very neat piece of code. Thanks!
tonivet
DD-WRT Novice


Joined: 07 Apr 2010
Posts: 8

Posted: Wed Jul 10, 2019 12:07    Post subject:
I only have: cert.pem, chain.pem, fullchain.pem and privkey.pem, but not key.pem. Which of them to use?
ChristianFr
DD-WRT Novice


Joined: 17 Feb 2017
Posts: 3

Posted: Thu Mar 05, 2020 11:24    Post subject: Setup certs from letsencrypt
Thanks to the OP for this solution. As things have changed a little bit since his solution, I give an up-to-date one here.

As the last visitor asked what to set, I post my actions.
I use letsencrypt on a different computer (not on the router).

I did the following; all the actions are done on the router shell (so you have to know how to ssh to your router first):
mkdir -p /jffs/etc/ssl

ssh xxx.xxx.xxx.xxx # (ssh to my letsencrypt server)
cd /etc/letsencrypt/archive/my.domain.com
# here, you will find your keys (maybe several sets of them)
# So, you have to replace the _x_ in the following command by the latest number you find in this directory...
# 192.168.1.1 is the router's IP
scp privkey_x_.pem cert_x_.pem fullchain_x_.pem 192.168.1.1:/jffs/etc/ssl
...
exit # to return to the router

cd /jffs/etc/ssl
ln -s privkey_x_.pem key.pem
ln -s fullchain_x_.pem host.pem
ln -s cert_x_.pem cert.pem

To use immediately, do:
stopservice httpd
mount -o bind /jffs/etc/ssl/key.pem /etc/key.pem
mount -o bind /jffs/etc/ssl/host.pem /etc/host.pem
mount -o bind /jffs/etc/ssl/cert.pem /etc/cert.pem
startservice httpd

# (here, ls /etc/*.pem should show files with the size of your certificates, and the connection to the router with your my.domain.com:port website should work with the certificate)

Then, to get the change at each reboot, go in the router website, Administration/Commands (page is called Diagnostics.asp). Click the Edit button in the startup text field, then add:
stopservice httpd
mount -o bind /jffs/etc/ssl/key.pem /etc/key.pem
mount -o bind /jffs/etc/ssl/host.pem /etc/host.pem
mount -o bind /jffs/etc/ssl/cert.pem /etc/cert.pem
startservice httpd

Click the "Save Startup" button at the bottom.

Don't forget that the certificates change every 3 months... You have to plan something to get them here again at the next renewal.

I hope this helps...

Christian
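
A pre-copy check for the procedure in the post above, as an added example that is not part of the original post: it confirms that the privkey, cert and fullchain files belong together and that the certificate is not about to expire before they are sent to the router. It assumes openssl is installed on the machine holding the files (for instance the letsencrypt server); the helper name check_cert_set and the 14-day default are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the thread): check a Let's Encrypt file set before
# copying it to the router. Assumes openssl is installed where this runs.

# check_cert_set KEY CERT FULLCHAIN [MIN_DAYS]   (hypothetical helper name)
# Return codes: 0 ok, 1 key does not match cert, 2 fullchain does not start
# with the leaf cert, 3 cert expires within MIN_DAYS, 4 unreadable/invalid file.
check_cert_set() {
    key=$1 cert=$2 chain=$3 min_days=${4:-14}

    # Public key derived from the private key vs. the one inside the cert.
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    [ "$k" = "$c" ] || return 1

    # openssl x509 reads only the first certificate in a file, which in
    # fullchain must be the same leaf certificate as cert.
    f1=$(openssl x509 -in "$chain" -noout -fingerprint -sha256 2>/dev/null) || return 4
    f2=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) || return 4
    [ "$f1" = "$f2" ] || return 2

    # -checkend exits non-zero if the cert expires within the given seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 || return 3
    return 0
}

# Stand-alone use: sh check.sh privkey_x_.pem cert_x_.pem fullchain_x_.pem
if [ "$#" -ge 3 ]; then
    check_cert_set "$@"
    rc=$?
    echo "check_cert_set returned $rc"
    exit "$rc"
fi
```

A non-zero result before the scp step means the httpd restart on the router would come up with a mismatched or soon-to-expire certificate, so the same check is useful in whatever job handles the 3-month renewal.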