Posted: Mon Aug 03, 2015 5:45 Post subject: Is this possible
I am trying to avoid the connection un-trusted error whenever I connect using https to my router. My thoughts are:
1. Create a CA that I add as a certificate to my browser using the instructions from http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
2. Use this CA to sign a new certificate for my router
3. Replace the current certificates on my dd-wrt router with the new signed certificates.
I am not sure which files are needed. Do I need all three files (cert.pem, key.pem, privkey.pem)?
Fast forward to 2017. HTTPS has become the norm. Browsers are rejecting self-signed certificates and other certificates without an issuer chain. And there is now a free service (letsencrypt.org) that will issue trusted certificates for your domain. Finally, Kong builds, at least, now include lighttpd servers by default.
I created a wiki article linked below that describes how to set up DD-WRT to use such a trusted, free certificate for a domain you control, served by lighttpd.
Awesome, now all my internal x86 dd-wrt routers are using Let's Encrypt certificates via the nsupdate dnsapi. I have to find a decent way to script the replacement of the httpd GUI certificates, but all in all a very neat piece of code. Thanks!
Posted: Thu Mar 05, 2020 11:24 Post subject: Setup certs from letsencrypt
Thanks to the OP for this solution. As things have changed a little since his solution, I give an up-to-date one here.
As the last visitor asked what to set, I post my actions.
I use letsencrypt on a different computer (not on the router).
I did the following; all the actions are done on the router shell (so you have to know how to ssh to your router first):
mkdir -p /jffs/etc/ssl
ssh xxx.xxx.xxx.xxx # (ssh to my letsencrypt server)
cd /etc/letsencrypt/archive/my.domain.com
# here, you will find your keys (maybe several sets of them)
# So, you have to replace the _x_ in the following command by the latest number you find in this directory...
# 192.168.1.1 is the router's IP
scp privkey_x_.pem cert_x_.pem fullchain_x_.pem 192.168.1.1:/jffs/etc/ssl
...
exit # to return to the router
To use immediately, do:
stopservice httpd
mount -o bind /jffs/etc/ssl/key.pem /etc/key.pem
mount -o bind /jffs/etc/ssl/host.pem /etc/host.pem
mount -o bind /jffs/etc/ssl/cert.pem /etc/cert.pem
startservice httpd
# (here, ls /etc/*.pem should show files with the size of your certificates, and connecting to the router at your my.domain.com:port website should work with the certificate)
Then, to apply the change at each reboot, go to the router web interface, Administration/Commands (the page is called Diagnostics.asp). Click the Edit button in the startup text field, then add:
stopservice httpd
mount -o bind /jffs/etc/ssl/key.pem /etc/key.pem
mount -o bind /jffs/etc/ssl/host.pem /etc/host.pem
mount -o bind /jffs/etc/ssl/cert.pem /etc/cert.pem
startservice httpd
Click the "Save Startup" button at the bottom.
Don't forget that the certificates change every 3 months... You have to plan something to get them onto the router again at the next renewal.
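One way to script the renewal step the post leaves open, as an added example and not the poster's own script: it runs on the Let's Encrypt host (not the router), picks the newest numbered set from certbot's archive directory (certbot writes privkey1.pem, privkey2.pem, ... on each renewal), refuses to ship a key that does not match its certificate or a certificate that is about to expire, copies the three files to /jffs/etc/ssl under the names the post's bind mounts use, and re-runs the bind mounts over ssh. Assumptions that are not in the post: the archive path /etc/letsencrypt/archive/my.domain.com, openssl installed on the Let's Encrypt host, key-based ssh/scp to the router as root, and the mapping key.pem = private key, cert.pem = leaf certificate, host.pem = full chain (the post does not say which file is which; change LEAF_NAME/CHAIN_NAME if your build expects the opposite).

```shell
#!/bin/sh
# Added example, not the poster's code. Runs on the Let's Encrypt host, not on the router.
# Assumed: certbot's archive layout /etc/letsencrypt/archive/<domain>/{privkey,cert,fullchain}N.pem,
# openssl on this host, key-based ssh/scp to the router as root, and the router-side names
# key.pem (private key), cert.pem (leaf), host.pem (full chain). Adjust the *_NAME variables if needed.

DOMAIN="${DOMAIN:-my.domain.com}"
ARCHIVE="${ARCHIVE:-/etc/letsencrypt/archive/$DOMAIN}"
ROUTER="${ROUTER:-root@192.168.1.1}"
DEST="${DEST:-/jffs/etc/ssl}"
KEY_NAME=key.pem
LEAF_NAME=cert.pem
CHAIN_NAME=host.pem

# Print the highest N among privkeyN.pem in the directory given as $1.
# certbot keeps every past set in archive/ and only the newest N is current.
latest_serial() {
    n=0
    for f in "$1"/privkey*.pem; do
        [ -e "$f" ] || continue
        s=${f##*/privkey}; s=${s%.pem}
        case "$s" in ''|*[!0-9]*) continue ;; esac   # skip anything that is not a plain number
        [ "$s" -gt "$n" ] && n=$s
    done
    [ "$n" -gt 0 ] || return 1
    echo "$n"
}

# True if private key $1 and certificate $2 carry the same public key.
# Both sides are rendered as SubjectPublicKeyInfo PEM so a mismatched pair is caught here,
# not by a non-starting httpd on the router.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# True if certificate $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

deploy() {
    n=$(latest_serial "$ARCHIVE") || { echo "no privkeyN.pem under $ARCHIVE" >&2; return 1; }
    key="$ARCHIVE/privkey$n.pem"; leaf="$ARCHIVE/cert$n.pem"; chain="$ARCHIVE/fullchain$n.pem"
    key_matches_cert "$key" "$leaf" || { echo "set $n: key and certificate do not match" >&2; return 1; }
    cert_valid_for_days "$leaf" 7 || { echo "set $n: certificate expires within 7 days, renew first" >&2; return 1; }
    scp "$key"   "$ROUTER:$DEST/$KEY_NAME"
    scp "$leaf"  "$ROUTER:$DEST/$LEAF_NAME"
    scp "$chain" "$ROUTER:$DEST/$CHAIN_NAME"
    # Same bind-mount sequence as the post's startup script, run remotely so httpd reloads the files.
    # The umounts drop a binding left by the startup script so the mounts do not stack.
    ssh "$ROUTER" "stopservice httpd; \
        umount /etc/key.pem /etc/host.pem /etc/cert.pem 2>/dev/null; \
        mount -o bind $DEST/$KEY_NAME /etc/key.pem; \
        mount -o bind $DEST/$CHAIN_NAME /etc/host.pem; \
        mount -o bind $DEST/$LEAF_NAME /etc/cert.pem; \
        startservice httpd"
}

# Only deploy when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

Run it as `./deploy-router-cert.sh deploy` from certbot's `--deploy-hook` (certbot invokes the hook only when a renewal actually produced new files), and keep the startup script from the post in place so the bind mounts also survive a reboot.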