Change SSL cert for HTTPS certificates

DD-WRT Forum Index -> Contributions Upload
maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

PostPosted: Fri Feb 28, 2014 10:06
I do not see the files that are to be bound inside /jffs/etc:
my_certificate.pem for cert.pem
my_key.pem for key.pem
my_privkey.pem for privkey.pem

So check that all file names match in /jffs/etc and in the script.



The easiest way to check if a config script is started is to write date and time into a text file, e.g.:

Code:
# place directly as the first commands after #!/bin/sh
echo 'startup.config' >>/tmp/myconfig.log
date >>/tmp/myconfig.log

# and these after determination of MOUNT_PATH
echo "  SELF_PATH: ${SELF_PATH}" >>/tmp/myconfig.log
echo "  MOUNT_PATH: ${MOUNT_PATH}" >>/tmp/myconfig.log

If it is not started, then check the owner, group and permissions of the script plus all related DD-WRT settings.
Additionally, try to manually start the startup script and see if ${MOUNT_PATH} is correctly determined.

If it is started, then check out the log; it may have to be adapted to the new DD-WRT release.

Maddes
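A defensive version of the bind-mount startup script this thread is about, added here as an example (it is not the attached script from the original post): it logs every step to /tmp/myconfig.log as suggested above and refuses to mount when a source file is missing, empty or of the wrong type, so a mismatched file name shows up in the log instead of as a silently unchanged certificate. The source directory /jffs/etc/ssl and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not the script from this thread: a bind-mount startup script
# that logs each step to /tmp (as suggested above) and refuses to mount when a
# source file is missing, empty or of the wrong type, so a mismatched file name
# shows up in the log instead of as a silently unchanged certificate.
# Assumed paths: /jffs/etc/ssl for the files, /tmp/myconfig.log for the log.
LOG=/tmp/myconfig.log
SRC_DIR=/jffs/etc/ssl

log() {
    echo "$(date) $*" >>"$LOG"
}

# Returns 0 only if $1 exists, is non-empty and contains a PEM block whose
# label contains $2 (CERTIFICATE or "PRIVATE KEY"); otherwise logs why.
check_file() {
    if [ ! -s "$1" ]; then
        log "missing or empty: $1"
        return 1
    fi
    if ! grep -q -- "-----BEGIN.*$2-----" "$1"; then
        log "no $2 block in $1"
        return 1
    fi
    return 0
}

# Bind the checked files over the read-only copies in /etc, then restart
# httpd so it re-reads them (stopservice/startservice are DD-WRT commands).
bind_certs() {
    check_file "$SRC_DIR/cert.pem" CERTIFICATE || return 1
    check_file "$SRC_DIR/key.pem" "PRIVATE KEY" || return 1
    chmod 0600 "$SRC_DIR/key.pem"
    mount -o bind "$SRC_DIR/cert.pem" /etc/cert.pem || { log "bind of cert.pem failed"; return 1; }
    mount -o bind "$SRC_DIR/key.pem" /etc/key.pem || { log "bind of key.pem failed"; return 1; }
    log "bound $SRC_DIR/cert.pem and key.pem over /etc, restarting httpd"
    stopservice httpd
    startservice httpd
}

log "startup script started as $0"
bind_certs || log "certificates not bound, httpd keeps the built-in ones"
```

After a reboot, /tmp/myconfig.log tells you both whether the script ran at all and which file, if any, it rejected.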
sconstantine
DD-WRT Novice


Joined: 01 Feb 2012
Posts: 13

PostPosted: Tue Mar 04, 2014 4:52
Many thanks for your guidance, Maddes; great diagnostic approach. It turns out the startup script is not running. I've triple-checked perms and ownership; I don't see anything preventing it from running. Do you?

Code:

root@r7000:/jffs/etc/config# ls -la
drwxr-xr-x    2 root     root             0 Mar  3 18:49 .
drwxr-xr-x    4 root     root             0 Mar  3 18:49 ..
-rwxr-xr-x    1 root     root          1024 Mar  3 18:49 binds_on_mount.startup


As a test, I injected the output commands to echo myconfig.log into the 'startup command' in the GUI and it processed successfully; has something changed in the DD-WRT builds for startup configs (or am I missing something in the execute permissions)?

Thanks again~
maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

PostPosted: Tue Mar 04, 2014 17:38
@sconstantine:
Have you checked the file names in your startup script? They must correspond to the files in the folder.

Will try to check out the latest DD-WRT build in the next weeks.
sconstantine
DD-WRT Novice


Joined: 01 Feb 2012
Posts: 13

PostPosted: Sun Mar 23, 2014 0:24
@maddes.b:

I've tried what feels like everything now. Have you had a chance to test on a newer WRT build? The only functional method I have at this time is with a startup script (thus unfortunately chewing up my NVRAM).

Many thanks again for your assistance!
maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

PostPosted: Wed Mar 26, 2014 2:55    Post subject: Still working in r23720
@sconstantine:
Still working for me on r23720 (tested via /jffs). Will contact you via PM.
sconstantine
DD-WRT Novice


Joined: 01 Feb 2012
Posts: 13

PostPosted: Fri Mar 28, 2014 4:13
Got it working, sharing for anyone else with a similar issue.

Turns out my problem was that the /jffs on my external USB was mounting *after* the /jffs automount from internal memory, therefore the .startup script I was modifying and testing was not actually running on startup but only when I manually tested it from the shell.

Simply disabled jffs2 in the WebUI as suggested here:
www.dd-wrt.com/phpBB2/viewtopic.php?t=88122

...and the startup script binds the certs perfectly on DD-WRT v24-sp2, Linux kernel version 3.10.25 #791 SMP.

Thanks again for your help Maddes!!
kris18890
DD-WRT Novice


Joined: 06 Oct 2011
Posts: 28
Location: Belfast, Ireland

PostPosted: Tue Nov 25, 2014 23:40
tjcravey wrote:
Just put this in the Commands box on the Administration/Commands tab and click Save Startup. Replace the Xs with your actual keys/certs, of course.

Code:

mkdir /tmp/ssl

echo "-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----" > /tmp/ssl/key.pem

echo "-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----" > /tmp/ssl/cert.pem

chmod 0600 /tmp/ssl/key.pem

mount -o bind /tmp/ssl/cert.pem /etc/cert.pem
mount -o bind /tmp/ssl/key.pem /etc/key.pem

stopservice httpd
startservice httpd


I used the above on a Linksys E3000 SVN 24160 K3 (BrainSlayer) & it worked perfectly.
metsfan
DD-WRT Novice


Joined: 24 Feb 2015
Posts: 3

PostPosted: Tue Feb 24, 2015 16:09
kris18890 wrote:
tjcravey wrote:
Just put this in the Commands box on the Administration/Commands tab and click Save Startup. Replace the Xs with your actual keys/certs, of course.

Code:

mkdir /tmp/ssl

echo "-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----" > /tmp/ssl/key.pem

echo "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----" > /tmp/ssl/cert.pem

chmod 0600 /tmp/ssl/key.pem

mount -o bind /tmp/ssl/cert.pem /etc/cert.pem
mount -o bind /tmp/ssl/key.pem /etc/key.pem

stopservice httpd
startservice httpd


I used the above on a Linksys E3000 SVN 24160 K3 (BrainSlayer) & it worked perfectly.


This bricked my WNR3500L. Trashed stuff in board_data.

Had a WNDR3700v4 I'd been meaning to switch to lying around. Got jffs up and running on it, and just put this in startup:
Code:
mount -o bind /jffs/etc/ssl/cert-combined.pem /etc/cert.pem
mount -o bind /jffs/etc/ssl/key.pem /etc/key.pem
mount -o bind /jffs/etc/ssl/privkey.pem /etc/privkey.pem

stopservice httpd
startservice httpd


Works great! And not really too upset about losing the WNR3500L. May try to salvage it, but I like the new one better anyway.
maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

PostPosted: Tue Feb 24, 2015 17:21
@metsfan:
As stated in this post of this thread, it is not a good idea to use NVRAM to store long keys.
Use JFFS on flash ROM or a USB stick to keep the key as a file outside NVRAM (as you have done with your WNDR3700v4).
metsfan
DD-WRT Novice


Joined: 24 Feb 2015
Posts: 3

PostPosted: Wed Feb 25, 2015 1:17
maddes.b wrote:
@metsfan:
As stated in this post of this thread, it is not a good idea to use NVRAM to store long keys.
Use JFFS on flash ROM or a USB stick to keep the key as a file outside NVRAM (as you have done with your WNDR3700v4).


Yep, guess I learned my lesson.
metsfan
DD-WRT Novice


Joined: 24 Feb 2015
Posts: 3

PostPosted: Wed Feb 25, 2015 5:52
Okay, now I've got another issue.

I'm using a StartCom Class 2 certificate. It uses an intermediate certificate that is not in all browser certificate stores. On other sites, I just concatenate the certificates together into one file, and it works fine.

Code:
cat mycert.pem intermediatecert.pem > cert.pem


It seems the dd-wrt httpd is only serving up my certificate, not the intermediate one as well. Has anyone run into this?

I guess it's not really a big deal. Desktop browsers seem to work. Chrome for Android (and online SSL testers) seem to be the only place it causes a problem.

Edit: Strangely, my Chrome Android issue has gone away here, now gives me the green lock. Online checker still says it's an incomplete certificate chain, though.
david.woodward
DD-WRT Novice


Joined: 12 Mar 2011
Posts: 6

PostPosted: Tue Mar 10, 2015 8:51
metsfan wrote:
Okay, now I've got another issue.

I'm using a StartCom Class 2 certificate. It uses an intermediate certificate that is not in all browser certificate stores. On other sites, I just concatenate the certificates together into one file, and it works fine.

Code:
cat mycert.pem intermediatecert.pem > cert.pem


It seems the dd-wrt httpd is only serving up my certificate, not the intermediate one as well. Has anyone run into this?

I guess it's not really a big deal. Desktop browsers seem to work. Chrome for Android (and online SSL testers) seem to be the only place it causes a problem.

Edit: Strangely, my Chrome Android issue has gone away here, now gives me the green lock. Online checker still says it's an incomplete certificate chain, though.


Same issue here. I am using an older build though (kongac build 24345M works best on my router). So, maybe I should try a newer build and see if the problem has been fixed.

For the time being I'm just going to add the intermediate CA to my Android certificate store. It creates an annoying "your network may be monitored" warning at boot, but I'd rather have that notification once on boot than this SSL error every time I browse to my router URL. Especially since Chrome on Android doesn't really give you enough information to know if you're the victim of a man-in-the-middle attack (can't view cert details).
molocho
DD-WRT Novice


Joined: 14 May 2014
Posts: 10

PostPosted: Mon Apr 27, 2015 19:22
metsfan wrote:
I'm using a StartCom Class 2 certificate. [...] Desktop browsers seem to work. [...]


StartCom Class 2: +1 here

I can't get it to work at all on 25408. I can confirm that the certificate content gets copied into the pem files which are mounted into /etc. Even when I restarted the httpd service afterwards, every browser tells me the site is not reachable.

Would you write down a short tutorial on how you got at least this far? Thanks for your effort!
Searinox
DD-WRT Novice


Joined: 22 Dec 2010
Posts: 43

PostPosted: Tue Jun 23, 2015 17:20
Hello, I have a few questions about the auto-cert script. I couldn't get it to work.

I have put the following in Administration -> Commands and hit "Save Startup":

Code:

mkdir /tmp/ssl

echo "-----BEGIN RSA PRIVATE KEY-----

<KEY GOES HERE>-----END RSA PRIVATE KEY-----" > /tmp/ssl/key.pem

echo "-----BEGIN CERTIFICATE-----

<CERT GOES HERE>-----END CERTIFICATE-----" > /tmp/ssl/cert.pem

chmod 0600 /tmp/ssl/key.pem

mount -o bind /tmp/ssl/cert.pem /etc/cert.pem
mount -o bind /tmp/ssl/key.pem /etc/key.pem

stopservice httpd
startservice httpd


1. The format specified in the original post for the key is

"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxx".

Now I have taken this spacing ad litteram and actually used as many characters as shown in that post, then hit a new row and continued. Was that needed, or was it just for readability's sake and the cert is supposed to have no returns/new rows in the key? When I generated the cert in OpenSSL, it didn't use that separation.

2. I generated an RSA-4096 key instead of 2048. Are those supported or not? This is the command line I used:

Code:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 8192


Did I do anything wrong?

3. When I try to connect via HTTPS, both Firefox and Internet Explorer report a vague problem with the certificate just like before. But I would like to actually see the certificate. When you're connected to a website I know you can see its certificate, but when the connection is refused, is there any way to see it? I'd like to see if my cert is actually in there, and if it is readable at all.
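Added example, not code from the thread: a set of openssl checks to run on a workstation before copying the PEM files to the router. It covers the incomplete-chain symptom metsfan describes (only the leaf certificate is served) and Searinox's questions about whether the certificate file is readable at all and whether the key and certificate belong together. The file names leaf.pem, intermediate.pem, root.pem and cert.pem are assumptions; openssl is assumed to be installed on the workstation.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the PEM files on a
# workstation with openssl before copying them to the router. It covers the
# two problems raised above: a chain that stops at the leaf (online checkers
# report it incomplete) and a certificate/key pair that is unreadable or does
# not belong together. File names leaf.pem, intermediate.pem, root.pem and
# cert.pem are assumptions; replace them with your own.

# Number of certificate blocks in a PEM file. The bundle that ends up as
# /etc/cert.pem must contain leaf AND intermediate, so expect 2 here, not 1.
cert_count() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1"
}

# Does the file parse as a certificate at all? Prints subject and expiry,
# the quickest way to see whether the right cert is really "in there".
cert_readable() {
    openssl x509 -in "$1" -noout -subject -enddate 2>/dev/null
}

# The public key inside the leaf must equal the public half of the private
# key; if either file fails to parse, that is a failure too, not a match.
key_matches_cert() {   # $1=leaf cert  $2=private key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Verify the leaf the way a client without the intermediate in its store
# does once the server sends it: root trusted, intermediate untrusted.
chain_ok() {   # $1=leaf  $2=intermediate  $3=root
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Build cert.pem in the order TLS requires: leaf first, then its issuer.
build_bundle() {   # $1=leaf  $2=intermediate  $3=output bundle
    cat "$1" "$2" >"$3"
}

# What the router actually sends: count certificates in the handshake.
# 1 means only the leaf is served, which is the symptom described above.
served_chain_count() {   # $1=router host or IP
    openssl s_client -connect "$1:443" -showcerts </dev/null 2>/dev/null |
        grep -c -- '^-----BEGIN CERTIFICATE-----'
}
```

served_chain_count works even when a browser refuses the connection, because s_client prints the certificates it received before any trust decision is made.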
ex3r
DD-WRT Novice


Joined: 21 Jan 2010
Posts: 33

PostPosted: Mon Jul 20, 2015 4:22
1. Drop the attached user-cert.startup file into /etc/config and make it executable

Downloaded and dropped the user-cert-startup file onto /etc/config.

My question is how can I make the file executable now?
Page 3 of 4
All times are GMT