cannot enable HTTPS web access protocol

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
Cold-Lemonade
DD-WRT Novice


Joined: 27 Mar 2021
Posts: 17

PostPosted: Wed Apr 14, 2021 3:27    Post subject: cannot enable HTTPS web access protocol Reply with quote
Hi all. I've searched the forum and have seen others reference the same problem I am experiencing (using earlier firmware versions), but I have not see a remedy.

I am running DD-WRT v3.0-r46177 std (03/26/21) on a Netgear r7000.

Here's the problem: After logging into the router for the first time and setting a new router username and password, I go to "Administration -> Management" to select "HTTPS" as the web protocol and de-select "HTTP". Afterwards, I cannot log into the GUI using https://192.168.1.1 in my web browser. Even though I have de-selected "HTTP", I connect using http://192.168.1.1. when I use Microsoft Edge. In Firefox, I get "Secure Connection Failed" and nothing loads.

Has anyone else experienced this? I am concerned that this is a major security issue as someone sniffing around would be able to see me change the router passwords, including the username and password for the root user.
Sponsor
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1276

PostPosted: Wed Apr 14, 2021 21:17    Post subject: Reply with quote
I know that others will complain at my response, but if you are on a local secure point-to-point connection, you do not need encryption....

Sometimes https is broken and will not start, if you are comfortable with the command line you could check to see if it is starting or not crashing...

The other aspect is if you are using the same https self signed cert from dd-wrt, then we all have that exact one, I can not remember if the cert is generated on the fly.
Cold-Lemonade
DD-WRT Novice


Joined: 27 Mar 2021
Posts: 17

PostPosted: Thu Apr 15, 2021 1:14    Post subject: Reply with quote
Wildlion wrote:
Sometimes https is broken and will not start, if you are comfortable with the command line you could check to see if it is starting or not crashing...

The other aspect is if you are using the same https self signed cert from dd-wrt, then we all have that exact one, I can not remember if the cert is generated on the fly.


Thank you, Wildlion.

By command line, I assume you mean ssh into the router as the root user. Once I do that, how do I check to see if https is starting and not crashing? Also, how do I determine which certificate I'm using? I haven't done anything specific to my version of dd-wrt.

Is there a way to enable https via the command line instead of enabling it in the web GUI?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12622
Location: Texas, USA

PostPosted: Thu Apr 15, 2021 1:56    Post subject: Reply with quote
Sorry I didn't respond sooner, but it's been discussed before:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323469

https://svn.dd-wrt.com/ticket/3589

_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Cold-Lemonade
DD-WRT Novice


Joined: 27 Mar 2021
Posts: 17

PostPosted: Thu Apr 15, 2021 2:22    Post subject: Reply with quote
kernel-panic69 wrote:
Sorry I didn't respond sooner, but it's been discussed before


Hi kernel-panic69. Thanks for pointing me to those two links. Please forgive my ignorance as I am very much a newbie, but the ticket doesn't indicate that this issue has been fixed. Is that correct?

Are there no commands that I can run at the command line that will enable the https GUI?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12622
Location: Texas, USA

PostPosted: Thu Apr 15, 2021 3:11    Post subject: Reply with quote
If you read the thread I linked, @Wildlion mentions what the command line arguments should be to get it working, if I am not mistaken. This has been one of those ongoing things of it does and doesn't work. I've never seen a need to use it as I usually have access locked down to wired ethernet only and don't enable remote access from the WAN.
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Cold-Lemonade
DD-WRT Novice


Joined: 27 Mar 2021
Posts: 17

PostPosted: Thu Apr 15, 2021 14:28    Post subject: Reply with quote
kernel-panic96, I assume you mean:

Code:
httpd -n -S -p 80 -m 443


In that thread, Wildlion says "be sure to stop httpd first (so there are no conflicts)". How do I stop httpd? Is it as simple as issuing the following command?

Code:
httpd stop


I'm still learning Linux and greatly appreciate the kind guidance from the good people of this forum.

UPDATE 1:

I ssh'ed into my router. I then went to the /usr/bin directory and issued the following command to stop httpd.

Code:
service httpd stop


This command returned the following message: "httpd : daemon successfully stopped"

I then issued the command suggested by @Wildlion:

Code:
httpd -n -S - p 80 -m 443


This command returned the following messages: "httpd : httpd server started at port 80" and "httpd : httpd SSL server started at port 443"

However, when I try to connect to my router by going to https://192.168.1.1, my browser gives an error message: "Your connection isn't private."

What am I doing wrong?

UPDATE 2:

To provide a little more detail, when I try to connect my web browser to https://192.168.1.1, I eventually get the following output in my terminal window connected to the router via ssh:

httpd : Request Error Code 408: Unexpected connection close in initial request

What does this mean?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12622
Location: Texas, USA

PostPosted: Thu Apr 15, 2021 15:52    Post subject: Reply with quote
The first error message is because it's a self-signed certificate. The second error is normal and benign. You will probably have to click whatever exception in your browser to get past the first error message and should be okay AFAIK.
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Cold-Lemonade
DD-WRT Novice


Joined: 27 Mar 2021
Posts: 17

PostPosted: Thu Apr 15, 2021 18:09    Post subject: Reply with quote
kernel-panic69 wrote:
The first error message is because it's a self-signed certificate. The second error is normal and benign. You will probably have to click whatever exception in your browser to get past the first error message and should be okay AFAIK.


Thank you kernel-panic69.

I have added 192.168.1.1 to the list of certificate exceptions in FireFox but I still get a message saying "Secure Connection Failed" and "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified." This occurs on my laptop only which connects to the router using wifi. I have a desktop with a relatively fresh installation of Windows 10 Pro that's wired to the router and it can access 192.168.1.1. So puzzling.

Any thoughts?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5124
Location: UK, London, just across the river..

PostPosted: Thu Apr 15, 2021 18:34    Post subject: Reply with quote
my https, on all my routers, its been fine for ages...
clear ffx cache and start all over..

chrome and chrome based browsers are not happy with DDWRT GUI...so, try to avoid those, FFx, Pale-moon, waterfox, opera...those i tried, best results pale-moon..

in my case its working...

click advanced, click accept risk and continue...

other solutions
reinstall firmware, start from scratch, manual rebuild do not load save files from different firmware builds...last Broadcom R7000 firmwares are fine, well at least those i run from my signature, but the last 46329 should be ok too..(highly reccomended)



Capture2.JPG
 Description:
 Filesize:  38.65 KB
 Viewed:  3413 Time(s)

Capture2.JPG



_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 49392 WAP
TP-Link WR1043NDv2 -DD-WRT 49418 Gateway,DNS,AP Isolation,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 49418 Gateway,DNS,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0b AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 49418 Gateway,DNS,AD-Block,AP&Net Isolation,VLAN's,Firewall,DoT,Vanilla
Netgear R9000 --DD-WRT 49418 Gateway,DNS,AD-Block,AP Isolation,Firewall,Forced DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 49418 Gateway,DNS,AD-Block,Firewall,Forced DNS,VLAN's,DoT,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1276

PostPosted: Thu Apr 15, 2021 22:39    Post subject: Reply with quote
yeah you may have to check on where your cert is in whatever browser you are using... if you are in firefox you will have to go to: about:preferences#privacy

and at the bottom it will be in the certs button, but be careful if you do not know what you are doing you can delete certs that you do need.

I already commented on the https need, but I have seen it broken before and if you have nothing else running you then will not be able to access the router
Cold-Lemonade
DD-WRT Novice


Joined: 27 Mar 2021
Posts: 17

PostPosted: Fri Apr 16, 2021 14:39    Post subject: Reply with quote
Something weird is going on with the web browsers on my laptop. I've added the exclusion for 192.168.1.1 to the certificates, but the laptop's browsers still can't connect to it. I get a more rudimentary message now. Just simple ASCII text saying: "we could not verify the certificate: reason = untrusted".

I am going to try flashing my router with the latest build of DD-WRT as Alozaros recommends. If that doesn't work, I'm contemplating installing a fresh copy of Windows 10 on my laptop.

Here is a very basic question: If I connect to my router's http (not https) over my LAN's wifi, my understanding is that my traffic is viewable to other devices on the same LAN. Is it viewable by devices outside the LAN, for example, by a tech-saavy kid in the neighborhood using his parents' computer? If the kid doesn't have access to my LAN, is my http traffic safe from him?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5124
Location: UK, London, just across the river..

PostPosted: Fri Apr 16, 2021 19:33    Post subject: Reply with quote
Cold-Lemonade wrote:
Something weird is going on with the web browsers on my laptop. I've added the exclusion for 192.168.1.1 to the certificates, but the laptop's browsers still can't connect to it. I get a more rudimentary message now. Just simple ASCII text saying: "we could not verify the certificate: reason = untrusted".

I am going to try flashing my router with the latest build of DD-WRT as Alozaros recommends. If that doesn't work, I'm contemplating installing a fresh copy of Windows 10 on my laptop.

Here is a very basic question: If I connect to my router's http (not https) over my LAN's wifi, my understanding is that my traffic is viewable to other devices on the same LAN. Is it viewable by devices outside the LAN, for example, by a tech-saavy kid in the neighborhood using his parents' computer? If the kid doesn't have access to my LAN, is my http traffic safe from him?


did you try to clear browser cache already...?
than follow the steps, ive no idea how the crap Win 10 works, as i never use it on my routers...but it must not be related to browser incompatibility at all...
if you connect to your router GUI via http, than if anyone is sniffing on your LAN, he will catch your username and pass for the (GUI / routers interface)

connecting to your WiFi/using your WiFi, has nothing common with http to your router GUI...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 49392 WAP
TP-Link WR1043NDv2 -DD-WRT 49418 Gateway,DNS,AP Isolation,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 49418 Gateway,DNS,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0b AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 49418 Gateway,DNS,AD-Block,AP&Net Isolation,VLAN's,Firewall,DoT,Vanilla
Netgear R9000 --DD-WRT 49418 Gateway,DNS,AD-Block,AP Isolation,Firewall,Forced DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 49418 Gateway,DNS,AD-Block,Firewall,Forced DNS,VLAN's,DoT,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
Cold-Lemonade
DD-WRT Novice


Joined: 27 Mar 2021
Posts: 17

PostPosted: Sat Apr 17, 2021 1:43    Post subject: Reply with quote
Alozaros wrote:
did you try to clear browser cache already...?
than follow the steps, ive no idea how the crap Win 10 works, as i never use it on my routers...but it must not be related to browser incompatibility at all...


Thanks, I have cleared the browser cache in Firefox and Edge browsers and added the permissions to the certificate sections, and still I get the cannot connect messages. Truly puzzling.

I'm going to flash my router with the most recent DD-WRT build and see if that changes anything.
arpadf78
DD-WRT Novice


Joined: 01 Jan 2021
Posts: 5

PostPosted: Fri Jun 04, 2021 14:23    Post subject: Reply with quote
I'm not sure if my situation is unique; and I did something causing it (but I don't remember doing so)... I was getting the following error from Firefox:

Quote:
Error code: SEC_ERROR_INADEQUATE_KEY_USAGE


When Firefox is showing this error there is no option to click advanced and "accept the risk"; so I was forced to use IE just to access DD-WRT. Today I finally said "enough is enough" and started invesigating Smile

What I found out that I had the NewMedia-NET certificate in the People's tab inside the Certificate Manager (no ideea how it ended up there)

So I deleted the certificate from there and used the Add Exception option inside the Servers' tab (it seems to be equivalent of accepting the risk from the main page)

And now I can access DD-WRT using Firefox (89.0). Hopefully it helps somebody.



Firefox2.png
 Description:
Add the DD-WRT certificate here
 Filesize:  52.74 KB
 Viewed:  2907 Time(s)

Firefox2.png



Firefox1.png
 Description:
Delete the DD-WRT certificate from here
 Filesize:  32.05 KB
 Viewed:  2906 Time(s)

Firefox1.png


Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum