OpenWrt Forum Archive

Topic: https configuration for uhttpd

The content of this topic has been archived on 1 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello, I would like to run a https server on OpenWrt (Backfire) that is visible from WAN and certified by a CA recognized by most browsers.

If I put the ssl certificate and the corresponding private key file in /etc/uhttpd.crt and /etc/uhttpd.key respectively, the site works after opening port 443 on the firewall, but browsers still complain because of the lack of the certificate chain to the trusted authority.

Question: where does this certificate chain file go and how to configure it in uhttpd? Just for the reference, in Apache, it is configured by SSLCertificateChainFile.

Thanks in advance!

Unfortunately, I may not be able to help you. However, I sure would like to ask if you can post here how you came about (generated) these two files /etc/uhttpd.crt and /etc/uhttpd.key. I am sure a lot of readers here will benefit from it.

Thanks.

Paste your uhttpd configuration (in BBCode):

uci export uhttpd
mazilo wrote:

Unfortunately, I may not be able to help you. However, I sure would like to ask if you can post here how you came about (generated) these two files /etc/uhttpd.crt and /etc/uhttpd.key. I am sure a lot of readers here will benefit from it.

Thanks.

That is fairly easy. Actually, you only generate the key; the certificate comes from the Certification Authority (CA). The most straightforward way of getting these files is first generating a key and a certification request using

openssl req

as described in the corresponding openssl man page (man req) and getting the request signed by some CA (see their corresponding webpages for instructions, they are quite different). Finally, you need to convert the private key and the certificate from the ascii-armored PEM format in which they are usually available to the more economical binary DER format used by uhttpd:

openssl rsa -in yourkeyfile.pem -outform DER -out uhttpd.key
openssl x509 -in yourcertfile.pem -outform DER -out uhttpd.crt

That's it.

written_direcon wrote:

Paste your uhttpd configuration (in BBCode):

uci export uhttpd

Nothing special:

package 'uhttpd'

config 'uhttpd' 'main'
    list 'listen_http' '0.0.0.0:80'
    list 'listen_https' '0.0.0.0:443'
    option 'home' '/www'
    option 'rfc1918_filter' '1'
    option 'cert' '/etc/uhttpd.crt'
    option 'key' '/etc/uhttpd.key'
    option 'cgi_prefix' '/cgi-bin'
    option 'script_timeout' '60'
    option 'network_timeout' '30'

In case it was not clear, you typically run openssl on your workstation, not on the OpenWrt device. While it is available for OpenWrt as well, there is no point in doing it there and many good reasons not to.

Instead of using the big openssl package you can install the px5g package.

written_direcon wrote:

Instead of using the big openssl package you can install the px5g package.

As I have said, you don't do this on your OpenWrt device, unless you absolutely have to. On a workstation, openssl is not an issue (it is very probably already installed). But yeah, if you have no other option (e.g. you are stuck with a wifi router and a smartphone with an ssh client but with no computer and you still want to get the work done), then px5g is the way to go.

(Last edited by nagydani on 16 Mar 2011, 16:08)

nagydani wrote:
mazilo wrote:

Unfortunately, I may not be able to help you. However, I sure would like to ask if you can post here how you came about (generated) these two files /etc/uhttpd.crt and /etc/uhttpd.key. I am sure a lot of readers here will benefit from it.

Thanks.

That is fairly easy. Actually, you only generate the key; the certificate comes from the Certification Authority (CA). The most straightforward way of getting these files is first generating a key and a certification request using

openssl req

as described in the corresponding openssl man page (man req) and getting the request signed by some CA (see their corresponding webpages for instructions, they are quite different). Finally, you need to convert the private key and the certificate from the ascii-armored PEM format in which they are usually available to the more economical binary DER format used by uhttpd:

openssl rsa -in yourkeyfile.pem -outform DER -out uhttpd.key
openssl x509 -in yourcertfile.pem -outform DER -out uhttpd.crt

That's it.

Thanks.

But again, this will not get you a publicly accessible https server that browsers will accept as secure, because the certificate chain to the CA is missing. Does uhttpd have some configuration option for this? I'll take a look at the source code, if no one knows the answer.

nagydani wrote:

Does uhttpd have some configuration option for this? I'll take a look at the source code, if no one knows the answer.

Wiki: Web Server Configuration (uHTTPd)

written_direcon wrote:
nagydani wrote:

Does uhttpd have some configuration option for this? I'll take a look at the source code, if no one knows the answer.

Wiki: Web Server Configuration (uHTTPd)

Thank you, but that is where I started off. It does not answer my question.

However, I have looked into the source code and figured out the answer: you cannot. It is fairly easy to patch uhttpd to use certificate chains. I have done it and after sufficient testing will submit the patch to OpenWrt-devel mailing list. Stay tuned.

Hi nagydani,

Is the patch done? Is uHTTPd working fine with https?
Thanks in advance

ram_rattle wrote:

Is the patch done? is uHTTPd working fine with https?

Just for the record: I'm using uhttpd_2015-11-08 from a trunk build (r48648) of "Designated Driver", and certificate chains can be used here without problems.

I didn't even have to convert from PEM to DER, I just concatenated the server cert and intermediate certs into a single file:

cat /root/server.crt /root/1_root_bundle_1.crt /root/1_root_bundle_2.crt >uhttpd.crt
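Added example, not from any post in this thread: the key-and-request procedure nagydani describes and the chain-file concatenation from the last post, run end to end with a throwaway two-tier CA standing in for the public CA so it works offline. The hostname router.example, the file names and the $WORK scratch directory are placeholders; the checks at the end (chain verifies to the root, key matches the certificate) are the ones worth running before opening port 443.

```shell
#!/bin/sh
# Added example (not from the thread). A toy root + intermediate CA stands in
# for the real CA; all files are created in the scratch directory $WORK.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext   # marks a cert as a CA

issue() {  # issue <csr> <ca-cert> <ca-key> <serial> <out-cert> [extfile]
  ext=""
  if [ -n "${6:-}" ]; then ext="-extfile $6"; fi
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" -days 1 \
    -out "$5" $ext 2>/dev/null
}

# Stand-in CA: self-signed root plus an intermediate (the real CA does this).
make_toy_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root" \
    -keyout root.key.pem -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key.pem -set_serial 1 -days 1 \
    -extfile ca.ext -out root.crt.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate" \
    -keyout inter.key.pem -out inter.csr 2>/dev/null
  issue inter.csr root.crt.pem root.key.pem 2 inter.crt.pem ca.ext
}

# Step 1 (your side): private key and certificate request with "openssl req".
# Step 2 (the CA's side): the request comes back signed by the intermediate.
# Step 3: chain file = server cert followed by the intermediate(s), kept in
#         PEM because a DER file holds exactly one certificate.
build_chain() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=router.example" \
    -keyout server.key.pem -out server.csr 2>/dev/null
  issue server.csr inter.crt.pem inter.key.pem 3 server.crt.pem
  cat server.crt.pem inter.crt.pem > uhttpd.crt
  # The PEM-to-DER conversion from the thread (single cert, no chain).
  openssl rsa -in server.key.pem -outform DER -out uhttpd.key 2>/dev/null
  openssl x509 -in server.crt.pem -outform DER -out server.crt.der
}

chain_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# What a browser does: walk from the server cert through the intermediates
# supplied in the chain file up to a root it already trusts.
verify_chain() { openssl verify -CAfile root.crt.pem -untrusted uhttpd.crt server.crt.pem >/dev/null; }

# The private key must belong to the certificate: compare the RSA moduli.
key_matches_cert() {
  [ "$(openssl x509 -noout -modulus -in server.crt.pem)" = \
    "$(openssl rsa -noout -modulus -in server.key.pem 2>/dev/null)" ]
}

make_toy_ca && build_chain && verify_chain && key_matches_cert && echo "chain OK"
```

If verify_chain fails with the real CA's files, the intermediate in the chain file is usually the wrong one or missing, which is exactly what makes browsers complain about an untrusted chain.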

The discussion might have continued from here.