I was able to get Let's Encrypt to issue a certificate from OpenWRT CC 15.05 and then use it for an internal host with LuCI over HTTPS. No guarantee this configuration will work for you or that it is secure.
1. Create a free subdomain with DuckDNS.org. There are some other free subdomain providers, but they must be registered with the public suffix list to avoid quota limits on certificates with Let's Encrypt.
2. Configure the DDNS package to have OpenWrt automatically update DuckDNS with your WAN IP address.
3. Install TLS to enable HTTPS on uhttpd:
    opkg install uhttpd-mod-tls
4. Enable uhttpd to respond to requests to your duckdns.org subdomain from devices on your private LAN. This is required because uhttpd seems to reject by default any requests from a private LAN host to the WAN address, which is what your DuckDNS subdomain resolves to.
    uci set uhttpd.main.rfc1918_filter='0'
    # save the change so it survives a restart
    uci commit uhttpd
5. Install packages required by the acme.sh script:
    opkg install coreutils-stat
    opkg install netcat
6. Download and install the acme.sh shell script from Neilpang on GitHub.
7. Edit this script to change the stand-alone webserver port to something other than 80 or 443, assuming you have uhttpd already running on those ports. Search for this line and change 80 to an open port number, such as 8080
8. Enable port forwarding on port 80 on WAN to the stand-alone webserver port selected in step 7:
    # open port for HTTP validation
    uci add firewall redirect
    uci set firewall.@redirect[-1].target=DNAT
    uci set firewall.@redirect[-1].src=wan
    uci set firewall.@redirect[-1].proto=tcp
    uci set firewall.@redirect[-1].src_dport=80
    uci set firewall.@redirect[-1].dest=lan
    uci set firewall.@redirect[-1].dest_ip=[YOUR OPENWRT LAN IP ADDRESS]
    uci set firewall.@redirect[-1].dest_port=[THE PORT YOU CONFIGURED FOR THE SCRIPT, such as 8080]
    uci commit firewall
    # restart firewall
    /etc/init.d/firewall restart
9. Generate the certificate with Let's Encrypt using the shell script's stand-alone webserver for HTTP authentication:
    acme.sh --issue --standalone -d example.duckdns.org
10. Assuming step 9 worked, close port 80 from WAN access that was opened in step 8:
    uci delete firewall.@redirect[-1]
    uci commit firewall
    # restart firewall
    /etc/init.d/firewall restart
11. Configure uhttpd to use the Let's Encrypt certificate and key generated in step 9:
    cp example.duckdns.org.cer /etc/uhttpd.crt
    cp example.duckdns.org.key /etc/uhttpd.key
    chmod 400 /etc/uhttpd.key
12. Restart the uhttpd webserver.
13. Assuming that all worked, try to navigate to your DuckDNS subdomain from a PC on your LAN with HTTPS.
Note that Let's Encrypt certificates expire after 90 days, so you'll need to set up a cron job or something to renew them.
(Last edited by languagegame on 4 Jun 2016, 08:07)
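
Steps 8 to 11 and the renewal note, combined into one cron-friendly script as an added example (not part of the original post or of acme.sh): the WAN port-80 redirect is open only while acme.sh runs and is removed on every exit path, including a failed renewal. The named section `acme_http`, the default LAN IP, the acme.sh install and certificate paths, and the script path in the last comment are assumptions; it also assumes acme.sh reuses the stand-alone mode saved when the certificate was issued.

```shell
#!/bin/sh
# Added example: renew with the WAN port-80 redirect open only while acme.sh runs.
# All defaults below are assumptions; override them via the environment.
DOMAIN="${DOMAIN:-example.duckdns.org}"
LAN_IP="${LAN_IP:-192.168.1.1}"          # router LAN address (assumed)
ACME_PORT="${ACME_PORT:-8080}"           # stand-alone port chosen in step 7
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"   # acme.sh install path (assumed)
CERT_DIR="${CERT_DIR:-$HOME/.acme.sh/$DOMAIN}"
CRT_DEST="${CRT_DEST:-/etc/uhttpd.crt}"
KEY_DEST="${KEY_DEST:-/etc/uhttpd.key}"
UCI="${UCI:-uci}"
FW_INIT="${FW_INIT:-/etc/init.d/firewall}"
UHTTPD_INIT="${UHTTPD_INIT:-/etc/init.d/uhttpd}"
RULE="firewall.acme_http"                # named section, so delete hits only this rule

open_port() {
    $UCI set "$RULE=redirect"
    $UCI set "$RULE.target=DNAT"
    $UCI set "$RULE.src=wan"
    $UCI set "$RULE.proto=tcp"
    $UCI set "$RULE.src_dport=80"
    $UCI set "$RULE.dest=lan"
    $UCI set "$RULE.dest_ip=$LAN_IP"
    $UCI set "$RULE.dest_port=$ACME_PORT"
    $UCI commit firewall && $FW_INIT restart
}

close_port() {
    $UCI delete "$RULE"
    $UCI commit firewall && $FW_INIT restart
}

renew_cert() (
    # Subshell body: the EXIT trap closes the port on every exit path.
    trap close_port EXIT
    open_port || exit 1
    "$ACME" --renew -d "$DOMAIN" || exit 2   # failed or not yet due: install nothing
    umask 077                                # key copy is never group/world readable
    cp "$CERT_DIR/$DOMAIN.cer" "$CRT_DEST" || exit 3
    cp "$CERT_DIR/$DOMAIN.key" "$KEY_DEST" || exit 3
    chmod 400 "$KEY_DEST"
    $UHTTPD_INIT restart
)

# Run from cron as: sh /root/renew-cert.sh run   (script path is hypothetical)
case "${1:-}" in run) renew_cert ;; esac
```

Setting `UCI`, `FW_INIT` and `UHTTPD_INIT` to `echo ...` gives a dry run that prints the commands instead of changing the router.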