OpenWrt Forum Archive

Topic: Luci with "Let's encrypt" certificate?

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

Instead of "self-generated" TLS certificates, I'd like to use "Let's Encrypt" certificates. Are there already any best practices on how to include them? I have never used or added TLS certificates to a server.

Do I just have to create them and copy the .cert and .key file to the directories configured in /etc/config/uhttpd? Or are there still steps to consider?

What I don't like that much is that I always get a warning when I enter the router's LuCI frontend. So it's not that big an issue, but if there's a possibility to "fix" this, I would like to do that.

Thanks and kind regards,

Dirk

You have to convert the certificate to the format uhttpd understands. See here.
Then you simply copy the cert and the key to, let's say,  /etc/tls/ and configure uhttpd to use them.

My setup looks like this and works fine:

in /etc/config/uhttpd:

config uhttpd 'main'
#    list listen_http '0.0.0.0:80'
#    list listen_http '[::]:80'
    list listen_https '0.0.0.0:443'
    list listen_https '[::]:443'
    option redirect_https '1'
    option home '/www'
    option rfc1918_filter '1'
    option max_requests '3'
    option max_connections '100'
    option cgi_prefix '/cgi-bin'
    option script_timeout '60'
    option network_timeout '30'
    option http_keepalive '20'
    option tcp_keepalive '1'
    option ubus_prefix '/ubus'
    option cert '/etc/tls/uhttpd.crt'
    option key '/etc/tls/uhttpd.key'

(Last edited by groovy on 25 May 2016, 11:22)

Good morning groovy,

thanks a lot. Very helpful answer. I'll try this.

Thanks a lot and kind regards,

Dirk

I just tried to create the certificates with "Let's Encrypt" on my own. It didn't work for me on OpenWrt; it failed with an error. As I read, I had to download > 40 MB of additional tools. I think that's too much for my router. "Let's Encrypt" sounds to me like a very good idea, but like many Linux features it's not sooo user friendly for non-pros :(

I expected the "Let's Encrypt" guys would offer a GUI where I can easily create my certificate. What a pity they didn't. ;)

But that's the point of Let's Encrypt, to do away with authentication, GUIs and all other sorts of processes. No authorization, no payments, no GUIs, just a public host they can directly validate and a matching set of scripts. That removes all sorts of barriers. They are not primarily trying to provide free certificates for everyone and their dog's IoT-enabled tag, they are striving to make the public web secure.

It has never been intended to replace self-signed certificates in an intranet context. They don't issue certificates for IP addresses or intranet hosts (in fact the whole CA Forum is moving away from that practice). And even if you managed to retrieve and deploy such a certificate you'd have to repeat the process every 90 days.

For more or less internal-only hosts, the alternative DNS challenge (DNS-01) might work better than the default, although that would need quite some integration work as well (and an additional risk of keeping your domain credentials on the router).

I was able to get Let's Encrypt to issue a certificate from OpenWRT CC 15.05 and then use it for an internal host with Luci over HTTPS.  No guarantee this configuration will work for you or that it is secure.

Step 1
Create a free subdomain with DuckDNS.org.  There are some other free subdomain providers, but they must be registered with the public suffix list to avoid quota limits on certificates with Let's Encrypt

Step 2
Configure the DDNS package to have Openwrt automatically update DuckDNS with your WAN IP address

Step 3
Install TLS to enable HTTPS on uhttpd

opkg update
opkg install uhttpd-mod-tls

Step 4
Enable uhttpd to respond to requests to your duckdns.org subdomain from devices on your private LAN.  This is required because uhttpd seems to reject by default any requests from a private LAN host to the wan address, which is what your duckdns subdomain resolves to.

uci set uhttpd.main.rfc1918_filter='0'
uci commit

Step 5
Install packages required by the acme.sh script

opkg install coreutils-stat
opkg install netcat

Step 6
Download and install acme.sh shell script from Neilpang on GitHub. 

Step 7
Edit this script to change the stand-alone webserver port to something other than 80 or 443 assuming you have uhttpd already running on those ports.  Search for this line and change 80 to an open port number, such as 8080

Le_HTTPPort=80

Step 8
Enable port forwarding on port 80 on WAN to the stand-alone webserver port selected in Step 7

# open port for HTTP validation
uci add firewall redirect
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].src=wan
uci set firewall.@redirect[-1].proto=tcp
uci set firewall.@redirect[-1].src_dport=80
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].dest_ip=[YOUR OPENWRT LAN IP ADDRESS]
uci set firewall.@redirect[-1].dest_port=[THE PORT YOU CONFIGURED FOR THE SCRIPT, such as 8080]
uci commit

# restart firewall
/etc/init.d/firewall restart

Step 9
Generate the certificate with Let's Encrypt using the shell script's stand-alone webserver for HTTP authentication

acme.sh --issue --standalone -d example.duckdns.org

Step 10
Assuming step 9 worked, close port 80 from WAN access that was opened in step 8

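# remove the redirect added in step 8 (assumes it is still the last redirect section)
uci delete firewall.@redirect[-1]
# commit the deletion, otherwise the redirect returns after a reboot
uci commit firewall
# restart firewall
/etc/init.d/firewall restart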

Step 11
Configure uhttpd to use the Let's encrypt certificate and key generated in step 9

cd ~/acme.sh/
cd example.duckdns.org
cp example.duckdns.org.cer /etc/uhttpd.crt
cp example.duckdns.org.key /etc/uhttpd.key
chmod 400 /etc/uhttpd.key

Step 12
Restart the uhttpd webserver

/etc/init.d/uhttpd stop
/etc/init.d/uhttpd start

Step 13
Assuming that all worked, try to navigate to your duckdns subdomain from a PC on your LAN with HTTPS.

Note that Let's Encrypt certificates expire after 90 days, so you'll need to set up a cron job or something to renew it.

(Last edited by languagegame on 4 Jun 2016, 06:07)
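
The renewal that the post above leaves to "a cron job or something", as an added example that is not part of languagegame's post or of acme.sh: it repeats steps 8 to 12 with a named firewall section, so cleanup never depends on `[-1]`, and it closes the WAN port whether or not the renewal succeeds. Assumptions: acme.sh is on the PATH and was edited as in step 7; the LAN address `192.168.1.1` and the section name `acme_http01` are made up for illustration.

```shell
#!/bin/sh
DOMAIN="${DOMAIN:-example.duckdns.org}"  # constructed defaults, override as needed
LAN_IP="${LAN_IP:-192.168.1.1}"          # assumption: router LAN address
ACME_PORT="${ACME_PORT:-8080}"           # port chosen in step 7
ACME_HOME="${ACME_HOME:-$HOME/acme.sh}"  # directory used in step 11
CERT_DST="${CERT_DST:-/etc/uhttpd.crt}"; KEY_DST="${KEY_DST:-/etc/uhttpd.key}"
SECTION=acme_http01                      # hypothetical section name
PORT_OPEN=0

svc()  { "/etc/init.d/$1" "$2"; }        # init script wrapper
acme() { acme.sh "$@"; }                 # acme.sh on PATH, as in step 9

open_validation_port() {
    PORT_OPEN=1
    uci set "firewall.$SECTION=redirect" || return 1   # named, so no [-1] guessing
    for kv in target=DNAT src=wan proto=tcp src_dport=80 dest=lan \
              "dest_ip=$LAN_IP" "dest_port=$ACME_PORT"; do
        uci set "firewall.$SECTION.$kv" || return 1
    done
    uci commit firewall && svc firewall restart
}

close_validation_port() {
    [ "$PORT_OPEN" = 1 ] || return 0
    uci delete "firewall.$SECTION"
    # Commit: an uncommitted deletion is lost on reboot and the redirect returns.
    uci commit firewall && svc firewall restart && PORT_OPEN=0
}

install_cert() {
    src="$ACME_HOME/$DOMAIN"
    cp -f "$src/$DOMAIN.cer" "$CERT_DST" || return 1
    # umask keeps the private key unreadable to others from the moment it is written
    ( umask 077 && cp -f "$src/$DOMAIN.key" "$KEY_DST" ) || return 1
    chmod 400 "$KEY_DST" && svc uhttpd restart
}

renew_cert() {
    rc=0
    open_validation_port && acme --renew -d "$DOMAIN" || rc=$?
    close_validation_port || return 1    # runs whether or not renewal succeeded
    [ "$rc" -eq 0 ] || return "$rc"      # no new certificate: keep the current one
    install_cert
}

if [ "${1:-}" = run ]; then
    trap 'close_validation_port; exit 1' INT TERM
    renew_cert
fi
```

Saved as a script, it does nothing unless called with the argument `run`, which is how a cron entry would invoke it.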

Hi languagegame,

thanks a lot for your description / introduction. Currently I'm trying to get my OpenVPN to work (with help from the forum). To prevent side effects I would afterwards try to make LuCI work with your howto.

Thanks a lot and kind regards,

Dirk

The discussion might have continued from here.