Question on Setting up Scheduler for Wildcard Certificates and DDNS in Asuswrt-Merlin

XIYO

Occasional Visitor
Hello,

I've been using the AC88U with firmware version 389.11.

My goal is to obtain a wildcard SSL certificate.
- I am aware that acme.sh is available on asuswrt-merlin.
- I also know how to get a wildcard certificate.

The issues I am facing are:
1. Creating a scheduler: Should I write this in `/var/spool/cron/crontabs/[my admin name]`?
2. The default UI only allows for applying DDNS to a single domain, and it issues certificates for that single domain as well.

My final intended setup is:
- DDNS for `mydomain.com` (without the `www`)
- SSL for `*.domain.com` (wildcard SSL)

I know I could bypass the router's built-in DDNS and certificate issuance by using nginx and acme directly, but I'm wondering if there's a more elegant solution.

I appreciate any insights you can provide. Have a great day!
 
Hi! To create a scheduler for acme.sh, you can use the command: `echo "0 12 * * * /path/to/acme.sh --issue --cert-name *.domain.com" | sudo tee -a /var/spool/cron/crontabs/[your admin name]`
"I apologize for using a translator. Thank you for your answer. My question is whether it is possible to issue a certificate with added options, as there is currently a basic feature for issuing certificates. If changing options is not possible, I plan to issue the certificate using the method you provided in your answer."
 
I use acme on my AX88U to handle my certificate needs over two domains (including wildcard certs).

I have shared my scripts here before. If you can wait a few days until I am home again, I can share my scripts.
 
Hi! To create a scheduler for acme.sh, you can use the command: `echo "0 12 * * * /path/to/acme.sh --issue --cert-name *.domain.com" | sudo tee -a /var/spool/cron/crontabs/[your admin name]`
This will not survive a reboot. From your services-start script, use `cru a <Cron format>` to add a Cron job. Don't use the auto-added Cron job acme wants to do. Does not work well.
 
This will not survive a reboot. From your services-start script, use `cru a <Cron format>` to add a Cron job. Don't use the auto-added Cron job acme wants to do. Does not work well.
Thank you for the answer.

Operating environment: AC88U(386.12)

My original goal was to renew the certificate every 90 days. However, according to CHATGPT4, the purpose of crontab is only to schedule repetitive tasks based on time, and the longest limit is 59 days. (Is this true? When was asuswrt's letsencrypt issued?)

Therefore, my revised goal is to renew the certificate on the 1st of every month. I will register a schedule of `0 0 1 * *` in crontab.

I have two questions here:

The result of `crontab -l`:

```bash
25 7 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
14 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
29 */12 * * * sh /jffs/scripts/firewall debug genstats #Skynet_genstats#
30 12 * * * service restart_letsencrypt #LetsEncrypt#
```

There was `service restart_letsencrypt`.

When I looked for it with the command `/sbin/find / -name "restart*"`, nothing came up. What does this mean? (I am currently blocked from issuing more letsencrypt certificates because I tried too many times today.)

Also, does asuswrt really issue a certificate every 12 hours and 30 minutes? Or does the interval change after the first issue? (Is there a reason to renew the certificate every day?)
 
Question 1. The command is service, not restart.

Question 2. I don't use Asus's version of certificate manager, so I can't say.

I downloaded, installed and setup acme.sh on the router and scripted my own certificate manager for both the router and my other certificate requirements.

For the Cron job, I have Cron execute a script which calls an acme.sh renew call twice a day. Acme handles the rest. Acme checks the certificate(s) and if they are within a month of expiring, acme will renew them.

As I have said, I have shared my scripts before. Just do a search for them. I don't mind posting them again, but won't be for a few weeks. Not at home.
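
The setup discussed in this thread (a `cru` job re-added from services-start that runs a renew script twice a day and only contacts the CA when the certificate is close to expiry) could look like the sketch below. It is an added example, not any poster's script; the paths, the job name `CertRenew`, the schedule and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Values marked ASSUMPTION are placeholders.
ACME_HOME="/jffs/acme.sh"                    # ASSUMPTION: acme.sh install dir
SELF="/jffs/scripts/cert-renew.sh"           # ASSUMPTION: where this file is saved
CERT="$ACME_HOME/domain.com/fullchain.cer"   # ASSUMPTION: path of the issued cert
DAYS=30                                      # renew when fewer days remain

# Cron spec handed to cru: two runs a day. Frequent runs are cheap because
# decide() is a local check and the CA is contacted only when renewal is due.
cron_spec() { echo "17 3,15 * * * sh $SELF run"; }

# 0 = expires within $2 days, 1 = valid for longer, 2 = no readable cert file.
cert_due() {
    [ -r "$1" ] || return 2
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
    then return 1   # -checkend exits 0 when the cert outlives the window
    else return 0
    fi
}

# Print the action a scheduled run would take: renew | skip | missing.
decide() {
    rc=0
    cert_due "$1" "$2" || rc=$?
    case "$rc" in
        0) echo renew ;;
        1) echo skip ;;
        *) echo missing ;;
    esac
}

case "${1:-}" in
    install)  # call "sh cert-renew.sh install" from /jffs/scripts/services-start
        cru a CertRenew "$(cron_spec)" ;;
    run)
        case "$(decide "$CERT" "$DAYS")" in
            # acme.sh applies its own renewal-date check as well.
            renew)   "$ACME_HOME/acme.sh" --cron --home "$ACME_HOME" ;;
            skip)    logger -t cert-renew "more than $DAYS days left, nothing to do" ;;
            missing) logger -t cert-renew "no certificate at $CERT, issue it once by hand" ;;
        esac ;;
esac
```

A missing certificate is logged rather than issued automatically, so a misconfigured job cannot run into the CA's rate limits by retrying on every run.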
 
