Why do I need a Let's Encrypt certificate?


jsbeddow
Can someone refresh my memory on why we need the whole Let's Encrypt certificate in the first place? Presumably we only care about this if we insist on enabling https: access to the router and are shutting off simple http: access, right?
 
Thanks, I guess in my case I have never really needed either one. My DDNS seems to update just fine (OpenDNS) without needing a certificate, so is this only for the Asus DDNS service?
 
While the Let's Encrypt certificate is generally for the DDNS service, if you see the "opening in web browser" link above, they talk about using the Let's Encrypt DDNS certificate to access the router using HTTPS. See this link to the specific section talking about Let's Encrypt:
https://www.asus.com/us/support/FAQ/1034294/#lets
Yes, sorry I worded that phrase poorly, I understand that it also is needed for https access to the router configuration pages.

That still seems to me to be overkill, as it really should only be accessible from inside my own lan, where if I need to be that concerned about http: vs. https: access then I've got bigger problems to address first.
 

Browsers are getting more strict over time - self-signed certs are robust, but the browsers don't care, as they're not issued by real CAs...

Let's Encrypt sorts that issue with the browsers...
 
Yes, on the router, the "Let's Encrypt" certificate is really intended only for accessing the router's webGUI using the HTTPS protocol via a regular web browser *without* getting the now all-too-common "Not Secure" warning messages (e.g. "Your connection is not private" or "Warning: Potential Security Risk Ahead").

I believe the confusion or misunderstanding that many people have WRT "needing" a "Let's Encrypt" (LE) certificate with their DDNS service setup is due to the fact that those two items are found on the same webGUI page, and when a DDNS service account has been enabled & configured on the router, the LE certificate is then issued for the domain/hostname that was set up in the DDNS configuration. I'm guessing that this is done because ASUS assumes that you're going to enable access to the webGUI over the WAN (hence HTTPS), and for this scenario to work you likely need a DDNS service since your WAN IP address is most likely dynamic (unless you're explicitly paying for a static public IP address, your ISP can change your WAN IP at any time, for any reason).

So given the above scenario, it does appear as though the DDNS service requires the LE certificate, but that's incorrect. One can in fact set up the DDNS service account and have it working successfully without ever needing any website certificate. For example, you can enable & configure an OpenVPN server and use the "Hostname" that was set up for your DDNS account as the "remote" option argument, and it works without any LE certificate - no need to allow access to the webGUI over the WAN either.

My 2 cents.
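To make the OpenVPN point above concrete, here is an added example (not from the post or from ASUS) of a minimal OpenVPN client profile that reaches the router through its DDNS hostname. The hostname xxxx.asuscomm.com, the port 1194 and the CA placeholder are assumptions; the real values come from the profile the router exports. Note what authenticates the server: the CA certificate embedded in the profile plus remote-cert-tls server, not the Let's Encrypt web certificate, which is why the VPN works with DDNS alone.

```text
# Added example: OpenVPN client profile using the DDNS hostname as "remote".
# Placeholders: xxxx.asuscomm.com, port 1194, and the <ca> contents.
client
dev tun
proto udp
# The DDNS name resolves to whatever the WAN IP currently is, so the
# client keeps working when the ISP changes the address.
remote xxxx.asuscomm.com 1194
resolv-retry infinite
nobind
# Require the peer certificate to carry the server EKU, so a stolen
# client certificate cannot be used to impersonate the router.
remote-cert-tls server
# Server identity is pinned to the CA that issued the router's own
# OpenVPN server certificate; no public CA is involved.
<ca>
(paste the CA certificate from the router's exported profile here)
</ca>
```

With this trust model the DDNS name is only a lookup aid: if an attacker redirected the name to another host, the TLS handshake would still fail because that host cannot present a certificate chaining to the embedded CA.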
 
My assumption, going on all the questions I've seen answered previously, is "because it's there".
 
I want to resurrect this thread, please, because I'm still confused. I have external access to my router turned OFF, except through OpenVPN, on my Asus running Merlin 3004.388.4. I turned on HTTPS: only, configured Let's Encrypt, and set up DDNS. The main Asus Merlin "dashboard" shows my DDNS name.

I cannot access it via that name from any browser on my internal LAN. For example, on my wired PC, I got:
[redacted].asuscomm.com refused to connect.

I can access the router via its internal IP address, but then I have to add an exception to go there because:
This server couldn't prove that it's 192.168.5.1; its security certificate is from [redacted].asuscomm.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Should I be able to access the router from inside my LAN using the [redacted].asuscomm.com? Or is this only used if I want to turn on access to the router when I'm outside the LAN? (I really don't think I want the latter.)

By the way, from a CMD prompt, I can ping [redacted].asuscomm.com and get replies from my WAN IP address.
 
It's been a long time but I thought I had a similar issue and the solution was to add the following line in the "Custom Configuration" of your VPN Server setup, using your DDNS name for xxxx.xx.xx:

Code:
local xxxx.xx.xx

If I am mistaken in my memory of this and it doesn't work, I apologize.
 
It's normally only used for WAN access.
However, I said normally. If you go into your LAN settings you can set it thus (using your example):

[screenshot: LAN settings page]


Just like accessing from the WAN, LAN access is by using your DDNS domain. As the domain is correct your cert would work fine.
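The two symptoms reported above are different checks failing at different layers. "Refused to connect" happens before any TLS: the DDNS name resolves to the WAN address, and from inside the LAN nothing answers there. The "couldn't prove that it's 192.168.5.1" warning happens after the TCP connection succeeds: the browser compares the host typed in the URL bar against the certificate's Subject Alternative Names, and a Let's Encrypt certificate issued for a DDNS hostname carries that hostname as a DNS SAN, not the private LAN IP. The check below is an added example written for this thread, not code from ASUS or Asuswrt-Merlin; it implements the name-matching step only (no chain, expiry or revocation checks), and the SAN list it uses is a constructed stand-in for such a certificate, with xxxx.asuscomm.com as a placeholder name.

```python
"""Browser-style hostname-vs-certificate name matching (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed stand-in for the SAN extension of a certificate issued for a
# DDNS hostname. "xxxx.asuscomm.com" is a placeholder, not a real host.
DDNS_CERT_SANS: List[Tuple[str, str]] = [("DNS", "xxxx.asuscomm.com")]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    and a wildcard is honoured only as the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.example.com" matches "a.example.com" but not "a.b.example.com",
    # and "*.com" (too few labels) is never accepted.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(sans: Iterable[Tuple[str, str]], requested_host: str) -> bool:
    """True if the host from the URL bar (no port) matches a SAN entry.

    An IP literal only matches an "IP" SAN; a DNS name only matches a "DNS"
    SAN. A certificate with only a DNS SAN therefore never validates when the
    router is opened by its LAN IP address, however correct the certificate is.
    """
    try:
        requested_ip = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        requested_ip = None
    for kind, value in sans:
        if requested_ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == requested_ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, requested_host):
            return True
    return False


def explain(sans: Iterable[Tuple[str, str]], requested_host: str) -> str:
    """One-line verdict in the spirit of the browser's warning text."""
    sans = list(sans)
    if cert_matches_host(sans, requested_host):
        return f"{requested_host}: name matches the certificate"
    names = ", ".join(v for _, v in sans)
    return (f"{requested_host}: this server couldn't prove it is "
            f"{requested_host}; its certificate is for {names}")


if __name__ == "__main__":
    for host in ("192.168.5.1", "xxxx.asuscomm.com", "router.asus.com"):
        print(explain(DDNS_CERT_SANS, host))
```

Run against the constructed SAN list, only xxxx.asuscomm.com passes; 192.168.5.1 and router.asus.com both produce the mismatch verdict. That is the reason the LAN-domain suggestion above works: once the router's DNS hands out the LAN address for the DDNS name, the TCP connection succeeds locally and the name in the URL bar is the one in the certificate.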
 
Well, I gave this a try, but nothing changed, unfortunately:

Unable to connect

An error occurred during a connection to [redacted].asuscomm.com.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.
 