Custom Certificates Upload?

tdhite

Occasional Visitor
Searched extensively for info on cert uploads. Admittedly I've not scoured the code quite yet, but I'm also not able to get uploaded certs to work. Unit is RT68U, generally works well.

With that said, anyone have success on custom certificates upload? I have a particular need, so (at least for the moment) can't live with LE's specific certs or the generated ones.

Thanks for any pointers.
 
Which '68U exactly? Which firmware is installed?
 
Finally scoured sources -- seems mssl_cert_key_match is surely failing. Alas, no way to know without a fresh build of the entire ROM due to the stub-out of logging in mssl.c:

@RMerlin -- happy to PR a reasonably efficient debug print; this is a low frequency function set (i.e., mssl_* functions should not get called often). Observability in the area would be very helpful to many, I'd think. Don't want to push a PR if you'd not accept for some reason -- is there one?

Thanks for any comments.
 
What is the exact issue? I upload my own certificate to 7-8 different development routers here, without any problem.
 
The exact issue is that regardless of upload, autogenerated certs are forced. Even though the key/cert pair is in /etc/key.pem and /etc/cert.pem (even if I manually place them with the appropriate script), httpd forces regeneration.

So the likelihood is one of:

1) certs are not in a pem form the system can swallow; or
2) cert form is somehow not supported (though they are just standard LE certs with other SANs involved that work fine on other platforms, namely certain vcenter/esxi hosts I have involved).

Given the code in httpd.c (though no logs are available in mssl.c), I'm pretty sure mssl_cert_key_match is returning a failed cert check (repeating: both pem files are properly in /etc).
 
Looking further, pretty sure the modulus check is the issue. I'm using EC private keys and it looks like only specifically matched RSA/RSA or DSA/DSA key/cert pairs are allowed. Can't be certain, but it sure looks like it.

This begs for documentation and some observability to problems, imho. This is code we can control given it's visible. Let me know, as mentioned, happy to push a PR.
 
That would be the most likely reason, as I have no problem with multiple routers using my own certificates (I manage a CA for my internal devices). EC were never officially supported either by Asus or myself.

If you want to do a PR to add EC validation to mssl, go ahead. I'll review it and merge it in. I've had users report that EC certificates used to work in the past, so I suspect they stopped working after Asus added the validation to mssl.
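The failure mode described in the two posts above (a key/cert match that compares RSA moduli and therefore rejects every EC pair) can be reproduced with the openssl CLI alone. This is an added example, not code from the thread or from the asuswrt-merlin sources; the helper names, file names and the self-signed test pairs are my own, and secp384r1 is used because it is the dehydrated default mentioned later in the thread.

```shell
#!/bin/sh
# Added example: contrast a modulus-only key/cert check with an
# algorithm-agnostic public-key check, using constructed self-signed pairs.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pair ALGO NAME: constructed self-signed pair (rsa or ec/secp384r1)
make_pair() {
  case "$1" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
           -out "$WORK/$2.key" 2>/dev/null ;;
    ec)  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/$2.key" ;;
  esac
  openssl req -x509 -new -key "$WORK/$2.key" -subj "/CN=$2" -days 1 \
    -out "$WORK/$2.crt" 2>/dev/null
}

# modulus_match KEY CERT: the narrow check. 'openssl rsa' cannot load an
# EC key, so a perfectly valid EC pair is reported as a mismatch.
modulus_match() {
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# pubkey_match KEY CERT: algorithm-agnostic check. The SubjectPublicKeyInfo
# derived from the private key must equal the one embedded in the cert;
# this works for RSA, DSA and EC alike.
pubkey_match() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# verdict ALGO: build a fresh pair and report both checks
verdict() {
  make_pair "$1" "$1"
  m=FAIL; p=FAIL
  modulus_match "$WORK/$1.key" "$WORK/$1.crt" && m=PASS
  pubkey_match  "$WORK/$1.key" "$WORK/$1.crt" && p=PASS
  echo "$1 modulus:$m pubkey:$p"
}

verdict rsa   # prints: rsa modulus:PASS pubkey:PASS
verdict ec    # prints: ec modulus:FAIL pubkey:PASS
```

The second check is also the one to run by hand before uploading a pair to the router: if the two PEM public keys differ, the upload cannot succeed whatever the key algorithm.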
 
I'm using dehydrated for signing certificates and the default key was ECC secp384r1

HTTPD was always generating new SSL certificates

Adding the option KEY_ALGO=rsa solved the problem

HTTPD mssl_cert_key_match : PASS

RT-AC86U 386.3
 
Hi
Hi. I've prepared a PR to validate EC certificates in mssl_cert_key_match(). https://github.com/RMerl/asuswrt-merlin.ng/pull/824
 