pixelserv Enabling SSL for WebUI - Stuck (sorry!)


TexasDave

Occasional Visitor
Hello,

I upgraded my systems this weekend to the latest version of Merlin and am now trying to do the next phase of getting back to where I was at.

I was under the impression that if I installed the complete Diversion, I would get pixelserv-tls. I can see that I do have pixelserv-tls and can see both the following active:

192.168.1.2/servstats
192.168.1.2/ca.crt

When I go to 192.168.1.2/ca.crt - I am able to download my cert.

I believe I can then use the "ps" command in amtm to enable SSL in the Web GUI?

The old script and the script now in amtm say:

"Before you proceed, pls have pixelserv-tls installed and running. You shall also have your Pixelserv CA cert imported on a test client."

pixelserv-tls installed and running (see above)

But I cannot seem to import the Pixelserv CA cert on a test client?

The instructions are here to import the cert and I have tried on Firefox, Chrome and Edge:

https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate
  • On Firefox - when I go to 192.168.1.2/ca.crt I do not get a "popup"....
  • For Chrome and Edge all looks to work but I cannot get the SSL to work.
Questions
  • On this page - do we ignore the items at the top and just use these instructions to add the cert to the browser?
  • Do we need to do anything in the WebUI? There is a section to install certs in the ADVANCED/WAN/DDNS? And to use http/https/both in ADVANCED/Administration/System? Or leave all of this be?
  • Running the ps script in amtm goes fine but I do not see the "lock" in any of the browsers
I have blown away Diversion and reset my USB a few times trying various things and while I see folks do have issues here - it seems that there must be a "standard" way of getting SSL to work on the WebUI? The issue is it seems to have changed over the years so I am afraid I am mixing items up?

Is there a post or a pointer in the best way to enable SSL in the WEB GUI in 2021? I am happy to delete Diversion, reformat my USB and start again?

Or is there some place I can look to understand why I cannot get my certs imported into my clients? That seems to be the main issue.

Thanks!
 

pdc

Regular Contributor
What kind of client do you have? I found I needed different instructions on Linux for example, and yes Firefox is tricky (I think newer versions require different steps).

If you can access https://<pixelserv ip>/servstats from the client with no issues, your pixelserv and client certs are working.

For the Web UI I had problems getting the amtm script to work as well. Here are my notes on what worked for me (replace <router> with your router IP or hostname):
# echo -n "<router>" > /tmp/pixelcerts
# cd /opt/var/cache/pixelserv
# cp <router> /etc/cert.pem
# cp <router> /etc/key.pem
# cp <router> /jffs/.cert/cert.pem
# cp <router> /jffs/.cert/key.pem
# service restart_httpd

I believe I also needed to mess around with the configuration at the WAN -> DDNS page using the above public/private keys, but unfortunately I didn't keep my notes for that part. It looks like this now:
Status : Active
Issued to : <router>
SAN :
Issued by : Pixelserv CA
Expires on : 2022/8/11

As a side note, I use 443 for the web port so I can just use https, though for that to work I needed to change the AiCloud port to something else in AiCloud settings since it uses 443 by default (even though I don't use AiCloud).
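
A way to check a WebUI certificate after steps like those above, as an added example that is not part of the original posts: it verifies that the certificate chains to the CA file downloaded from /ca.crt, that it carries a subjectAltName (Chromium-based browsers match names only against the SAN, not the CN), and that it covers the name typed into the browser. The function names are hypothetical and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.
# Assumes the openssl command-line tool is installed.

# 0 if the certificate ($2) verifies against the CA file ($1).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# 0 if the certificate ($1) carries a subjectAltName extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name'
}

# 0 if the certificate ($1) is valid for the name ($2).
# Strings made only of digits and dots are checked as IP addresses.
cert_matches_name() {
    case "$2" in
        *[!0-9.]*|'') opt=-checkhost ;;
        *)            opt=-checkip ;;
    esac
    openssl x509 -in "$1" -noout "$opt" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# webui_cert_check CA_FILE CERT_FILE NAME
# Prints the first failing check.
# Returns 0 = ok, 1 = chain, 2 = no SAN, 3 = name mismatch.
webui_cert_check() {
    cert_chains_to_ca "$1" "$2" || { echo "FAIL: not issued by the CA in $1"; return 1; }
    cert_has_san "$2"           || { echo "FAIL: no subjectAltName in $2"; return 2; }
    cert_matches_name "$2" "$3" || { echo "FAIL: $2 is not valid for $3"; return 3; }
    echo "OK: $2 chains to the CA and is valid for $3"
}

# Usage (paths as they appear in the post above; ca.crt is the downloaded CA):
#   webui_cert_check ca.crt /jffs/.cert/cert.pem <router>
```

Run it with the exact name or IP address entered in the browser's address bar, since a certificate valid for the hostname is not automatically valid for the IP.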
 

TexasDave

Occasional Visitor
@pdc - thank you for taking the time to try to help me!
 