Firefox https connection

[Frost]

When I try to connect to the router AC87U with Firefox https, Firefox warns about the certificate, as before, but this time I cannot proceed when I make the exemption. The connection is closed when I use "admin" and password. The AC87U has the latest software from Merlin.

Yes, I need some good advice.

Regards
Frost

 

[KevTech]

When I try to connect to the router AC87U with Firefox https, Firefox warns about the certificate, as before, but this time I cannot proceed when I make the exemption. The connection is closed when I use "admin" and password. The AC87U has the latest software from Merlin.

Yes, I need some good advice.

Regards
Frost

Since you know everything is safe just make an exception and you will never have that warning for the router again: https://support.mozilla.org/en-US/kb/secure-website-certificate

 

[Adamm]

When I try to connect to the router AC87U with Firefox https, Firefox warns about the certificate, as before, but this time I cannot proceed when I make the exemption. The connection is closed when I use "admin" and password. The AC87U has the latest software from Merlin.

Yes, I need some good advice.

Regards
Frost

Follow these steps and add it to your trusted root certificates, the example is for chrome but I'm sure you can download the cert in a similar fashion on Firefox

 

[Frost]

Thanks for good advices from KevTech and Adamm, and I will need the advices.

When I tried to contact my bank, I also got trouble. Earlier this day I found information about V--, and they told me I had to close the javascript(not enable). When I made it enable, all trouble disappeared - so far?

Regards
Frost

 

[Asad Ali]

Looks like Firefox Quantum is too good in checking for self signed certificates.
I've imported the router's generated certificate properly in Windows and my iOS devices and I can see green padlock everywhere except Firefox.

So any way to fix that without making an exception?

 

[SMS786]

Mozilla acknowledges this and basically seems to say just live with it:

The certificate is not trusted because it is self-signed.

Error code: SEC_ERROR_UNKNOWN_ISSUER

Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites.

 

[HarryH3]

Open About:config in Firefox. Set security.enterprise_roots.enabled to true and Firefox will now honor the system certificates. Note that this also bypasses Firefox's protection against malware that inserts fake certificates in the system certificate store, so it's not a risk-free choice. (But other browsers already trust the system cert store anyway).

More info here:
https://support.mozilla.org/en-US/questions/1175296#answer-1006092

 

[Asad Ali]

Open About:config in Firefox. Set security.enterprise_roots.enabled to true and Firefox will now honor the system certificates. Note that this also bypasses Firefox's protection against malware that inserts fake certificates in the system certificate store, so it's not a risk-free choice. (But other browsers already trust the system cert store anyway).

More info here:
https://support.mozilla.org/en-US/questions/1175296#answer-1006092

Unfortunately that method still gives me error on latest ( stable ) Firefox Quantum release.

 

[kvic]

Unfortunately that method still gives me error on latest ( stable ) Firefox Quantum release.

For pixelserv-tls users (any version..as old as 2.5 yrs ago also works), there is an easy way out in two steps:

Step 1: Import Pixelserv CA (generated by yourself) into Firefox. This should already be done. Otherwise, instructions here.

Step 2: Simply re-use the Pixelserv CA certificate for WebGUI. Instruction is here.

Alternatively, you may also use your Pixelserv CA to issue a distinct certificate to router's WebGUI by using pixelserv-tls. Assume your router's domain is "router.asus.com". Then

echo -n "router.asus.com" > /tmp/pixelcerts

Find your newly issued certificate named "_.asus.com" under /opt/var/cache/pixelserv. Now use this file and repeat Step 2 above.

Happy pixelserv'ing!

edit:

@thelonelycoder: there is potential to add this feature to your easy-to-use AMTM script

 

[SMS786]

For pixelserv-tls users (any version..as old as 2.5 yrs ago also works), there is an easy way out in two steps:

Step 1: Import Pixelserv CA (generated by yourself) into Firefox. This should already be done. Otherwise, instructions here.

Step 2: Simply re-use the Pixelserv CA certificate for WebGUI. Instruction is here.

Alternatively, you may also use your Pixelserv CA to issue a distinct certificate to router's WebGUI by using pixelserv-tls. Assume your router's domain is "router.asus.com". Then

echo -n "router.asus.com" > /tmp/pixelcerts

Find your newly issued certificate named "_.asus.com" under /opt/var/cache/pixelserv. Now use this file and repeat Step 2 above.

Happy pixelserv'ing!

edit:

@thelonelycoder: there is potential to add this feature to your easy-to-use AMTM script

I'm using Windows 10 and just did the above steps, I'm trying figure out mc (from entware) to copy my newly created cert to my usb stick so I can pull it out from there (accessing usb stick through Samba in Windows). Can anyone provide an easier/better way to do this? Admittedly I am a very novice linux user..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Edit: Nevermind! Forgot I had WinSCP installed *doh*

 

[kvic]

I'm using Windows 10 and just did the above steps, I'm trying figure out mc (from entware) to copy my newly created cert to my usb stick so I can pull it out from there (accessing usb stick through Samba in Windows). Can anyone provide an easier/better way to do this? Admittedly I am a very novice linux user..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Edit: Nevermind! Forgot I had WinSCP installed *doh*

A year or more ago, some users suggested a "download" function from within pixelserv-tls. Back then (and now too) I wanted to simply focus on core functionality and did it right and fast. Now thinking about it again, a URI such as "/ca.crt" to download the CA cert to client devices and quickly import from there seems a useful feature. Perhaps it'll get added to pixelserv-tls in a future v2.x release.

 

[Asad Ali]

A year or more ago, some users suggested a "download" function from within pixelserv-tls. Back then (and now too) I wanted to simply focus on core functionality and did it right and fast. Now thinking about it again, a URI such as "/ca.crt" to download the CA cert to client devices and quickly import from there seems a useful feature. Perhaps it'll get added to pixelserv-tls in a future v2.x release.

+1 +2 +100 +1000 +10000 to that please do it if you get enough time.

 

[kvic]

+1 +2 +100 +1000 +10000 to that please do it if you get enough time.

Okay, consider it done!

 

[Asad Ali]

Okay, consider it done!

Thanks

 

[Asad Ali]

For pixelserv-tls users (any version..as old as 2.5 yrs ago also works), there is an easy way out in two steps:

Step 1: Import Pixelserv CA (generated by yourself) into Firefox. This should already be done. Otherwise, instructions here.

Step 2: Simply re-use the Pixelserv CA certificate for WebGUI. Instruction is here.

I already tried that method before posting here but it gives the same error ( I tried again just now to double check ) so I assume FireFox is not obeying the imported root certificate file and still stubborn about it being self signed. :\

BTW I used the Web GUI's WAN->DDNS->Import/Persistent Auto-generated.
I assume it's the same as running the commands manually in the terminal.

Alternatively, you may also use your Pixelserv CA to issue a distinct certificate to router's WebGUI by using pixelserv-tls. Assume your router's domain is "router.asus.com". Then

echo -n "router.asus.com" > /tmp/pixelcerts

Find your newly issued certificate named "_.asus.com" under /opt/var/cache/pixelserv. Now use this file and repeat Step 2 above.

Happy pixelserv'ing!

When I run this command it gives me a "router.asus.com" file with .com extension but I need .crt and .key files to import into the router WEB UI so how can I do that?

 

[kvic]

@Asad Ali

Two things here: 1) FF acceptance of root CA cert. 2) ASUSWRT acceptance of a user provided cert.

#1 should work if pixelserv-tls users follow the guide I provided above to import your CA cert. Otherwise, FF users will not be seeing green padlocks when visiting pixelserv-tls servstats page and blocked ad domains. I can confirm I'm still seeing green padlocks on the latest FF Quantum. No errors nor warnings.

#2 My RT-AC56U is on 380.66. Up to that point #2 still works if people follow my other guide provided above. It's possible that ASUS might have moved some NVRAM variables a bit. I won't be able to test on any FW version after that. Adventurers like you and @SMS786 do have the potential to figure out and perhaps adapt the details of the steps a bit to make it work (if indeed the steps no longer applies to more recent FWs)

 

[Asad Ali]

@kvic Ok so indeed you're right here and me too can see green padlock on Firefox when I visit pixelserv-tls stats page so one thing is clear it's not Firefox root certificate acceptance issue.

I will now try the NVRAM method you posted and will check if that makes any difference.

 

[kvic]

@kvic I will now try the NVRAM method you posted and will check if that makes any difference.

Nice, pls keep us informed. Once the steps as-is or otherwise adapted to make it work, people can quickly come up with a script to automate the task for the majority of users.

 

[Asad Ali]

Nice, pls keep us informed. Once the steps as-is or otherwise adapted to make it work, people can quickly come up with a script to automate the task for the majority of users.

Ok so on further inspection I find two things, the Pixelserv issued certificate loads properly in the router web panel but it doesn't contain any SAN ( Subject Alternative Names ) and now I'm getting this exact error message even in other browsers too and not just in FireFox.

Spoiler

This server could not prove that it is 192.168.1.1; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.

Short Error Code: NET::ERR_CERT_COMMON_NAME_INVALID

Also when I open the pixelserv statistics page it still shows green padlock but the certificate details shows it's issued to only 192.168.1.2 ( My pixelserv is running on that IP ) so I think the certificate is not valid to use on the router and it might be a post 380.66 change since you are using the same certificate on your router without any issue.

@RMerlin Any valuable feedback from your side will be highly appreciated.
My Router is Asus RT-AC68U running on 384.4_beta3

 

[kvic]

Ok so on further inspection I find two things, the Pixelserv issued certificate loads properly in the router web panel but it doesn't contain any SAN ( Subject Alternative Names ) and now I'm getting this exact error message even in other browsers too and not just in FireFox.

This reminds me of a movement by the browser industry last year that all of them require SAN to be specified in the certificate. pixelserv-tls was updated to follow the industry's best practice as well.

Pls try the alternative method in my above post. That one should work. Briefly recap: if you use "router.asus.com" to access WebGUI, then put domain name as "router.asus.com" in the echo command. A cert with filename "router.asus.com" will be generated in /opt/var/cache/pixelserv.

Next open the certificate file, "router.asus.com" in a text editor. Extract the "BEGIN CERTIFICATE" section and save as "cert.pem" Extract the "BEGIN PRIVATE" section and save as "key.pem"

Finally repeat Step 1 in the original post. Use "cert.pem" in place of ca.crt and "key.pem" in place of ca.key in the instructions.

edit:
corrected typo in bold.