How do I install free SSL certificates on asuswrt-merlin?

[PoloNes]

Hello,

Yesterday I installed a certificate in my Synology.
Is It possible to install this certificate on the router ?

https://www.sslforfree.com

You need not have a paid domain , I used the no-ip .

You can use any free domain.


Enviado do meu iPad Mini retina usando Tapatalk

 

[PoloNes]

I found a link to how to do, just do not know with the current firmware is possible.

You guys think it's possible ?
I'm afraid to do something wrong and the router stop working.

https://gist.github.com/davidbalbert/6815258


Enviado do meu iPad Mini retina usando Tapatalk

 

[sfx2000]

Can install like any other SSL cert... and you can have more that one...

Keep in mind that the SSLforFree/LetsEncrypt certs expire after 90 days at present (Jan 2, 2016), so you'll have to go back and renew/reissue if you don't want to have issues...

(I use another CA for my certs, and they're valid for one year, and the provider is outside of the US, which for some, is a valid concern)

 

[Nullity]

Why not self sign with your own CA?

 

[sfx2000]

Having a trusted CA is a big deal - esp. if running a public Web Server or doing Email with S-MIME...

I didn't mean to ding SSLforFree - it's an awesome service perhaps...

StartSSL is another provider outside of the US that provides free certs, and they're a trusted CA...

 

[sfx2000]

Why not self sign with your own CA?

Self-signing is ok, if your needs are specific - the external CA is an extra step with a 'trusted' third party...

 

[Nullity]

Self-signing is ok, if your needs are specific - the external CA is an extra step with a 'trusted' third party...

My mistake, I neglected to realize these were hosts intended to be publicly accessible. Carry on...

 

[mlai]

I followed the link and the procedure does not work on my AC88U on 380.57 anymore......

 

[unsynaps]

I followed the link and the procedure does not work on my AC88U on 380.57 anymore......

RT-AC87R running 308.57 and it works fine.

One thing the documentation on that page is missing is you need to go to Administration -> System and set "Authentication Method" to either 'HTTPS' or 'Both' BEFORE you do what that page says to do.

 

[lmerega]

That's insane.
I'm on RT-N66U with 380.63_2 version.
I cannot install any certificate.
I tried to commit nvram too, but it looks like something is going wrong.
I use the crt file for Apache... I used it on Tomato happily, now I cannot install it on my router.
Any idea?
The process is entirely done. The file is generated... the cert is still the first one asus generated :-(
Any help appreciated

Luca

 

[easyjoe]

On RT-68U with 380.63_2 same.
Writing text to the .pem files seems to be succesful.
But the Certificate remains the asus generated.
Would be great to get a solution, don't like much the idea to buy another router.

 

[lmerega]

Noone has the same issue?
Only two of us?

Thx again

Luca

 

[lmerega]

I do not know... I repeated the very same steps and now everything is working.
Good for me

Thx for the guide

Luca

 

[kreutpet]

created self sign certificate with my own CA
On RT-AC66U with 380.63_2 have the same issue.
saving the .pem files to /etc is succesful.
After service restart_httpd ...
Jan 1 21:26:21 rc_service: service 954:notify_rc restart_httpd
Jan 1 21:26:21 RT-AC66U: start httpd - SSL
Jan 1 21:26:24 syslog: Generating SSL certificate...
the Certificate are again self signed by router.

Any hint what i am doing wrong?

Thanks

 

[unsynaps]

You have to run it twice for some reason. Someone mentioned it in the comments. I had the same issue.

This is the script I wrote to change it.

#!/bin/sh

# Configure ports to something more sensible
nvram set webdav_https_port="8443"
nvram set https_lanport="443"
nvram set misc_httpsport_x="443"
nvram commit

# Set HTTPD to HTTPS only and restart
nvram set http_enable="1"
nvram commit
service restart_httpd
sleep 5s

# Clear old cert and restart
nvram set https_crt_save="0"
nvram unset https_crt_file
service restart_httpd
sleep 5s

# Set new cert and restart
nvram set https_crt_save="1"
cat /jffs/_setup/ssl/cert.pem > /etc/cert.pem
cat /jffs/_setup/ssl/key.pem > /etc/key.pem
service restart_httpd
sleep 5s

######
# Has to be run twice for some reason
######
echo
echo -- Doing it a second time because...

# Set HTTPD to HTTPS only and restart
nvram set http_enable="1"
nvram commit
service restart_httpd
sleep 5s

# Clear old cert and restart
nvram set https_crt_save="0"
nvram unset https_crt_file
service restart_httpd
sleep 5s

# Set new cert and restart
nvram set https_crt_save="1"
cat /jffs/_setup/ssl/cert.pem > /etc/cert.pem
cat /jffs/_setup/ssl/key.pem > /etc/key.pem
service restart_httpd
sleep 5s

 

[kreutpet]

Hi, many thanks for the scripts.

Jan 3 20:14:00 rc_service: service 848:notify_rc restart_httpd
Jan 3 20:14:00 RT-AC66U: start httpd - SSL
Jan 3 20:14:05 rc_service: service 853:notify_rc restart_httpd
Jan 3 20:14:05 RT-AC66U: start httpd - SSL
Jan 3 20:14:10 rc_service: service 859:notify_rc restart_httpd
Jan 3 20:14:10 RT-AC66U: start httpd - SSL
Jan 3 20:14:14 syslog: Generating SSL certificate...
Jan 3 20:14:19 rc_service: service 877:notify_rc restart_httpd
Jan 3 20:14:19 RT-AC66U: start httpd - SSL
Jan 3 20:14:19 syslog: Generating SSL certificate...
Jan 3 20:14:24 rc_service: service 890:notify_rc restart_httpd
Jan 3 20:14:24 RT-AC66U: start httpd - SSL
Jan 3 20:14:24 syslog: Generating SSL certificate...
Jan 3 20:14:29 rc_service: service 904:notify_rc restart_httpd
Jan 3 20:14:29 RT-AC66U: start httpd - SSL
Jan 3 20:14:33 syslog: Generating SSL certificate...

somehow the log tells that after 2nd restart of http server the restart always generates a self signed certificate

i guess then the issue is with my certificate which i generated with xca
maybe i am exporting the key and certificate in a wrong way from xca

i guess that the certification configuration in xca is not correct and is rejected in the mssl_init() function

thanks

 

[kreutpet]

i have looked into the mssl_init() function, but it looks like any error that would occur is not logged in syslog.

How to get log level modified to get logs form certification error?

thanks

 

[fuigo168]

Has anyone any luck with Asus firmware 3.0.0.4.382_18881 on RT-AC68U? I installed my custom SSL until recently a firmware update revert it back to the self-signed one. It was odd, because previous firmware updates didn't do that. I repeated the steps several times already, but still see the self-signed one on my router. Thanks in advance.

 

[xtropodx]

Is setting up & installing HTTPS/SSL Certificate on router necessary if I don't have a public website? Only using DDNS & router is only accessed locally via directly connected network or via VPN if accessed remotely.
Thanks.