How to configure acme.sh to use dns challenge?

saccleo

Regular Contributor
After updating to version 3006, the built-in DDNS service asuscomm.com on ASUS routers is no longer available. Due to network restrictions preventing normal access to ports 80 and 443, how can I configure acme.sh to use DNS Challenge to apply for certificates?
 
Are you asking how to use acme.sh for certificate management or how to use acme on the router?

The firmware does have acme in it, but it is limited. You can install acme from their GitHub. The big thing is that you will always have to use the --home option to keep the script from using your router's home directory (which is in ramdisk).

Have a look in this thread...

 
I don't use the Asus DDNS service anymore, but my Let's Encrypt cert had no issues renewing recently on 3006. I believe it temporarily opened port 80 to verify control of the no-ip domain name.
 
> I don't use the Asus DDNS service anymore, but my Let's Encrypt cert had no issues renewing recently on 3006. I believe it temporarily opened port 80 to verify control of the no-ip domain name.

More and more residential ISPs are blocking ports 80 and 443. You can tell acme to use a different port.
 
> More and more residential ISPs are blocking ports 80 and 443. You can tell acme to use a different port.
Thank you. I misread as OP reporting a new issue with 3006.
 
> More and more residential ISPs are blocking ports 80 and 443. You can tell acme to use a different port.

According to Let's Encrypt's official documentation, certificate requests using HTTP-01 or TLS-ALPN-01 challenges require ports 80 and 443, respectively. However, due to network restrictions, these ports are unavailable. Previously, when using ASUS's official DDNS service, certificate issuance worked correctly. Upon checking the configuration file /jffs/.le/yourddns.asuscomm.com_ecc/yourddns.asuscomm.com.conf, the line Le_Webroot='dns_asusapi' confirms that the DNS challenge was used for validation.

The issue now is that while manually installing acme.sh with DNS API integration allows certificate issuance, it requires setting up cron jobs for automation and manual certificate uploads every three months, which is cumbersome. I want to configure the built-in ACME client in the ASUS firmware to use DNS challenges for simplicity but have not found the relevant configuration options.
 
> Are you asking how to use acme.sh for certificate management or how to use acme on the router?
>
> The firmware does have acme in it, but it is limited. You can install acme from their GitHub. The big thing is that you will always have to use the --home option to keep the script from using your router's home directory (which is in ramdisk).
>
> Have a look in this thread...

My question is:
when ports 80 and 443 are unavailable, how to configure the built-in acme.sh to automatically apply for and configure SSL certificates for third-party DDNS domains?
 
> The issue now is that while manually installing acme.sh with DNS API integration allows certificate issuance, it requires setting up cron jobs for automation and manual certificate uploads every three months, which is cumbersome. I want to configure the built-in ACME client in the ASUS firmware to use DNS challenges for simplicity but have not found the relevant configuration options.

You can automate the uploading of the certificates as well. Setting up a cron job is not a big job. Do it once, and forget about it.

Are you just using the certificates for secure access to your router (HTTPS)? The scripts shown in the link I posted above copy the certificates to the correct location and restart the router's web server as part of the renewal. If you need to use the certificates elsewhere, you can script that as well for automation. My renewal script copies the renewed certificates to four other servers and restarts/reloads the applications that require them. All I get every 60 days is an email telling me if the renewal and distribution of certificates went off OK or not.

As for the internal acme DNS APIs, the only API available is AsusDNS (located at /usr/sbin/dnsapi/dns_asusapi.sh). Like all things router, acme.sh has been neutered down to only what Asus required. You could possibly upload other DNS APIs into the JFFS or USB and bind mount the new API directory over Asus's dnsapi directory to use the internal acme.sh. I've never done that. When I first started down this rabbit hole (I was behind a double NAT at the time), I soon figured out that Asus's implementation of acme.sh was both too scaled back and too old - hence why I went with installing the full version of acme.sh on the USB drive.

I can post the script that I use to distribute the renewed certificates to other machines, if you want.
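The workflow the replies above describe (full acme.sh on USB with --home, a DNS-01 challenge so blocked ports 80/443 do not matter, one cron entry, and a hook that copies the renewed pair to the router and restarts httpd) as a worked example. This is an added script, not the poster's script, not part of acme.sh and not from the Asus firmware. It assumes acme.sh is installed under /opt/acme on a USB mount, that this file is saved as /opt/acme/deploy_router_cert.sh, that the router's httpd reads /etc/cert.pem and /etc/key.pem and is restarted with "service restart_httpd", that "cru" manages cron entries, and that the DNS zone for the third-party DDNS name is hosted at Cloudflare (CF_Token / CF_Account_ID); any other dns_* provider script shipped with acme.sh slots in the same way. Check every one of those paths and commands against your own router before use.

```shell
#!/bin/sh
# Added example (not from the thread, acme.sh or Asus): glue between a full
# acme.sh install on USB and the router's web server. acme.sh re-runs the
# --reloadcmd hook after every renewal, so the only cron job needed is
# "acme.sh --cron"; no manual upload every three months.
#
# Assumed paths/commands, override via environment if yours differ:
ACME_HOME="${ACME_HOME:-/opt/acme}"                   # assumed USB path, keeps state off the ramdisk
SELF="${SELF:-$ACME_HOME/deploy_router_cert.sh}"      # assumed location of this file
CERT_DST="${CERT_DST:-/etc/cert.pem}"                 # assumed router cert path
KEY_DST="${KEY_DST:-/etc/key.pem}"                    # assumed router key path
RESTART_CMD="${RESTART_CMD:-service restart_httpd}"   # assumed restart hook

# pem_ok FILE KIND: 0 if FILE is a non-empty PEM block of KIND ("CERTIFICATE"
# or "PRIVATE KEY"), so an empty or truncated file from a failed renewal
# never overwrites the working pair.
pem_ok() {
    [ -s "$1" ] || return 1
    grep -q -- "-----BEGIN.*$2-----" "$1" || return 1
    grep -q -- "-----END.*$2-----" "$1"
}

# install_pair CERT KEY: validate both files, confirm the key matches the
# cert, then copy each via a temp name and rename so httpd never reads a
# half-written key. The key temp file is created mode 600 before the move.
install_pair() {
    pem_ok "$1" "CERTIFICATE" || { echo "bad cert: $1" >&2; return 1; }
    pem_ok "$2" "PRIVATE KEY" || { echo "bad key: $2" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        # Compare public keys rather than RSA moduli so EC keys work too.
        c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
        k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
        { [ -n "$c" ] && [ "$c" = "$k" ]; } || { echo "key/cert mismatch" >&2; return 1; }
    fi
    cp "$1" "$CERT_DST.tmp" && mv "$CERT_DST.tmp" "$CERT_DST" || return 1
    ( umask 077 && cp "$2" "$KEY_DST.tmp" ) && mv "$KEY_DST.tmp" "$KEY_DST"
}

# deploy CERT KEY: what acme.sh runs as --reloadcmd. A non-zero exit shows
# up in the acme.sh log instead of the router silently serving the old cert.
deploy() {
    install_pair "$1" "$2" || return 1
    sh -c "$RESTART_CMD"
}

# setup DOMAIN: one-time issue, install and cron. acme.sh saves CF_Token and
# CF_Account_ID into its account.conf on first use, so they only need to be
# in the environment for this call.
setup() {
    d=$1
    "$ACME_HOME/acme.sh" --home "$ACME_HOME" --issue --server letsencrypt \
        --keylength ec-256 --dns dns_cf -d "$d" || return 1
    mkdir -p "$ACME_HOME/staged"
    "$ACME_HOME/acme.sh" --home "$ACME_HOME" --install-cert -d "$d" --ecc \
        --fullchain-file "$ACME_HOME/staged/$d.fullchain.pem" \
        --key-file "$ACME_HOME/staged/$d.key.pem" \
        --reloadcmd "$SELF deploy $ACME_HOME/staged/$d.fullchain.pem $ACME_HOME/staged/$d.key.pem" || return 1
    # Daily renewal check; acme.sh only renews when the cert is actually due.
    cru a acme_renew "17 3 * * * $ACME_HOME/acme.sh --home $ACME_HOME --cron"
}

case "${1:-}" in
    setup)  shift; setup "$@" ;;
    deploy) shift; deploy "$@" ;;
esac
```

Run it once as "sh /opt/acme/deploy_router_cert.sh setup yourname.example.net" with CF_Token and CF_Account_ID exported; after that the cru entry and acme.sh's stored reloadcmd handle renewals. Distributing the same pair to other hosts is a matter of adding scp/ssh lines to deploy, which is what the reply above describes doing.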
 
