How to configure acme.sh to use dns challenge?

[saccleo]

After updating to version 3006, the built-in DDNS service asuscomm.com on ASUS routers is no longer available. Due to network restrictions preventing normal access to ports 80 and 443, how can I configure acme.sh to use DNS Challenge to apply for certificates?

 

[Jeffrey Young]

Are you asking how to use acme.sh for certificate management or how to use are on the router?

The firmware does have acme in it, but it is limited. You can install acme from their GitHub. The big thing is that you will always have to use the --home option to keep the script from using your router's home directory (which is in ramdisk).

Have a look in this thread...

[SOLUTION] asus-wrapper-acme.sh Adds --dns Support for Let's Encrypt Wildcard SAN Certs to Integrated Asus acme.sh Implementation

That's my gut feeling as well. Looking at the originalconfig-webgui.sh script again, I noticed that the *.pem files get copied to /jffs/ssl only if the /jffs/ssl directory exists ( [ -d /jffs/ssl ] } In that case, I am assuming that some Asus products put the keys in /jffs/ssl while others...

www.snbforums.com

 

[rung]

I don't use the Asus DDNS service anymore, but my Let's Encrypt cert had no issues renewing recently on 3006. I believe it temporarily opened port 80 to verify control of the no-ip domain name.

 

[Jeffrey Young]

I don't use the Asus DDNS service anymore, but my Let's Encrypt cert had no issues renewing recently on 3006. I believe it temporarily opened port 80 to verify control of the no-ip domain name.

More and more residential ISPs are blocking ports 80 and 443. You can tell acme to use a different port.

 

[rung]

More and more residential ISPs are blocking ports 80 and 443. You can tell acme to use a different port.

Thank you. I misread as OP reporting a new issue with 3006.

 

[saccleo]

More and more residential ISPs are blocking ports 80 and 443. You can tell acme to use a different port.

According to Let’s Encrypt's official documentation, certificate requests using HTTP-01 or TLS-ALPN-01 challenges require ports 80 and 443, respectively. However, due to network restrictions, these ports are unavailable. Previously, when using ASUS’s official DDNS service, certificate issuance worked correctly. Upon checking the configuration file /jffs/.le/yourddns.asuscomm.com_ecc/yourddns.asuscomm.com.conf , the line Le_Webroot='dns_asusapi' confirms that the DNS challenge was used for validation .

The issue now is that while manually installing acme.sh with DNS API integration allows certificate issuance, it requires setting up cron jobs for automation and manual certificate uploads every three months, which is cumbersome. I want to configure the built-in ACME client in the ASUS firmware to use DNS challenges for simplicity but have not found the relevant configuration options .

 

[saccleo]

Are you asking how to use acme.sh for certificate management or how to use are on the router?

The firmware does have acme in it, but it is limited. You can install acme from their GitHub. The big thing is that you will always have to use the --home option to keep the script from using your router's home directory (which is in ramdisk).

Have a look in this thread...

[SOLUTION] asus-wrapper-acme.sh Adds --dns Support for Let's Encrypt Wildcard SAN Certs to Integrated Asus acme.sh Implementation

That's my gut feeling as well. Looking at the originalconfig-webgui.sh script again, I noticed that the *.pem files get copied to /jffs/ssl only if the /jffs/ssl directory exists ( [ -d /jffs/ssl ] } In that case, I am assuming that some Asus products put the keys in /jffs/ssl while others...

www.snbforums.com

My question is:
when ports 80 and 443 are unavailable, how to configure buildin acme.sh to automatically apply and configure SSL certificates for third-party DDNS domains?

 

[Jeffrey Young]

The issue now is that while manually installing acme.sh with DNS API integration allows certificate issuance, it requires setting up cron jobs for automation and manual certificate uploads every three months, which is cumbersome. I want to configure the built-in ACME client in the ASUS firmware to use DNS challenges for simplicity but have not found the relevant configuration options .

You can automate the uploading of the certificates as well. Setting up a cron job is not a big job. Do it once, and forget about it.

Are you just using the certificates for secure access to your router (HTTPS)? The scripts shown in the link I posted above copy the certificates to the correct location and restart the router's web server as part of the renewal. If you need to use the certificates elsewhere, you can script that as well for automation. My renewal script copies the renewed certificates to four other servers and restarts/reloads the applications that require them. All I get every 60 days is an email telling me if the renewal and distribution of certificates went off OK or not.

As for the internal acme DNS API's, the only API available is AsusDNS (located at /usr/sbin/dnsapi/dns_asusapi.sh). Like all things router, acme.sh has been neutered down to only what Asus required. You could possibly upload other DNS API's into the JFFS or USB and bind mount the new API directory over Asus's dnsapi directory to use the internal acme.sh. I've never done that. When I first started down this rabbit hole (I was behind a double NAT at the time), I soon figured out that Asus's implementation of acme.sh was both too scaled back and too old - hence why I went with installing the full version of acme.sh on the USB drive.

I can post the script that I use to distribute the renewed certificates to other machines, if you want.