
HOWTO: use a Let's Encrypt ssl certificate on HTTPS web interface

Discussion in 'Asuswrt-Merlin' started by FreydNot, Mar 27, 2016.

  1. FreydNot

    FreydNot New Around Here

    Joined:
    May 31, 2015
    Messages:
    5
    This isn't a detailed howto. It's more like my notes about what I did to make it work. You should probably know what you are doing before attempting this. I've cobbled this together from various pages on the internet. Nothing is original to me. I am standing on the shoulders of giants.

    Why? No good reason really. I've always enabled Web Access from WAN and HTTPS authentication method so I can access my home router from work (or while I'm out and about). It has always bothered me that the certificate isn't considered valid by the web browser.

    For this to work you need to have access to a linux system inside your network. Yes, that's cheating. Fortunately for me I already had an Ubuntu VM running a Nagios that I could easily leverage.

    For this howto, swap occurrences of router.example.com with the publicly resolvable host name you've set up for your router. See the WAN - DDNS part of the router web interface for more info.

    Part 1: port 443 redirection
    Really you should do this just before you run letsencrypt-auto, but layout-wise it fits better here...
    On the router, go to WAN and then Virtual Server / Port Forwarding
    set a rule that forwards port 443 to the linux VM you are installing Let's Encrypt on.

    Part 2: Install Let's Encrypt on the Ubuntu VM (that already has apache2 set up and running)
    Install git
    Code:
    sudo apt-get install git
    Get Let’s Encrypt
    Code:
    cd ~/
    git clone https://github.com/letsencrypt/letsencrypt
    Run Let's Encrypt for the first time and have it make a dummy cert. You are only allowed to generate 5 legit certs a week, so it's good to start out with a testing cert that doesn't count against your allowance.
    Code:
    sudo ~/letsencrypt/letsencrypt-auto --test-cert -d router.example.com
    It's going to install a lot of dependencies (like a lot). Just let it do its thing. If it asks you any questions, answer them appropriately.

    If there were any problems, correct them before proceeding.

    Run it again without the test-cert flag to create a real certificate.
    Code:
    sudo ~/letsencrypt/letsencrypt-auto -d router.example.com
    Assuming everything went okay, you will now find your certificate files in /etc/letsencrypt/live/router.example.com/

    Now that the cert is made, you can turn off the port 443 redirection.

    Part 3: Put the certs on the router
    Open a shell on your router and verify https_crt_save is set to zero
    Code:
    [email protected]:/tmp/home/root# nvram get https_crt_save
    0
    Set https_crt_save to 1 and check to make sure it stuck.
    Code:
    [email protected]:/tmp/home/root# nvram set https_crt_save=1
    [email protected]:/tmp/home/root# nvram get https_crt_save
    1
    Put the contents of /etc/letsencrypt/live/router.example.com/privkey.pem (from your Ubuntu system) into /etc/key.pem on the router. Don't worry if something is already there, just delete it all first.

    Put the contents of /etc/letsencrypt/live/router.example.com/fullchain.pem (from your Ubuntu system) into /etc/cert.pem on the router. Don't worry if something is already there, just delete it all first.

    Verify https_crt_file is not set to anything
    Code:
    [email protected]:/tmp/home/root# nvram get https_crt_file
    [email protected]:/tmp/home/root#
    Restart httpd on the router
    Code:
    [email protected]:/tmp/home/root# service restart_httpd
    Check that https_crt_file is no longer empty (it should answer back with several lines of what looks like random characters).
    Code:
    [email protected]:/tmp/home/root# nvram get https_crt_file
    H4sIAG1T91YCA+1XybKjyJKtNV9Re1m3GMSgxVsEM0IgMQ87JjE...
    If you are a belt and suspenders type of person, go ahead and reboot the router (just for fun).

    Part 4: Verify it worked
    Point your browser to your https login page and make sure you don't get a warning about the certificate being invalid.

    Part 5: Renew the cert
    Let's Encrypt certs are only good for 90 days, so you will have to do this process over again every 3 months (or sooner). Realistically, the next time you need to log into your router you'll notice it's expired and go do something about it.

    To renew the cert, do the whole thing over again from part 1 to part 4. This time you should use this command so it won't ask all the questions again.
    Code:
    sudo ~/letsencrypt/letsencrypt-auto renew -d router.example.com
    That's it. Good luck.
     
    Cycle Mycle, redhat27, XIII and 3 others like this.
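Parts 3 to 5 above are a manual copy-paste routine that has to be repeated every 90 days. The script below is an added example, not code from the thread or from Asuswrt-Merlin, that turns the same steps into something cron can run on the LAN "donor" host: it runs the renewal, checks the PEM pair before touching the router, pushes the files over SSH, sets `https_crt_save`, restarts httpd and shows what the router now serves. Everything in it beyond the thread's own commands is an assumption: the router address, the WAN HTTPS port 8443, key-based SSH to the router, the state-file location, and that the port-443 forward from Part 1 (or the `certonly --standalone` mode mentioned later in the thread) is still in place when renewal runs.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: renew-and-deploy
# script for the thread's Part 3 and Part 5, meant to run from root's cron on
# the LAN "donor" host (certbot's privkey.pem is readable by root only).
# Assumptions (hypothetical values, adjust to your setup):
#   - SSH is enabled on the router and $ROUTER accepts key-based login
#   - the port-443 forward from Part 1 (or certonly --standalone, as later
#     replies describe) is in place, otherwise renewal cannot be validated
#   - the router's httpd reads /etc/cert.pem and /etc/key.pem and, with
#     nvram https_crt_save=1, packs them into https_crt_file (thread, Part 3)
set -eu

DOMAIN="${DOMAIN:-router.example.com}"
ROUTER="${ROUTER:-admin@192.168.1.1}"                 # constructed placeholder
HTTPS_PORT="${HTTPS_PORT:-8443}"                      # assumed WAN HTTPS port
LIVE="${LIVE:-/etc/letsencrypt/live/$DOMAIN}"
STATE="${STATE:-${HOME:-/root}/.router-cert.cksum}"   # checksum of last pushed chain
LE="${LE:-${HOME:-/root}/letsencrypt/letsencrypt-auto}"

# Count "-----BEGIN <label>-----" lines in a PEM file; prints 0 when none.
pem_count() {
    # $1 = file, $2 = block label (CERTIFICATE, PRIVATE KEY, ...)
    n="$(grep -c "^-----BEGIN $2-----\$" "$1" 2>/dev/null || true)"
    echo "${n:-0}"
}

# Refuse to touch the router unless the pair looks right: the chain file must
# carry the leaf plus at least one intermediate (a bare leaf makes browsers
# fail path building), and the key file must hold exactly one private key
# and no certificate (the classic swap-the-two-files mistake).
check_pem_pair() {
    # $1 = fullchain.pem, $2 = privkey.pem
    chain="$(pem_count "$1" CERTIFICATE)"
    certs_in_key="$(pem_count "$2" CERTIFICATE)"
    keys="$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$2" 2>/dev/null || true)"
    [ "$chain" -ge 2 ] && [ "${keys:-0}" -eq 1 ] && [ "$certs_in_key" -eq 0 ]
}

# True when the chain differs from the one recorded at the last push, so a
# cron run that did not renew anything leaves the router alone.
chain_changed() {
    # $1 = fullchain.pem, $2 = state file
    new="$(cksum "$1" | cut -d' ' -f1)"
    old="$(cat "$2" 2>/dev/null || true)"
    [ "$new" != "$old" ]
}

# Thread's Part 3 over SSH: write both files, persist them, restart httpd.
push_to_router() {
    ssh "$ROUTER" 'cat > /etc/key.pem'  < "$LIVE/privkey.pem"
    ssh "$ROUTER" 'cat > /etc/cert.pem' < "$LIVE/fullchain.pem"
    ssh "$ROUTER" 'nvram set https_crt_save=1 && nvram commit && service restart_httpd'
}

# Thread's Part 4 from the command line: show what the router now serves.
verify_served() {
    echo | openssl s_client -connect "$DOMAIN:$HTTPS_PORT" -servername "$DOMAIN" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

main() {
    "$LE" renew      # certbot only renews when the cert is close to expiry (default: within 30 days)
    if chain_changed "$LIVE/fullchain.pem" "$STATE"; then
        check_pem_pair "$LIVE/fullchain.pem" "$LIVE/privkey.pem" || {
            echo "refusing to deploy: $LIVE does not look like a chain/key pair" >&2
            return 1
        }
        push_to_router
        cksum "$LIVE/fullchain.pem" | cut -d' ' -f1 > "$STATE"
        verify_served
    fi
}

# Only act when invoked as "./le-router-deploy.sh deploy"; sourcing or running
# it bare just defines the functions.
if [ "${1:-}" = deploy ]; then
    main
fi
```

Run it once by hand with `deploy` after the manual Part 3 has worked, then add a daily root cron entry for it; the state file only stores a checksum, and the private key travels nowhere except over the SSH session to the router. If the donor host runs no web server, replace the `renew` line with the `certonly --standalone` invocation from the later replies, which serves the validation on port 443 itself.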
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,414
    Location:
    Canada
    The purist in me finds it worrying that Letsencrypt lets you obtain a certificate for a domain which you don't legally own. While the intent is nice (moving as many websites as possible to SSL), I feel it weakens a bit the security provided by SSL certificates, as it no longer validates the ownership of a site - it only encrypts it. Maybe that's just my personal feeling there tho...
     
  3. FreydNot

    FreydNot New Around Here

    Joined:
    May 31, 2015
    Messages:
    5
    I don't think that is a fair characterization. The Let's Encrypt software requires communication with their mother ship over port 443 while validating the setup. This step proves you are in control of the server.

    Maybe I glossed over the details, but the Linux VM I created must be on the LAN side of the router and the publicly resolvable name must terminate at the WAN side of the same router.

    I guess you could argue that control does not equal ownership, but that seems like a narrow distinction in today's world.

    Edit: and you have to prove that relationship every 90 days or the cert expires.
     
  4. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,414
    Location:
    Canada
    Yes, it proves that you control the server that will host the website (at least during the validation process). But if you had managed to hijack a domain's DNS, you would then be able to fully impersonate the hijacked website by obtaining a certificate for that domain. Sure, the real owner will sooner or later find out and regain control of his DNS, preventing you from renewing that certificate, but in the meantime you could have harvested/stolen a lot of important information, and people relying on a certificate to confirm they are really on the site they expect won't have that same level of trust anymore.

    Yes, it's a very specific scenario, but still one that makes me wonder about the possibility.
     
    Nullity, L&LD and ryzhov_al like this.
  5. FreydNot

    FreydNot New Around Here

    Joined:
    May 31, 2015
    Messages:
    5
    I see where you are coming from. IMHO if someone has hijacked your DNS the game is already lost. Nothing stopping you from altering the DNS records (physical address, email contacts or whatever) and applying for a more conventional cert. I believe the benefit (free encryption for everyone, making general SSL use more commonplace) is worth the slight risk you've outlined (an already compromised system being further compromised). Just my $0.02.
     
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,414
    Location:
    Canada
    I guess that from now on, EV certificates will become something people will need to look at whenever trying to determine if the site they are accessing really is the correct one. More business for CAs selling those overpriced certificates I suppose :)
     
  7. yelo3

    yelo3 Regular Contributor

    Joined:
    Feb 20, 2014
    Messages:
    99
    I've tried to follow this procedure, but it failed: any suggestion?

    Code:
    sudo ./letsencrypt-auto --test-cert -d chieffo.homenet.org
    Checking for new version...
    Requesting root privileges to run letsencrypt...
       /home/tecla/.local/share/letsencrypt/bin/letsencrypt --test-cert -d chieffo.homenet.org
    No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command
    
     
  8. FreydNot

    FreydNot New Around Here

    Joined:
    May 31, 2015
    Messages:
    5
    Whatever "donor" system needs to support the let's encrypt stuff. In my case it was an Ubuntu LAMP system. I believe they only support Apache2 for the automatic cert injection stuff at this time. Regardless, you should be able to get it working if you hack at it a bit. As the error message suggests, try the certonly command and see if that works. It won't install the cert into the local web server automatically, but you don't care since you are going to move the cert over to the router anyway.
     
  9. regfixit

    regfixit New Around Here

    Joined:
    May 4, 2016
    Messages:
    1
    It means you are not running a certificate installer (e.g. Apache) on the Linux machine you are running this on. However, you don't need to set one up, you can use the standalone mode. I have just done this successfully on a Raspberry Pi with this command:

    sudo ~/.local/share/letsencrypt/bin/letsencrypt certonly --standalone -d mydomain.co.uk,myasusdns.asuscomm.com

    Note that this also allows you to register using the Asus DDNS domain name. This is brilliant as other SSL issuers would require you to own the asuscomm.com domain!
     
  10. Cake

    Cake Senior Member

    Joined:
    Jun 20, 2014
    Messages:
    258
    I suppose some of you have heard about the email error 2 days ago. I was part of the 1.9%
    :-(
     
  11. FreydNot

    FreydNot New Around Here

    Joined:
    May 31, 2015
    Messages:
    5
  12. Cake

    Cake Senior Member

    Joined:
    Jun 20, 2014
    Messages:
    258
    Just plugged the email into a spreadsheet. I got 4,601 email addresses of other letsencrypt users. wow :(
     
  13. Chrysalis

    Chrysalis Senior Member

    Joined:
    Jan 11, 2013
    Messages:
    473
    Location:
    UK
    The letsencrypt authentication process is argued by some to be weaker than proving via control of the registrant email account. But there are two very clear benefits to letsencrypt.

    It is vastly increasing https adoption (as well as making signed certs much more common on email services).
    Second, rogue certificates will expire much quicker without needing revocation; the long term plan is to have expiries much lower than the current 90 days, perhaps eventually being only a few days.

    Also my email is on their systems but I have yet to receive this update, I guess they never finished issuing it.
     
  14. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,025
    Location:
    San Diego, CA
    I agree - this is a bit of an opportunity for them to improve - and... there's potential for abuse perhaps because of what you mention above...
     
  15. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,025
    Location:
    San Diego, CA
    Letsencrypt is a nice idea - but the cert period being 90 days is a bit short.

    startssl.com - give them a look - email s/mime takes only a minute, and they do have a free ssl cert for personal use.
     
  16. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,414
    Location:
    Canada
    90 days ain't much of a problem however due to their automated certificate renewal.

    I looked at some freebies these past few years, and many of them come with a few gotchas, often only mentioned in their fine print, such as duration being less than a year, or being free only for the FIRST issue - renewals are being sold.
     
  17. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,025
    Location:
    San Diego, CA
    Startssl.com free certs are good for a year, they don't autorenew, but their system warns in advance.

    I've used them in both paid (work) and free (home).
     
  18. YasharF

    YasharF Regular Contributor

    Joined:
    May 17, 2014
    Messages:
    56
  19. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,025
    Location:
    San Diego, CA
    The investigation concluded that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements. Further, it determined that StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign's. When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA.
     
  20. Tinkerman

    Tinkerman New Around Here

    Joined:
    Dec 29, 2016
    Messages:
    1
    I was thinking of setting this up with a self signed certificate and installing it as a trusted cert on the few devices I use. I think that is an easier route. Any thoughts?