1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

IP Wan invalid for HTTPS certificate

Discussion in 'Asuswrt-Merlin' started by Cometti, Jul 18, 2019.

  1. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Hi,

    My IP WAN is ok...

    [​IMG]

    ...but the Server Certificate shows my LOCAL IP like this:
    upload_2019-7-18_17-28-50.png

    Lookup its ok for DDNS:
    [​IMG]

    Any idea to resolve this?!

    Thanks
     
    Last edited: Jul 18, 2019
  2. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,357
    You left the domain un-redacted in the certificate screenshot btw
     
    Last edited: Jul 18, 2019
  3. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Thx!! Can you remove your quote please?
     
  4. adampk17

    adampk17 Regular Contributor

    Joined:
    Sep 17, 2013
    Messages:
    144
    World of Warcraft fan, I see.
     
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,853
    Location:
    Canada
    Since most users have a dynamic WAN IP, the IP isn't used in the certificate, only the DDNS hostname. If you want to access through the WAN, use the DDNS hostname instead. Otherwise, a new certificate would have to be created every time your WAN IP changed (which might be daily for some users).
     
  6. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Thanks for the answer, but it's not me who chooses what will be generated in the certificate, it was the system itself that defined that IP
    How do I change the creation of the certificate to not be issued to the IP?

    upload_2019-7-19_7-54-32.png
     
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,853
    Location:
    Canada
    That's just the CN. Modern browsers mostly look at the content of the SAN field now, in the Extended x509 attributes:

    upload_2019-7-19_9-54-26.png

    That's where your DDNS hostname (the *.asuscomm.com one) is being added, so it will be considered as valid for the DDNS hostname.
     
    L&LD likes this.
  8. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Interesting, here it shows that too
    upload_2019-7-19_11-25-44.png

    But Google Chrome continues to show that the certificate is invalid

    upload_2019-7-19_11-27-28.png

    Internet Explorer and Firefox too

    upload_2019-7-19_11-29-6.png

    upload_2019-7-19_11-31-32.png

    Any suggestion to fix?!
     
  9. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,853
    Location:
    Canada
    It's invalid because it's self-signed, as the error message indicates. This is perfectly normal. The only way to get rid of the error message is to manage your own CA. You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.

    Just ignore it. It's perfectly secure, your browser is simply telling you it doesn't recognize who emitted that certificate.
     
  10. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Alright... Thx for the explanation!