IP Wan invalid for HTTPS certificate

Discussion in 'Asuswrt-Merlin' started by Cometti, Jul 18, 2019.

  1. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Hi,

    My IP WAN is ok...

    [image]

    ...but the Server Certificate shows my LOCAL IP like this:
    [image: upload_2019-7-18_17-28-50.png]

    Lookup is OK for DDNS:
    [image]

    Any idea to resolve this?!

    Thanks
     
    Last edited: Jul 18, 2019
  2. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,469
    You left the domain un-redacted in the certificate screenshot btw
     
    Last edited: Jul 18, 2019
  3. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Thx!! Can you remove your quote please?
     
  4. adampk17

    adampk17 Regular Contributor

    Joined:
    Sep 17, 2013
    Messages:
    150
    World of Warcraft fan, I see.
     
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,541
    Location:
    Canada
    Since most users have a dynamic WAN IP, the IP isn't used in the certificate, only the DDNS hostname. If you want to access through the WAN, use the DDNS hostname instead. Otherwise, a new certificate would have to be created every time your WAN IP changed (which might be daily for some users).
     
  6. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Thanks for the answer, but it's not me who chooses what will be generated in the certificate; it was the system itself that defined that IP.
    How do I change the creation of the certificate to not be issued to the IP?

    [image: upload_2019-7-19_7-54-32.png]
     
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,541
    Location:
    Canada
    That's just the CN. Modern browsers mostly look at the content of the SAN field now, in the Extended x509 attributes:

    [image: upload_2019-7-19_9-54-26.png]

    That's where your DDNS hostname (the *.asuscomm.com one) is being added, so it will be considered as valid for the DDNS hostname.
     
    L&LD likes this.
  8. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Interesting, here it shows that too:
    [image: upload_2019-7-19_11-25-44.png]

    But Google Chrome continues to show that the certificate is invalid:

    [image: upload_2019-7-19_11-27-28.png]

    Internet Explorer and Firefox too:

    [image: upload_2019-7-19_11-29-6.png]

    [image: upload_2019-7-19_11-31-32.png]

    Any suggestion to fix?!
     
  9. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,541
    Location:
    Canada
    It's invalid because it's self-signed, as the error message indicates. This is perfectly normal. The only way to get rid of the error message is to manage your own CA. You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.

    Just ignore it. It's perfectly secure, your browser is simply telling you it doesn't recognize who emitted that certificate.
     
  10. Cometti

    Cometti New Around Here

    Joined:
    Jul 18, 2019
    Messages:
    5
    Alright... Thx for the explanation!
     
  11. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    839
    I still like the idea of using Let's Encrypt.

    What if one owns a domain and redirects router.domain.com to hostname.asuscomm.com, would that prevent throttling?

    However, one still needs to enable web access from WAN to let either of those URLs actually open the router page? (So a No-Go?!)
     
  12. Makaveli

    Makaveli Very Senior Member

    Joined:
    Nov 4, 2016
    Messages:
    536
    Location:
    Canada
    This is why I prefer to let Pixelserv generate the Cert.
     
  13. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,541
    Location:
    Canada
    As long as the ACME client requests for your own domain, you'd be fine. You could then create a CNAME within your domain that will point to the asuscomm DDNS entry - that is how I have things set up myself (but with a different DDNS provider than Asus).

    That will require you to configure things manually though, as the router client would request using the DDNS domain.
     
  14. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,541
    Location:
    Canada
    I use XCA to manage my own CA, that way I can have recognized certificates on every single device I have (including the 6-7 routers I routinely use for development purposes).
     
    Makaveli likes this.
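    The three points RMerlin makes in posts 7, 9 and 14 (the CN is not what a browser matches once a SAN extension is present; the warning comes from the certificate being self-signed, not from a wrong name; a private CA makes the warning go away on every device that trusts it) can be reproduced with nothing but the openssl command line. The script below is an added example and is not code from this thread, from Asuswrt-Merlin or from Asus; the LAN IP `192.168.1.1` and the hostname `hostname.asuscomm.com` are constructed stand-ins for the values in the screenshots, and the "Home Lab CA" is a throwaway CA created inline (XCA produces the same kind of CA through a GUI).

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt-Merlin): reproduce with
# the openssl CLI how a browser decides which names a certificate is good for.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

LAN_IP="192.168.1.1"               # constructed stand-in for the CN in the screenshot
DDNS_HOST="hostname.asuscomm.com"  # constructed stand-in for the SAN entry
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# 1. A self-signed certificate shaped like the router's own: the CN is the
#    LAN IP, the DDNS hostname appears only in the SAN extension.
make_router_cert() {
    # shellcheck disable=SC2086
    openssl req -x509 $KEYOPTS -days 3 -subj "/CN=$LAN_IP" \
        -addext "subjectAltName=DNS:$DDNS_HOST" \
        -keyout "$WORK/router.key" -out "$WORK/router.pem" >/dev/null 2>&1
    echo "$WORK/router.pem"
}

# 2. The alternative from post 14: a private CA (a throwaway one here) signs
#    a certificate that carries both names in the SAN.
make_private_ca_cert() {
    # shellcheck disable=SC2086
    openssl req -x509 $KEYOPTS -days 3 -subj "/CN=Home Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # shellcheck disable=SC2086
    openssl req -new $KEYOPTS -subj "/CN=$LAN_IP" \
        -keyout "$WORK/lan.key" -out "$WORK/lan.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$DDNS_HOST" "$LAN_IP" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/lan.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 3 -extfile "$WORK/san.ext" \
        -out "$WORK/lan.pem" >/dev/null 2>&1
    echo "$WORK/lan.pem"
}

# Common Name of the subject: the field shown in the screenshot of post 6.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Every DNS and IP entry of the SAN extension, one per line.
san_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n -e 's/.*DNS:\([^ ,]*\).*/\1/p' -e 's/.*IP Address:\([^ ,]*\).*/\1/p'
}

# Name check the way a modern browser does it: with a SAN extension present,
# only its entries count and the CN is not consulted.
cert_valid_for() {
    san_names "$1" | grep -qx "$2"
}

# Self-signed heuristic: issuer DN equals subject DN.
cert_is_self_signed() {
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | cut -d= -f2-)
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | cut -d= -f2-)
    [ "$subj" = "$iss" ]
}

# Does the certificate chain to the given trust anchor? This is the check a
# browser passes once the private CA has been imported.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

ROUTER_CERT=$(make_router_cert)
CA_SIGNED_CERT=$(make_private_ca_cert)

echo "Self-signed router certificate:"
echo "  CN          : $(cert_cn "$ROUTER_CERT")"
echo "  SAN entries : $(san_names "$ROUTER_CERT" | tr '\n' ' ')"
for name in "$DDNS_HOST" "$LAN_IP"; do
    if cert_valid_for "$ROUTER_CERT" "$name"; then
        echo "  $name: name matches (via SAN)"
    else
        echo "  $name: name mismatch (CN is ignored once a SAN is present)"
    fi
done
if cert_is_self_signed "$ROUTER_CERT"; then
    echo "  issuer == subject: this is what triggers the browser warning"
fi

echo "Certificate signed by the private CA:"
echo "  SAN entries : $(san_names "$CA_SIGNED_CERT" | tr '\n' ' ')"
if cert_chains_to "$WORK/ca.pem" "$CA_SIGNED_CERT"; then
    echo "  chains to ca.pem: no warning on a device that trusts ca.pem"
fi
if ! cert_chains_to "$WORK/ca.pem" "$ROUTER_CERT"; then
    echo "  the self-signed router cert does not chain to ca.pem"
fi
```

    Run it as-is; it needs only `openssl` (1.1.1 or newer, for `-addext`) and writes to a temporary directory that is removed on exit. The output shows that the router-style certificate is accepted for the DDNS hostname and rejected for the LAN IP even though the IP is its CN, which is exactly the situation in posts 6 to 8, and that the only way to turn the warning into a green lock without a public CA is a chain to a CA the client already trusts, as in post 14.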
  15. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,469
    I use Cloudflare's free DNS for my own domain (purchased), and use DDNS from the router to dns-o-matic to update the A record for it. Works quite nicely for my needs!
     
  16. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    839
    But what about this part?

    Reason for asking: when I type https://hostname.asuscomm.com:8443 in my browser the web GUI does not open (https://192.168.1.1:8443 does), unless I enable remote web access from WAN (which I would like to prevent); even on my local network.

    (I'm OK-ish with manually updating the certificate every 90 days, or finding a way to automate that)
     
  17. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,541
    Location:
    Canada
    I don't know the details of Asus's implementation for validation, libletsencrypt is closed source.
     
  18. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    839
    I don't think I need that (when "manually" getting the Let's Encrypt certificates)?
    1. A CNAME record in the DNS settings of my domain is set to redirect router.domain.com to hostname.asuscomm.com
    2. External traffic on port 80 of the router is forwarded to a Raspberry Pi (for certbot)
    3. On this Pi I run certbot ("standalone") to generate a certificate and key for router.domain.com
    4. I upload the generated certificate and key on the admin page of the router
    When I enable web access from WAN this setup actually works: a green lock when I surf to https://router.domain.com:8443; a secure connection verified by Let's Encrypt.

    However, I thought it was strongly discouraged to enable web access from WAN due to security concerns?

    Do you guys really enable this, or do you use another way to get this to work? If so, how?
     
  19. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,469
    I run LetsEncrypt in a Docker container and use DNS verification via the cloudflare plugin: https://hub.docker.com/r/linuxserver/letsencrypt/
     
  20. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    839
    @Jack Yaz Thank you for providing another option to do this.

    But my main question to any of you: do you enable web access to WAN on the router?

    If not, how can you use the (external) domain URL to access the router GUI (on your local network)?