Let's Encrypt import


bluepoint

Why is Edge Chromium not letting me import the Let's Encrypt cert to the trusted root certificates? Actually, it does, but it's not showing in the browser's manage certificates settings; therefore, I cannot access the https webui of the router. However, if I check through Windows certmgr.msc, the certificate is in the trusted root certs. See pics
browserCa.jpg
Lets Encrypt.jpg
 
You shouldn't need to import anything. The Let's Encrypt root cert is already recognized by all major browsers.
 
When using https and Let's Encrypt, the certificate is issued to the ddns hostname used by the router. Doing so means that the hostname can be resolved to a public ip address. Trying to access the router's webui from the lan using the hostname means that the web browser tries to access through the same public ip, which means the wan interface, but this should be (and in most cases is) disabled, hence you cannot access it.

Using https and the lan ip address to access the router's webui, you get an invalid certificate error from the web browser since the certificate is issued to the ddns hostname of the router and you are using the ip, but you can choose to continue anyway and can access the webui.
You can import the router's certificate in the web browser certificate store as a trusted server to get around the warning, but you will have to do this approximately every three months when the Let's Encrypt certificate is renewed.

You could also: from the device you're trying to connect, use its hosts (file) to point the router's ddns hostname to its lan ip address and this will mean you can use the router's ddns hostname in the web browser address and access the webui without any issues, but you'll have to remember that from that device the ddns hostname will always resolve to the ip address you set in the aforementioned hosts (file). This means you have to do this from every device you are trying to connect from.
Alternatively, only if you use your router as your dns server (or as a dns filter to intercept all dns queries from the lan), you could set it up so it returns its lan ip address when resolving for the ddns hostname. Same problem as above, the ddns hostname will always resolve to the router's lan ip from devices within the lan which use the router as the dns server.

However, since the router's webui should only be used from the lan, you can use http and avoid any headaches. :cool:
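
Added example, not part of any post in this thread: a small Python model of the three access paths described above (LAN IP, DDNS hostname via public DNS, DDNS hostname via a hosts-file entry). It shows that the certificate name check depends on what is typed in the URL, not on the address the browser dials. The hostname, addresses and hosts-file text are constructed placeholders, and the public DNS lookup is simulated.

```python
import ipaddress

# Constructed sample values: the hostname, addresses and hosts text are placeholders.
DDNS_NAME = "myrouter.ddns.example"
LAN_IP, PUBLIC_IP = "192.168.1.1", "203.0.113.10"
CERT_SANS = [("DNS", DDNS_NAME)]  # same shape as ssl.getpeercert()["subjectAltName"]
HOSTS_TEXT = "127.0.0.1 localhost\n192.168.1.1 myrouter.ddns.example  # router LAN address\n"


def parse_hosts(text):
    """Map each lower-cased name in hosts-file text to the first address listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cert_matches(host, sans):
    """True if the host typed in the URL is covered by the certificate's SAN entries."""
    if is_ip(host):  # an IP literal only matches an "IP Address" SAN, never a DNS one
        want = ipaddress.ip_address(host)
        return any(k == "IP Address" and ipaddress.ip_address(v) == want for k, v in sans)
    host = host.lower().rstrip(".")
    for kind, value in sans:
        value = value.lower()
        if kind == "DNS" and (value == host or (
                value.startswith("*.") and host.partition(".")[2] == value[2:])):
            return True
    return False


def connect_plan(url_host, hosts_text=""):
    """Return (address the browser dials, whether the certificate name check passes)."""
    if is_ip(url_host):
        addr = url_host
    else:  # hosts file wins; otherwise public DNS returns the WAN address (simulated)
        addr = parse_hosts(hosts_text).get(url_host.lower(), PUBLIC_IP)
    return addr, cert_matches(url_host, CERT_SANS)


if __name__ == "__main__":
    for host, hosts in [(LAN_IP, ""), (DDNS_NAME, ""), (DDNS_NAME, HOSTS_TEXT)]:
        print(host, "->", connect_plan(host, hosts))
```
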
 
Ok, makes sense. Thanks. Does it make your router more secure using a Let's Encrypt cert over self-signed certs for DDNS hostname purposes?
 

No. All it does is get rid of the security warning.
 
