Let's Encrypt uses FQDN for certificate

sbsnb

Very Senior Member
I'm trying to enable HTTPS for accessing the web interface to my RT-AX86U, but Let's Encrypt insists on using the the router's DDNS host name for the certificate. This breaks HTTPS because the DDNS host name resolves to the WAN IP instead of the LAN IP, and since accessing the router's UI from the WAN is disabled it doesn't work. If I use the LAN IP to open the UI I have to wade through all kinds of stupid browser tricks warning me that the certificate doesn't match.

Is there a way to configure Let's Encrypt not to use the domain name? I could generate a self-signed cert, but some browsers block them altogether. If they're not blocked you still have to repeatedly go through the same rigmarole as when the IP doesn't match the certificate.
 

Jeffrey Young

Very Senior Member
As far as I know, it is a policy of Let's Encrypt that FQDN be used and that the top domain is a recognized domain name.

Looking at https://www.asus.com/support/FAQ/1034294, I think you are stuck.
 

sbsnb

Very Senior Member
Ok. Thank you. I'll hold off on upgrading to 386.4 until there's a way to resolve it.

Ironic that Asus's idea of improving security is forcing you to open your router UI to the WAN.
 

Jeffrey Young

Very Senior Member
You might be able to do it with a custom ddns setting. See this wiki: https://github.com/RMerl/asuswrt-merlin.ng/wiki/DDNS-services

With the temperatures the way they are, I might play around with this as a "something to do" thing this weekend and see if I can get it working with just a local FQDN name.
 

Zastoff

Very Senior Member

Jeffrey Young

Very Senior Member

sbsnb

Very Senior Member
I use pixelserv-tls cert for webui
It can also be found in amtm : ps
and i access webui with: https://router.asus.com:8443/Main_Login.asp
I'm trying to avoid using the router.asus.com because it gets confusing when you remote admin routers. Which one is resolving to what with a tangle of VPNs, etc. It's far easier for to just to use the IP, which I have for two decades.
 

Jeffrey Young

Very Senior Member
I'm trying to avoid using the router.asus.com because it gets confusing when you remote admin routers. Which one is resolving to what with a tangle of VPNs, etc. It's far easier for to just to use the IP, which I have for two decades.

I agree. I have multiple ASUS routers in my network. Can't have them all thinking they are router.asus.com

I'm going to play with both options this weekend. It has my own interest peeked now. I am hoping that I can get it to work with just HTTPS:\\IP.ADDRESS
 

Jeffrey Young

Very Senior Member
I map router.mydomain.com to 192.168.1.1 in /jffs/configs/dnsmasq.conf.add to use LE certificates for the web interface.

I do the same now so that my DC controlled computers and DC can find the router via a FQDN in the domain. This, I think, might be the simplest method yet if you have DDNS already set up.

Love it
 

Jeffrey Young

Very Senior Member
I'm trying to avoid using the router.asus.com because it gets confusing when you remote admin routers. Which one is resolving to what with a tangle of VPNs, etc. It's far easier for to just to use the IP, which I have for two decades.

I get a 403 Forbidden when I try to access the script. Perhaps no longer available?
 

Jeffrey Young

Very Senior Member
I'm trying to avoid using the router.asus.com because it gets confusing when you remote admin routers. Which one is resolving to what with a tangle of VPNs, etc. It's far easier for to just to use the IP, which I have for two decades.
@sbsnb, looks like that script is no longer available. If you have a local copy, and is open source license, are you willing to share it somewhere?
 

elorimer

Very Senior Member
I think if you use the cert in /opt/var/cache/pixelserv (or download it from pixelservipaddress/ca.crt) you can follow the steps in the Asus FAQ here: https://www.asus.com/us/support/FAQ/1034294/

I looked for it in the wayback machine, and the instructions are there but not the script.
 

sbsnb

Very Senior Member
What script? I have always just used regular HTTP access. I only contemplated switching because I see people complaining about some built-in nag screen in the latest firmware if you're not using HTTPS.
 

Zastoff

Very Senior Member
@sbsnb, looks like that script is no longer available. If you have a local copy, and is open source license, are you willing to share it somewhere?
The pixelserv-tls cert for webui script?
You can run it from AMTM and ps
 

eZwa

Occasional Visitor
I map router.mydomain.com to 192.168.1.1 in /jffs/configs/dnsmasq.conf.add to use LE certificates for the web interface.
I've tried to map my router hostname to its' internal IP address, to no avail.

I have limited experience with DNSmasq config, but the entry I have in dnsmasq.config.add is:

Code:
address=/router.mydomain.com/10.10.10.1

This should be all that I need to do, correct?
 

Jeffrey Young

Very Senior Member
OK, so what is the end game here? Is it to access the router via a FQDN via https (https://router.mydomain.tld)? If so, using the --server directive is not what you want. The server directive in dnsmasq is used to redirect dns queries for a specific subdomain to another upstram server. What you want is to add an entry to the /jffs/configs/hosts.add file. The entry would be;

Code:
10.10.10.1    router.mydomain.tld

where 10.10.10.1 would be the IP address of your router and router.mydomain.tld is the FQDN of your Let's Encrypt certificate (CN).

The domain name router.mydomain.tld would have be match your common name in your certificate.

If the endgame here is to refer to your router as a an IP address using https (SSL/TLS), then I think you are out of luck. SSL/TLS just plainly does not work that way - by design. I can see some security issues if you could use SSL/TLS with an IP address as opposed to a FQDN.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top