Let's Encrypt vs Persistent

jtp10181

Senior Member
Is there an actual advantage to using the Let's Encrypt cert vs an auto-generated one? I tried to import the LE cert to my trusted sites, but when accessing the web GUI locally (via IP or router.asus.com) it complains the cert was issued for my DDNS name instead. I have disabled WAN access to the GUI per recommendations, so using the DDNS URL is useless at the moment. I thought when I had the auto cert I could access it from LAN or WAN without complaint once it was trusted, so the auto-cert seems to have an advantage.

Or do I just need to configure something differently?
 
Let's Encrypt will be automatically recognized as safe by all browsers (no need to import anything), while if you generate your own cert, you have to import the signing CA cert into the Trusted Root Authorities repository to get rid of the security warnings.

The LE cert will be only assigned to your DDNS address, while a self-signed (or otherwise custom generated cert) can be for any hostnames of your choice, including IP addresses.
 
Yeah, the auto-generated cert included the LAN IP, hostname, router.asus.com and the DDNS. That's the way to go for me for now.

Is there any possibility to get the LE cert to include all that also? I think I saw a tutorial for making your own. Would be cool if I could use that for pixelserv also and include 192.168.1.2, then you don't have to worry about importing any certs.


 
Let's Encrypt will be automatically recognized as safe by all browsers (no need to import anything), while if you generate your own cert, you have to import the signing CA cert into the Trusted Root Authorities repository to get rid of the security warnings.

The LE cert will be only assigned to your DDNS address, while a self-signed (or otherwise custom generated cert) can be for any hostnames of your choice, including IP addresses.

@RMerlin, I apologize in advance since I am sure you were asked this before, but where is the router admin's automatically generated CA cert located? I hope to finally import it into my system/browser.
 
If you are on the new firmware and you go to the WAN > DDNS tab, there is an Export button. I may be wrong but I think that's new since 382.x. I know the certificate settings moved to that tab also for 382 and I forget where it used to be, in Admin > System maybe.

You can also grab them from /jffs/ssl/; there is a cert.pem and key.pem. You only need the cert.pem, and if you rename it to a .crt file you can double-click to import on Windows. For some reason I am thinking on older firmware they were hidden someplace else, but maybe that was the pixelserv certs I had to hunt for. Anyways, you can always use 'find / -iname <string>' to find stuff. Comes in handy when I forget where things are.
 
If you are on the new firmware and you go to the WAN > DDNS tab, there is an Export button. I may be wrong but I think that's new since 382.x. I know the certificate settings moved to that tab also for 382 and I forget where it used to be, in Admin > System maybe.

You can also grab them from /jffs/ssl/; there is a cert.pem and key.pem. You only need the cert.pem, and if you rename it to a .crt file you can double-click to import on Windows. For some reason I am thinking on older firmware they were hidden someplace else, but maybe that was the pixelserv certs I had to hunt for. Anyways, you can always use 'find / -iname <string>' to find stuff. Comes in handy when I forget where things are.

Appreciate it!
 
Is there any possibility to get the LE cert to include all that also?

No. LE will only issue a certificate for an FQDN that can actually be tested by them.
 
@RMerlin, I apologize in advance since I am sure you were asked this before, but where is the router admin's automatically CA cert located? I hope to finally import it into my system/browser.

It does not generate a CA, only a self-signed certificate. If you want to set up your own CA, you have to do it outside of the router, and then import the certificate you will generate that's signed by that CA.
 
It does not generate a CA, only a self-signed certificate. If you want to set up your own CA, you have to do it outside of the router, and then import the certificate you will generate that's signed by that CA.

Got it, thanks much!
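
The approach from the last answer (a CA created outside the router, then a router certificate signed by it that lists every LAN name and IP), sketched with the openssl CLI. This is an added example, not part of the original thread or the firmware; the function names, file names and the SAN values passed in are assumptions.

```shell
#!/bin/sh
# Added example: private CA on a workstation, then a router certificate
# whose SANs cover every name and address the GUI is reached by.
# Hostnames and addresses used with it are constructed placeholders.
set -eu

make_ca() {   # $1 = output directory
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home LAN Root CA (example)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # ca.crt is the only file clients import; ca.key stays on this machine.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {   # $1 = directory from make_ca, $2 = SAN list
    cat > "$1/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $2
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=router.asus.com" \
        -keyout "$1/key.pem" -out "$1/router.csr" 2>/dev/null
    openssl x509 -req -in "$1/router.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$1/leaf.ext" \
        -out "$1/cert.pem" 2>/dev/null
}

# Exit status 0 only if the chain validates AND the name/IP is in the SANs.
cert_ok_for_host() { openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/cert.pem" >/dev/null 2>&1; }
cert_ok_for_ip()   { openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/cert.pem" >/dev/null 2>&1; }

# Usage: make_ca ./lanca && issue_cert ./lanca "DNS:router.asus.com,IP:192.168.1.1"
```

The resulting cert.pem and key.pem are what gets imported on the router, while ca.crt goes into each client's trusted root store; a name or address missing from the SAN list still produces the mismatch warning described in the first post.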