Problems installing ACME.sh on [Fork] Asuswrt-Merlin 374.43_48E2 LTS


diamuxin

Occasional Visitor
Hi, has anyone managed to install the install-acme.sh script? I have followed all the steps:

From an ssh login, run install-acme.sh
The installer will
  • Download the latest version of ACME.SH from github
  • Install in /jffs/acme.sh
  • Update or create /jffs/configs/profile.add to support acme.sh
  • Create a script /jffs/scripts/renew-acme.sh to renew any generated certs
  • Setup a cron job in /jffs/scripts/services-start to perform auto cert renewal
After restarting my RT-AC66U, when I try to connect to it, it tells me that the certificate is invalid.

Greetings.
 

john9527

Part of the Furniture
I just gave the tool to be able to generate/manage the cert ....you have to manually generate the cert based on your domain/DDNS provider and then install it where you want (I needed to generate a cert for remote access to an Emby server and the router was the easiest place).
Since the gen is dependent on where your domain is hosted and your DDNS provider, there really isn't a default case. I probably can gen up an example procedure for the router using asusddns.

My fault for not being more explicit about what I had included.
 

Wallace_n_Gromit

Senior Member
@Markster made a how to about using acme.sh for a synology DSM/Plex server. Maybe this will give you some ideas.

If you get it to work, fill us in. What worked, what you had to tweak, etc. TIA @diamuxin

This link
 

diamuxin

Occasional Visitor
@Markster made a how to about using acme.sh for a synology DSM/Plex server. Maybe this will give you some ideas.

If you get it to work, fill us in. What worked, what you had to tweak, etc. TIA @diamuxin

This link

Thanks,

I have a Synology NAS installed at home and an option is already implemented in the control panel to use a Let's Encrypt certificate, and in fact I am using it.

What I need is to use Let's Encrypt on my RT-AC66U so that I can access the web UI via SSL, but there is little information.

 

diamuxin

Occasional Visitor
I just gave the tool to be able to generate/manage the cert ....you have to manually generate the cert based on your domain/DDNS provider and then install it where you want (I needed to generate a cert for remote access to an Emby server and the router was the easiest place).
Since the gen is dependent on where your domain is hosted and your DDNS provider, there really isn't a default case. I probably can gen up an example procedure for the router using asusddns.

My fault for not being more explicit about what I had included.

OK, don't worry.

So, how to uninstall acme script?

Could you help me with an example on how to generate and install that Let's Encrypt certificate in your Fork Firmware? I would very much appreciate it.

Best regards.
 

john9527

Part of the Furniture
So, how to uninstall acme script?
Well shame on me a second time for no uninstall.:oops:
I've put an 'uninstall-acme.sh' script up with my other downloads in the Scripts folder. (Will be included in the next public release)

Could you help me with an example on how to generate and install that Let's Encrypt certificate in your Fork Firmware? I would very much appreciate it.
Sounds good to make an example for your use case.
Do you already have a domain registered? With who? (I haven't used the built in Merlin Let's Encrypt....can someone comment on what it uses for a domain?)
Who is your DDNS provider? Same as your domain registrar or separate?
Any ISP restrictions? (For example, I found out my ISP (Cox) blocks port 80)
 

diamuxin

Occasional Visitor
Well shame on me a second time for no uninstall.:oops:
I've put an 'uninstall-acme.sh' script up with my other downloads in the Scripts folder. (Will be included in the next public release)


Sounds good to make an example for your use case.
Do you already have a domain registered? With who? (I haven't used the built in Merlin Let's Encrypt....can someone comment on what it uses for a domain?)
Who is your DDNS provider? Same as your domain registrar or separate?
Any ISP restrictions? (For example, I found out my ISP (Cox) blocks port 80)
I do not use commercial domain. My DDNS provider is NOIP.COM, I use an address like "xxxxxx.sytes.net" (there are several types of noip domains to choose from). My ISP DDNS has no restrictions.

The idea is to remotely connect to my RT-AC66U router in this way:
or locally via VPN:
(either of them works for me)

Thanks for the uninstall script.
 

LeilaBD

New Around Here
I have had some success with the acme.sh script on my RT-N66U running firmware version 374.43_48E2j9527. I've run the script, generated a certificate and managed to install it but not yet to survive a reboot.

In case it is useful, I will describe what I have done and what I found helpful.

After looking at various bits of documentation and blog posts, including https://github.com/acmesh-official/acme.sh, I decided to try to use Let's Encrypt's DNS API mode with the Cloudflare API. I registered for a free Cloudflare account, set my DNS servers to Cloudflare, and set a DNS A record to point to my router: router.pentrehouse.uk. From my Cloudflare dashboard, I generated and made a note of my Cloudflare DNS API token, my Cloudflare account ID and the Cloudflare Zone ID for my domain.

I then logged in to my router using ssh and ran
install-acme.sh
Installing acme.sh to /jffs/acme.sh
rm: can't remove '/jffs/acme.sh-master/dnsapi': Directory not empty
rm: can't remove '/jffs/acme.sh-master': Directory not empty
Updating profile for acme.sh
Installing cron job for auto cert updates

I rebooted as instructed, logged in again, and at the ssh prompt set:
export CF_Token="long hex number"
export CF_Account_ID="another long hex number"
export CF_Zone_ID="one more long hex number"

Where the long hex numbers were the ones copied from my Cloudflare dashboard earlier. I then ran:
acme.sh --issue -d router.pentrehouse.uk --dns dns_cf
and all worked fine and created the certs as follows:

[Tue Mar 16 18:00:52 GMT 2021] Your cert is in /jffs/acme.sh/router.pentrehouse.uk/router.pentrehouse.uk.cer
[Tue Mar 16 18:00:52 GMT 2021] Your cert key is in /jffs/acme.sh/router.pentrehouse.uk/router.pentrehouse.uk.key
[Tue Mar 16 18:00:52 GMT 2021] The intermediate CA cert is in /jffs/acme.sh/router.pentrehouse.uk/ca.cer
[Tue Mar 16 18:00:52 GMT 2021] And the full chain certs is there: /jffs/acme.sh/router.pentrehouse.uk/fullchain.cer


Unlike some later routers I believe, the RT-N66U doesn't include in the GUI the ability to deploy a certificate, so I wanted to do this from the command line. I found a useful blog post and discussion about it at https://gist.github.com/davidbalbert/6815258

I eventually found that if I copied
/jffs/acme.sh/router.pentrehouse.uk/router.pentrehouse.uk.cer to be /etc/cert.pem and /jffs/acme.sh/router.pentrehouse.uk/router.pentrehouse.uk.key to be /etc/key.pem
and then concatenated the two files to create /etc/server.pem and restarted httpd:
cd /etc
cat key.pem > server.pem
cat cert.pem >> server.pem
service restart_httpd

I could take my browser to https://router.pentrehouse.uk:8443/ and look at the connection details and there was my certificate. Hoorah!

However, after trying various of the magical utterances from the https://gist.github.com/davidbalbert/6815258 thread, I have yet to find how to make the certificates survive a reboot. Any suggestions would be very welcome.
 

john9527

Part of the Furniture
I have yet to find how to make the certificates survive a reboot. Any suggestions would be very welcome.
You are 95% of the way there with what you have.....
Final step....run
https2jffs
from the command line
 

LeilaBD

New Around Here
That's brilliant! Works great. Thank you very much.
And thanks also @john9527 for all your work on this fork. I'm really pleased that my old router can still get regularly updated firmware.
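
The deployment steps from LeilaBD's post and john9527's reply, wrapped with input checks, as an added example that is not code from the thread or from the firmware. `has_pem` and `build_server_pem` are hypothetical helper names; the checks only look at PEM markers and do not prove that the key belongs to the certificate.

```shell
#!/bin/sh
# Added example: build httpd's server.pem from an acme.sh key/cert pair,
# refusing input that would leave the router's HTTPS web UI with a bad bundle.
# has_pem and build_server_pem are hypothetical helper names.

# Return 0 if file $1 is non-empty and contains the PEM marker $2.
has_pem() {
    [ -s "$1" ] && grep -qF -- "$2" "$1"
}

# build_server_pem KEY CERT DESTDIR
# Writes DESTDIR/key.pem, cert.pem and server.pem (key first, then cert,
# the order used in the thread). Validation happens before any write, so
# a missing, empty or swapped input leaves DESTDIR untouched.
build_server_pem() {
    key=$1; cert=$2; dest=$3
    has_pem "$key" 'PRIVATE KEY-----' ||
        { echo "not a private key: $key" >&2; return 1; }
    has_pem "$cert" '-----BEGIN CERTIFICATE-----' ||
        { echo "not a certificate: $cert" >&2; return 1; }

    rm -f "$dest/key.pem.new" "$dest/cert.pem.new" "$dest/server.pem.new"
    (
        umask 077   # files holding the private key are created mode 600
        cat "$key" > "$dest/key.pem.new" &&
        cat "$cert" > "$dest/cert.pem.new" &&
        cat "$key" "$cert" > "$dest/server.pem.new"
    ) || {
        rm -f "$dest/key.pem.new" "$dest/cert.pem.new" "$dest/server.pem.new"
        return 1
    }
    # Rename into place only after every file was written completely.
    mv -f "$dest/key.pem.new" "$dest/key.pem" &&
    mv -f "$dest/cert.pem.new" "$dest/cert.pem" &&
    mv -f "$dest/server.pem.new" "$dest/server.pem"
}

# On the router, with the paths from the thread:
#   d=/jffs/acme.sh/router.pentrehouse.uk
#   build_server_pem "$d/router.pentrehouse.uk.key" \
#       "$d/router.pentrehouse.uk.cer" /etc &&
#       service restart_httpd && https2jffs
if [ $# -eq 3 ]; then
    build_server_pem "$@"
fi
```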
 
