Router certificate not working using Chrome on Ubuntu 22.04

skeal

Part of the Furniture
I've been struggling with this for hours, I've scoured our site and google trying to find an answer that applies to my situation.

My situation is trying to install a working certificate in chrome on ubuntu to open the webui in https mode.

I have it working on windows 11 chrome, but my own Ubuntu 22.04 chrome, throws an Err Invalid Cert page when trying to use the same exported certificate. I have installed the certificate into Ubuntu certificate store, and imported the same file into Chrome itself. My router settings are pictured below.I've restarted the browser as well as restarted the computer itself. By rights this should work, but of course it's not.

Any of my friends here know how to get this working? I read somewhere there's a way to get Chrome to trust the Ubuntu Certificate store but nothing relevant to Ubuntu 22.04 can I find.
Are there any people out there that have this working on Ubuntu Chrome? Please advise this is driving me crazy. I have medium experience with Ubuntu.

Update: Mozilla on Ubuntu says there is no ownership information when negotiating the certificate. Could this be part of the problem? In windows the certificate is valid and used, without error or notation of problems.

Thanks
Steve

ASUS-Wireless-Router-RT-AX88U-DDNS.png
 
Last edited:

skeal

Part of the Furniture
The FAQ's supplied by Asus on this (there are two) either force you to use web access from WAN, or explains after unzipping cert.tar that you should find a cert.crt file. This is wrong also as the cert.tar contains two files, cert.pem and key.pem. Also the instructions do not include Ubuntu, they only apply to windows.

The links are here:
https://www.asus.com/us/support/FAQ/1034294/
https://www.asus.com/support/FAQ/1045854/
 

skeal

Part of the Furniture
Bump
 

skeal

Part of the Furniture
If you haven't tried it already, rename the file extension from .pem to .crt and try to import into Ubuntu. See the following link for more steps that may need to be taken:
https://help.computerisms.ca/How_to_import_Certificate_Authority_in_Ubuntu
I was successful in adding the certificate to ubuntu. I also am aware of the import of certificates into chrome as well and did so. I followed a similar article about this with the same instructions. The certificate doesn't work on Ubuntu or Ubuntu Chrome or both.
 

skeal

Part of the Furniture
Any ideas @RMerlin ? I know this isn't necessary for a home environment, but I took on a renter and would like to implement this if possible, please. Is this a known issue? Are you able to get it to work on your Ubuntu?
 

skeal

Part of the Furniture
If I understand this correctly, it would seem a letsencrypt certificate may work; however you would be required to update Ubuntu's key storage every 90 days as the certificate is renewed. That's a pain in the butt, as far as I know you would have to remove the current certificate, and then install the new one generated by your router. I wish the asuswrt-merlin certificate would work.
 

dave14305

Part of the Furniture
If I understand this correctly, it would seem a letsencrypt certificate may work; however you would be required to update Ubuntu's key storage every 90 days as the certificate is renewed. That's a pain in the butt, as far as I know you would have to remove the current certificate, and then install the new one generated by your router.
Wouldn’t the Let’s Encrypt certificate always be trusted by Chrome out-of-the-box because it’s always signed by a trusted CA?
 

RMerlin

Asuswrt-Merlin dev
Any ideas @RMerlin ? I know this isn't necessary for a home environment, but I took on a renter and would like to implement this if possible, please. Is this a known issue? Are you able to get it to work on your Ubuntu?
I don't know, I don't use Linux desktops.
 

skeal

Part of the Furniture
Wouldn’t the Let’s Encrypt certificate always be trusted by Chrome out-of-the-box because it’s always signed by a trusted CA?
LetsEncrypt renews the certificate on the router by design at 90 day intervals. This cannot be changed. So when the certificate renews the one on the Ubuntu desktop previously installed won't match anymore. So you would have to change it out to get it to work again. With Windows this will be easy but Ubuntu not so much.
 

skeal

Part of the Furniture
I don't know, I don't use Linux desktops.
From what I understand the asuswrt-merlin certificate lacks valid ownership information.
 

dave14305

Part of the Furniture
LetsEncrypt renews the certificate on the router by design at 90 day intervals. This cannot be changed. So when the certificate renews the one on the Ubuntu desktop previously installed won't match anymore. So you would have to change it out to get it to work again. With Windows this will be easy but Ubuntu not so much.
What’s the point of a Let’s Encrypt certificate if the browser won’t trust its signature? No one would use Let’s Encrypt if users still had to trust each individual certificate it signed.
 

XIII

Very Senior Member
Indeed.

Ubuntu 22.04 should trust it (without importing anything), according to this documentation:

 

skeal

Part of the Furniture
What’s the point of a Let’s Encrypt certificate if the browser won’t trust its signature? No one would use Let’s Encrypt if users still had to trust each individual certificate it signed.
I know the certificate from LetsEncrypt will in fact work however the maintenance to keep it going is at least ever 90 days. The Asuswrt-merlin certificate lasts for years, but lacks some information in the certificate itself, required by Ubuntu Chrome, and the Ubuntu certificate system. The certificate is installed where it should be but isn't used due to being invalid.
 

skeal

Part of the Furniture
Indeed.

Ubuntu 22.04 should trust it (without importing anything), according to this documentation:

It does work but letsencrypt renews the certificate on the router every 90 days. Thus making the one on your Ubuntu desktop break.
 

skeal

Part of the Furniture
What’s the point of a Let’s Encrypt certificate if the browser won’t trust its signature? No one would use Let’s Encrypt if users still had to trust each individual certificate it signed.
This does work on windows for some reason.
 

dave14305

Part of the Furniture
It does work but letsencrypt renews the certificate on the router every 90 days. Thus making the one on your Ubuntu desktop break.
One of us misunderstands how CA-signed certificates work. But I’m not sure who it is when Linux is thrown into the mix.
 

RMerlin

Asuswrt-Merlin dev
From what I understand the asuswrt-merlin certificate lacks valid ownership information.
Self-signed certificates do not have "ownership", they are self-signed...
 

XIII

Very Senior Member
It does work but letsencrypt renews the certificate on the router every 90 days. Thus making the one on your Ubuntu desktop break.
What do you mean with “the one on your Ubuntu desktop”?

The certificate for your router that changes every 90 days is only needed on your router.

On Ubuntu/Chrome you only need the Let’s Encrypt CA certificate (which does not change every 90 days).
 

Martinski

Senior Member
LetsEncrypt renews the certificate on the router by design at 90 day intervals. This cannot be changed.

It does work but letsencrypt renews the certificate on the router every 90 days.
My recollection was that "Let's Encrypt" certificates are normally set up to renew every 60 days (i.e. 30 days *before* expiration). So I went to double-check the certificates in a couple of ASUS routers, and each cert has in fact a renewal date of 30 days *before* expiration:

RT-AC86U_LE_CertDates.jpg


GT-AC5300_LE_CertDates.jpg


Granted, I haven't checked if indeed previous certificate renewals have happened exactly on the expected dates, so I could be wrong about when each renewal actually occurs; but I haven't had any renewal problems at all for a long time (about a couple of years, IIRC) so I very rarely check.

Based on the screenshot in your 1st post, you don't have a "Let's Encrypt" certificate in your own router. For those who happen to have such a certificate, these are the cmds you can use to check the relevant dates:
Bash:
DDNS_HOSTNAME="$(nvram get ddns_hostname_x)"
openssl x509 -dates -noout -in "/jffs/.le/${DDNS_HOSTNAME}/${DDNS_HOSTNAME}.cer"
grep -E "NextRenewTimeStr=|CertCreateTimeStr=" "/jffs/.le/${DDNS_HOSTNAME}/${DDNS_HOSTNAME}.conf"

Yes, I know this information doesn't answer or help your situation at all; but I thought it would be good to clarify a possible misunderstanding between a "Let's Encrypt" certificate validity period (90 days) & its renewal period (60 days).

Just my 2 cents.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top