FestiveFuneral
New Around Here
I have a webserver on my network that is provisioned with an ACME client which connects to Let's Encrypt and maintains its own TLS certificate. Because the server binds to ports 80/443 on my IP, I can't have the router getting its own certificates (correct me if I'm wrong) through an ACME challenge as provided out of the box.
I would like to use the same DDNS and same TLS certificates on the router. I have mounted a samba share which has the certificates, and I have written a /jffs/scripts/ddns-start script which copies them (to /etc/key.pem and /etc/cert.pem) and calls /sbin/ddns_custom_updated 1. To be honest, I think this actually used to work, until recently. I haven't done anything other than reboot the router.
I have configured my firmware as follows:
- Advanced Settings > WAN > DDNS
  - DDNS Service: Enabled
  - DDNS Status: Registration successful
  - Server: Custom
  - Host: my.domain
  - Forced update: 21 days
- Webui SSL Certificate
  - HTTP/SSL Certificate: Free Certificate from Let's Encrypt
  - Server Certificate
    - Status: OK
    - Issued to: my.domain
    - Issued By: Let's Encrypt
    - Expires on: the future
However, when I hit the server, it gives me an old certificate that expired in April. As I said, I'm pretty damn sure this used to work, so it's not surprising there's SOME Let's Encrypt cert on there.
I would expect that since I have Server: Custom, the firmware doesn't try to do any ACME challenges itself and should just use the certs I provide. However, in the logs, I see that it is trying to do ACME HTTP challenges on port 80, which goes to my webserver instead.
What would be the correct solution for me?
Other notes:
- If I select NONE instead of Free Cert from Let's Encrypt, I get a default self-signed one (expected, I guess). And when I go back to the original setting, the expired cert comes up (don't know where it even gets it from at that point)
- If I manually verify the cert in /etc/cert.pem, it is correct
- I understand that the ddns-start script is for updating my IP with an external service, but it seems more practical to handle it here than starting a separate cron job. This doesn't seem to be the problem in and of itself, because the web UI does reflect the updated certificate in the settings; it is just refusing to SERVE that certificate. I would run into the same issue if I were trying to do this manually or with cron
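The following is an added example of a /jffs/scripts/ddns-start that does what the post describes, with the checks a practitioner would want before overwriting the router's certificate: that the private key actually belongs to the certificate, that the certificate is not about to expire, and that the copy is skipped when nothing changed. It also includes a helper that fetches the certificate the router's httpd is really presenting, so the file on disk can be compared with what is served (the symptom in the post). This is not the poster's script and not firmware code. Assumed and not in the post: the Samba share is mounted at /tmp/mnt/certs and contains fullchain.pem and privkey.pem as written by the ACME client; the /etc/cert.pem and /etc/key.pem destinations and the /sbin/ddns_custom_updated 1 call are taken from the post.

```shell
#!/bin/sh
# /jffs/scripts/ddns-start  (added example, not the poster's script)
#
# Copies an externally maintained Let's Encrypt certificate onto the router and
# reports a successful custom DDNS update, but only after sanity-checking the
# files. ASSUMPTIONS (not in the original post): the share is mounted at
# /tmp/mnt/certs and holds fullchain.pem / privkey.pem. Destinations and the
# ddns_custom_updated call are from the post. Override any path via environment.

SRC_CERT="${SRC_CERT:-/tmp/mnt/certs/fullchain.pem}"
SRC_KEY="${SRC_KEY:-/tmp/mnt/certs/privkey.pem}"
DST_CERT="${DST_CERT:-/etc/cert.pem}"
DST_KEY="${DST_KEY:-/etc/key.pem}"
MIN_DAYS="${MIN_DAYS:-7}"   # refuse to install a cert that expires sooner than this

log() {
    logger -t ddns-start "$*" 2>/dev/null || true
    echo "ddns-start: $*" >&2
}

# SHA-256 fingerprint of a PEM certificate file (empty if it cannot be parsed).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds when the SubjectPublicKeyInfo inside CERT equals the public half of KEY.
# Both commands must parse; otherwise two empty strings would compare equal.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds when CERT is still valid DAYS days from now (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Fingerprint of the certificate actually presented on HOST:PORT, to compare with
# cert_fingerprint of the file on disk when the router serves a stale cert.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Validate the share copy and install it. Returns 0 on install or when unchanged.
install_certs() {
    [ -s "$SRC_CERT" ] && [ -s "$SRC_KEY" ] || { log "share files missing"; return 1; }
    cert_matches_key "$SRC_CERT" "$SRC_KEY" || { log "key does not match cert"; return 1; }
    cert_valid_for_days "$SRC_CERT" "$MIN_DAYS" || { log "cert expires within $MIN_DAYS days"; return 1; }
    if [ -s "$DST_CERT" ] && [ "$(cert_fingerprint "$SRC_CERT")" = "$(cert_fingerprint "$DST_CERT")" ]; then
        log "certificate unchanged"
        return 0
    fi
    cp "$SRC_CERT" "$DST_CERT" && cp "$SRC_KEY" "$DST_KEY" && chmod 600 "$DST_KEY" \
        || { log "copy failed"; return 1; }
    log "installed $(cert_fingerprint "$DST_CERT")"
}

main() {
    install_certs || exit 1
    /sbin/ddns_custom_updated 1
}

# Run only when invoked as the ddns-start hook, so the functions can also be sourced
# from an interactive shell for debugging.
case "${0##*/}" in ddns-start) main "$@" ;; esac
```

To diagnose the symptom in the post, source the script on the router and compare `cert_fingerprint /etc/cert.pem` with `served_fingerprint my.domain <https-port>` for whatever port the router's HTTPS UI listens on: if the two differ, the file is correct but httpd has not reloaded it, which separates "wrong file" from "not served" before touching the DDNS settings.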