RT-AC88U how to repair bad certs preventing web server from running - using command line

ags

Regular Contributor
I posted separately about not being able to access the router web interface after I had updated the certificates. Further research provided some clues. It looks like the certificates are bad, and the server daemon tries to start periodically but crashes due to the bad certs. Seems like the next step is to locate the certificates, remove them, and restart the server. I believe the web server is lighttpd. I've searched and found several certs. I tried removing some but they were immediately replaced. Can anyone provide guidance on what the lighttpd startup configuration is, and/or how to locate and disable/remove the certs to get around this problem?

Log entries below:

Dec 10 11:12:42 rc_service: watchdog 424:notify_rc stop_httpd
Dec 10 11:12:42 rc_service: watchdog 424:notify_rc start_httpd
Dec 10 11:12:42 RT-AC88U: start https:8443
Dec 10 11:12:42 RT-AC88U: start httpd:80
Dec 10 11:12:43 httpd: Failed to initialize SSL, generating new key/cert...80
Dec 10 11:12:43 httpd: Save SSL certificate...80
Dec 10 11:12:43 httpd: Failed to initialize SSL, generating new key/cert...80
Dec 10 11:12:43 httpd: Unable to start in SSL mode, exiting! 80
Dec 10 11:12:43 httpd: Save SSL certificate...8443
Dec 10 11:12:43 httpd: Failed to initialize SSL, generating new key/cert...8443
Dec 10 11:12:43 httpd: Save SSL certificate...8443
Dec 10 11:12:43 httpd: Failed to initialize SSL, generating new key/cert...8443
Dec 10 11:12:43 httpd: Unable to start in SSL mode, exiting! 8443
 

RMerlin

Asuswrt-Merlin dev
Make sure you don't use EC certificates if you provide your own, they aren't supported. Use standard RSA.
 

ags

Regular Contributor
I used the same type of certs from Let's Encrypt as worked before for me (I have to upload them manually since my ISP blocks port 80 and the automatic system doesn't work).

Do you know where those certs are located on the router file system so I can delete them? I am hoping that would allow me to restart lighttpd so I can then use the web interface to upload correct certs.
 

RMerlin

Asuswrt-Merlin dev
/jffs/.cert/

BTW, the router uses a proprietary httpd daemon. Lighttpd is only used for AiCloud.
 

ags

Regular Contributor
Thanks RMerlin!! That was the ticket. I replaced the cert.key and the server restarted and I'm up again.

I think I may just use this method to update the certs. When I last tried using the web/UI, I had problems (and ultimately corrupted them and crashed the server). I don't use DDNS, but I have to enable it to get the interface to update the certs. But that doesn't seem to work -- after a reboot, the old certs remain loaded. I don't know if anyone else has seen and/or reported this problem.


I was wondering why the log showed httpd not lighttpd.
 
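Before copying a replacement pair into /jffs/.cert/ by hand, as the post above describes, it is worth checking it offline for the failure modes this thread has hit: an EC key (RMerlin: not supported, use RSA), a cert whose public key does not belong to the private key next to it, and a cert that is already expired. The script below is an added example, not code from the thread or from Asuswrt-Merlin; it assumes the openssl command-line tool (1.1.1 or newer) is available, and every file it uses (rsa.key, ec.key, other.key, the router.example subject) is constructed on the spot rather than taken from a real router.

```sh
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin: sanity-check a
# certificate/key pair before copying it into /jffs/.cert/ on the router. It
# catches the failure modes discussed above: an EC key (RMerlin: unsupported,
# use RSA), a cert whose public key does not belong to the private key, and a
# cert that has already expired. Requires the openssl CLI (1.1.1 or newer).
# The demo file names and subject below are assumptions, not real router data.

# Print the private key's algorithm: RSA, EC or unknown.
key_algorithm() {
    if openssl rsa -in "$1" -noout >/dev/null 2>&1; then echo RSA
    elif openssl ec -in "$1" -noout >/dev/null 2>&1; then echo EC
    else echo unknown
    fi
}

# Return 0 if the public key in cert $1 is the one derived from private key $2.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if cert $1 is still valid $2 seconds from now (default: right now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Run all three checks on cert $1 / key $2, print one verdict line each,
# and return 0 only if every check passed.
check_pair() {
    rc=0
    alg=$(key_algorithm "$2")
    if [ "$alg" = RSA ]; then echo "ok   key is RSA"
    else echo "FAIL key is $alg (the router's httpd wants RSA)"; rc=1
    fi
    if pair_matches "$1" "$2"; then echo "ok   cert public key matches key"
    else echo "FAIL cert public key does not match key"; rc=1
    fi
    if cert_valid_for "$1" 0; then echo "ok   cert has not expired"
    else echo "FAIL cert expired or unreadable"; rc=1
    fi
    return $rc
}

# --- constructed demo material (self-signed, invented subject; not real certs) ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj /CN=router.example \
    -keyout "$demo/rsa.key" -out "$demo/rsa.crt" 2>/dev/null
openssl ecparam -genkey -name prime256v1 -noout -out "$demo/ec.key" 2>/dev/null
openssl req -x509 -new -key "$demo/ec.key" -days 30 -subj /CN=router.example \
    -out "$demo/ec.crt" 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null

echo "== RSA pair (expect all ok) =="
check_pair "$demo/rsa.crt" "$demo/rsa.key"
echo "== EC pair (expect key FAIL) =="
check_pair "$demo/ec.crt" "$demo/ec.key" || true
echo "== RSA cert with the wrong key (expect match FAIL) =="
check_pair "$demo/rsa.crt" "$demo/other.key" || true
```

Run `check_pair` against the two files you are about to copy; only when every line reads `ok` is the pair worth putting into /jffs/.cert/ and restarting httpd. The key/cert match test compares the SubjectPublicKeyInfo from both files, so it works for any key type, while the RSA test relies on `openssl rsa` refusing to load anything that is not an RSA key.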

RMerlin

Asuswrt-Merlin dev
As I said above, the web interface does not use lighttpd, it uses a proprietary daemon simply called httpd.
 

ags

Regular Contributor
Exactly - I was offering that what you said explained why I saw httpd instead of lighttpd in the logs...

Now I have a new problem - the root and intermediate certs are expired. Can I just concatenate them into the single file (/jffs/.cert/cert.pem) or do I need to install that somewhere else (different directory or file (e.g. ca.pem))? [If concatenating into a single file, does the order of certs matter (e.g. "top down", starting from root to intermediate to local)?]

 

RMerlin

Asuswrt-Merlin dev
I doubt that concatenating will work. You might need to upgrade to a newer firmware that contains an updated root certificate list (no idea how up to date Asus keeps it in their firmware).
 

ags

Regular Contributor
I updated to the latest firmware (3.0.0.4.386_45987) and it did not include updated root certs. My cert is valid but the intermediate (R3) and root (DST Root CA X3) are expired. My cert is from R3 but on my NAS I was able to update the "chain" with a new R3 cert issued by ISRG Root X1. I've read this expiration was a problem for many. There must be a way to update the router...

I did find that in addition to the /jffs/.cert directory, there is a /jffs/.le/<domain name> directory which I believe is for Let's Encrypt. It contains files named chain.pem, fullchain.pem, fullchain.cer and ca.cer. I can't figure out how these may be used or interact with the cert I added to /jffs/.cert to fix my original problem (corrupted cert when uploading using the web UI).

Any suggestions?
 
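Two questions in the posts above can be answered mechanically against a PEM bundle: whether the certificates in it are in the order a TLS server needs (leaf first, then its issuer, and so on upward; the root is optional), and which members of the chain are expired or about to expire, which is the R3 / DST Root CA X3 situation described. The script below is an added example, not code from the thread, from Asuswrt-Merlin, or from Let's Encrypt; it assumes the openssl command-line tool (1.1.1 or newer), and the root, intermediate and leaf it builds (Demo-Root, Demo-Intermediate, router.example) are invented demo material, not real CA certificates.

```sh
#!/bin/sh
# Added example, not code from the thread, Asuswrt-Merlin or Let's Encrypt: build
# a constructed root -> intermediate -> leaf chain with openssl, write a bundle
# in the order a TLS server presents it (leaf first, then its issuer, and so on
# up the chain, root optional), and check any PEM bundle for the two things
# raised above: whether its certificates are in that order, and whether any of
# them has expired or is about to. Names, subjects and file layout are invented.
# Requires the openssl CLI (1.1.1 or newer).

# Split PEM bundle $1 into $2/1.pem, $2/2.pem, ... and print how many there were.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++; f = sprintf("%s/%d.pem", dir, i) }
        i                             { print > f }
        /-----END CERTIFICATE-----/   { close(f) }' "$1"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if every cert in bundle $1 is issued by the cert that follows it,
# i.e. the file reads leaf, intermediate(s), (optionally) root.
chain_order_ok() {
    tmp=$(mktemp -d); n=$(split_bundle "$1" "$tmp"); rc=0; i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer -nameopt RFC2253)
        subj=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject -nameopt RFC2253)
        if [ "${iss#issuer=}" = "${subj#subject=}" ]; then
            echo "ok   cert $i is issued by cert $((i + 1)) (${subj#subject=})"
        else
            echo "FAIL cert $i issuer '${iss#issuer=}' != cert $((i + 1)) subject '${subj#subject=}'"
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"; return $rc
}

# Return 0 if no cert in bundle $1 expires within $2 seconds (default 0: now).
chain_expiring() {
    tmp=$(mktemp -d); n=$(split_bundle "$1" "$tmp"); rc=0; i=1
    while [ "$i" -le "$n" ]; do
        subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject -nameopt RFC2253)
        end=$(openssl x509 -in "$tmp/$i.pem" -noout -enddate)
        if openssl x509 -in "$tmp/$i.pem" -noout -checkend "${2:-0}" >/dev/null; then
            echo "ok   ${subj#subject=} valid until ${end#notAfter=}"
        else
            echo "FAIL ${subj#subject=} expires within ${2:-0}s (${end#notAfter=})"; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"; return $rc
}

# Verify the first cert of bundle $1 up to trusted root $2, using the rest of
# the bundle as untrusted intermediates, which is what a TLS client does.
verify_bundle() {
    tmp=$(mktemp -d); split_bundle "$1" "$tmp" >/dev/null
    if openssl verify -CAfile "$2" -untrusted "$1" "$tmp/1.pem"; then rc=0; else rc=1; fi
    rm -rf "$tmp"; return $rc
}

# --- constructed demo chain: invented names, not real CA material ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$demo/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Root \
    -keyout "$demo/root.key" -out "$demo/root.csr" 2>/dev/null
openssl x509 -req -in "$demo/root.csr" -signkey "$demo/root.key" -days 30 \
    -extfile "$demo/ca.ext" -out "$demo/root.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Intermediate \
    -keyout "$demo/int.key" -out "$demo/int.csr" 2>/dev/null
openssl x509 -req -in "$demo/int.csr" -CA "$demo/root.crt" -CAkey "$demo/root.key" \
    -CAcreateserial -days 30 -extfile "$demo/ca.ext" -out "$demo/int.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj /CN=router.example \
    -keyout "$demo/leaf.key" -out "$demo/leaf.csr" 2>/dev/null
openssl x509 -req -in "$demo/leaf.csr" -CA "$demo/int.crt" -CAkey "$demo/int.key" \
    -CAcreateserial -days 30 -out "$demo/leaf.crt" 2>/dev/null

# Leaf first, then its issuer: the order a server-side fullchain file needs.
cat "$demo/leaf.crt" "$demo/int.crt" >"$demo/fullchain.pem"
# Root, intermediate, leaf: the "top down" order asked about in the thread.
cat "$demo/root.crt" "$demo/int.crt" "$demo/leaf.crt" >"$demo/reversed.pem"

echo "== fullchain.pem order =="
chain_order_ok "$demo/fullchain.pem"
echo "== reversed.pem order =="
chain_order_ok "$demo/reversed.pem" || true
echo "== expiry, now =="
chain_expiring "$demo/fullchain.pem" 0
echo "== expiry, within 60 days =="
chain_expiring "$demo/fullchain.pem" $((60 * 86400)) || true
echo "== verify leaf against root =="
verify_bundle "$demo/fullchain.pem" "$demo/root.crt"
```

Pointed at the files under /jffs/.le/<domain name>/ mentioned above, `chain_expiring` shows which member of the chain is the expired one, and `chain_order_ok` tells you whether a concatenated file is in leaf-first order. Whether the router's httpd will read intermediates out of /jffs/.cert/cert.pem at all is a separate question the script cannot answer; it only tells you whether the file you are about to hand it is internally consistent.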

L&LD

Part of the Furniture
Does a full reset to factory defaults not give you updated certificates?
 

ags

Regular Contributor
I updated to the latest firmware, thinking if there were updated certs they'd be included.

I would use the web interface for uploading certs, but that seems to not work properly (particularly since I have a non-public (private) WAN address, my ISP blocks port 80, and I don't use DDNS).

I am avoiding a factory reset, as every time I've done that in the past it's been days, if not weeks, before I had things working as intended. I understand that's not a popular statement/position here.
 
