Solved [SOLUTION] Let’s Encrypt + DDNS/WAN Admin Domain Certificate Expired / not auto-renewed


Phantomski

Occasional Visitor
Hi everyone,

I’ve tried to find a similar problem to mine and despite going through few threads I couldn’t find a step by step guide, so apologies if all this was published elsewhere.
Also, thanks @RMerlin for clarifying the issue on GitHub - thank you btw SO much for all the hard work on this amazing custom fw. You’ve solved so many home network challenges for me.

The problem:
- Let’s Encrypt certificate used to verify domain SSL access used for DDNS and WAN webui admin doesn’t get auto renewed before and after expiry
- Let’s Encrypt code, while using acme.sh, is unfortunately closed source, so unavailable for change in Merlin’s fw.
- Manual certificate renewal also fails, most likely (my guess looking at the log) because it’s using port 80 for ACME HTTP-01 token challenge, which obviously fails, as the port 80 is not (wisely) available, even if you enable WAN access.

The solution [RT-AC88U / 384.18 fw]:
- Manually renewing the certificate using latest acme.sh ACME Shell Script and setting up cron auto renewal using this script

Steps:
1. Enable SSH access in webui Administration/System/Service. I suggest “LAN only” and change SSH port to something else than 22, password login would be fine at this point unless you want to play with keys.

2. SSH into your router.
Either from linux by:
ssh your_username@your_router_address -p your_chosen_port
or using your favourite SSH capable terminal like PuTTY or Win10’s Windows Terminal

3. Install acme.sh from GitHub Repository either by:
curl https://get.acme.sh | sh
or
wget -O - https://get.acme.sh | sh
and then:
acme.sh --install
This will complete all necessary steps, including the cron auto renewal job install and aliases setup.

4. Open the port 443 for incoming connections (see Q1 below)

5. Manually issue a new certificate by:
acme.sh --issue --alpn -d example.com
(I prefer to use standalone --alpn mode on port 443 as it doesn’t matter which http server you are using on your router)

6. Copy the generated certificates to their location (see Q2 below) and reload the webui httpd service - this is a necessary step
acme.sh --install-cert -d example.com --cert-file /tmp/etc/cert.pem --key-file /tmp/etc/key.pem --reloadcmd "service restart_httpd"

7. Disable port 443 access again

8. Check certificate is renewed in webui:
- WAN/DDNS/Webui SSL Certificate and
- Administration/System/Local Access Config

Now, I have a few questions, just to make sure:

Q1
- being a newb, I couldn’t find an easier way to enable port 443 for incoming connections, than temporarily disabling firewall (webui Firewall/General) for the certificate renewal duration. I’m sure there’s probably an easier way from shell, I’m open to much more secure suggestions.

Q2 - I’m not sure if /temp/etc is the only location for the certificates. Reading around the forums, it might be just a temporary location, so they might get lost after reboot. I couldn’t find a permanent location, perhaps /rom/etc/ssl/certs/ ?

Sources:
[1] acme.sh ACME Shell GitHub repository
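For Q1, one way to open TCP/443 only for the duration of the renewal instead of switching the whole firewall off, as an added example that is not from the original post, from acme.sh or from Asuswrt-Merlin. It assumes iptables is on the router's PATH, acme.sh is installed as in step 3, and nothing else on the router listens on 443 while it runs; DOMAIN, CERT_FILE, KEY_FILE and DRY_RUN are this example's own variables.

```shell
#!/bin/sh
# Added example (not from the original post, acme.sh or Asuswrt-Merlin):
# open TCP/443 only for the renewal run, then close it again even if acme.sh fails.
# Assumptions: iptables is on PATH, acme.sh is installed as in step 3 of the post,
# and nothing else on the router is listening on 443 during the run.

DOMAIN="${DOMAIN:-example.com}"
CERT_FILE="${CERT_FILE:-/tmp/etc/cert.pem}"
KEY_FILE="${KEY_FILE:-/tmp/etc/key.pem}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Run a command, or only print it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY: %s\n' "$*"
    else
        "$@"
    fi
}

# The single firewall rule we add and later remove. Using the exact same rule
# specification for -I and -D means -D deletes only our rule, not someone else's.
rule_spec() {
    printf '%s' "INPUT -p tcp --dport 443 -j ACCEPT"
}

open_443()  { run_cmd iptables -I $(rule_spec); }
close_443() { run_cmd iptables -D $(rule_spec); }

# Open the port, renew with the ALPN challenge on 443, install the cert and
# reload httpd exactly as in steps 5 and 6, then close the port again.
renew() {
    open_443 || return 1
    # Close the port on exit, including Ctrl-C or an acme.sh failure.
    trap 'close_443' EXIT INT TERM
    run_cmd acme.sh --issue --alpn -d "$DOMAIN" || return 1
    run_cmd acme.sh --install-cert -d "$DOMAIN" \
        --cert-file "$CERT_FILE" --key-file "$KEY_FILE" \
        --reloadcmd "service restart_httpd"
}

# Usage on the router: sh renew443.sh run   (try DRY_RUN=1 first to see the commands)
case "${1:-}" in
    run) renew; exit $? ;;
esac
```

Run it with DRY_RUN=1 once to see exactly which iptables and acme.sh commands it would execute before letting it touch the live firewall.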