Solved webgui SSL certificate install script

sarmenator

Occasional Visitor
Can someone please point me to the correct script I can use to update the webgui certificate when I am using the "import your own" option?

Background:
I am using a downloaded acme.sh script to issue custom Let's Encrypt certificates for my router with multiple SANs and wildcards. I have a script that installs the .key and .crt files in a folder inside jffs. I am looking for the correct commands to copy them to the right location and the proper NVRAM variables to toggle to get the FW to use them. Then I can use the script as part of my renew command script. I found the script below, but it does not seem to be working, or is outdated.

Are these steps correct, or am I missing something?
  1. Copy the cert files to:
     /jffs/.cert/cert.pem
     /jffs/.cert/key.pem
  2. Restart the service:
     service restart_httpd
I am running 386.3_2 on an AX86U.

Thanks in Advance!
 

sarmenator

Occasional Visitor
This is the script I'm tweaking, for your reference:

Bash:
#!/bin/sh
# Disable saving of the current certificate while we swap the files
nvram set https_crt_save=0
# Remove the running copies and the saved copies (-f so a missing file does not abort the rest)
rm -f /etc/key.pem /etc/cert.pem
rm -f /jffs/.cert/cert.pem /jffs/.cert/key.pem
# Install our own certificate (fullchain) and key where the webgui reads them
cp -f /jffs/my_certs/cert.crt /jffs/.cert/cert.pem
cp -f /jffs/my_certs/cert.key /jffs/.cert/key.pem
# le_enable=2 selects the "import your own" certificate option; save it and clear the old nvram copy
nvram set le_enable=2
nvram set https_crt_save=1
nvram set https_crt_file=""
service restart_httpd
nvram commit
 

Dabombber

Senior Member
If you've already set your router to use a custom certificate, you don't need to set any nvram values. There are also some variables set by acme which can make it a bit easier.

Bash:
#!/bin/sh

# Preset variables
# CERT_PATH
# CA_CERT_PATH
# CERT_FULLCHAIN_PATH
# CERT_KEY_PATH
# Le_Domain

# Check the certificate is for the right domain, replace example.com with your own
if [ "$Le_Domain" = 'example.com' ]; then
    logger -t 'acme' "running reload script ($0)"

    # Copy the files to where the webgui uses them
    cp -f "$CERT_FULLCHAIN_PATH" '/jffs/.cert/cert.pem'
    cp -f "$CERT_KEY_PATH" '/jffs/.cert/key.pem'

    # Restart the webgui
    service restart_httpd
fi

The other option is to just set acme to do everything using the command line options:
Bash:
--fullchain-file '/jffs/.cert/cert.pem' --key-file '/jffs/.cert/key.pem' --reloadcmd 'service restart_httpd'
 
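An added example, not from this thread or from acme.sh itself, of a fuller --reloadcmd script in the same spirit as the one above: before touching /jffs/.cert it checks that the private key belongs to the leaf certificate, that the certificate is not expired, and that it covers the domain (wildcard SANs included); then it installs both files atomically with mode 0600 and restarts httpd. It assumes the acme.sh variables named above (CERT_FULLCHAIN_PATH, CERT_KEY_PATH, Le_Domain), that the web UI reads /jffs/.cert/cert.pem and key.pem, and that openssl is on PATH (acme.sh needs it anyway). The two environment overrides WEBGUI_CERT_DIR and WEBGUI_RESTART_CMD are my own additions so the checks can be tried off the router.

```shell
#!/bin/sh
# Added example (not part of the thread or of acme.sh): validating --reloadcmd
# for the Asuswrt-Merlin web UI. Assumes acme.sh exports CERT_FULLCHAIN_PATH,
# CERT_KEY_PATH and Le_Domain, that httpd reads /jffs/.cert/{cert,key}.pem,
# and that openssl is on PATH. WEBGUI_CERT_DIR / WEBGUI_RESTART_CMD are
# hypothetical overrides for testing outside the router.

WEBGUI_CERT_DIR="${WEBGUI_CERT_DIR:-/jffs/.cert}"
WEBGUI_RESTART_CMD="${WEBGUI_RESTART_CMD:-service restart_httpd}"

log() {
    # syslog on the router (if logger exists), stderr everywhere
    command -v logger >/dev/null 2>&1 && logger -t acme -- "$*"
    echo "acme: $*" >&2
}

# 0 only if the private key matches the leaf cert (first cert in the fullchain).
# Compares PEM public keys, so it works for RSA and EC keys alike.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 only if the leaf cert has not expired yet.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 only if the cert covers the hostname (SAN, CN fallback, single-label wildcards).
# openssl prints "does match" / "does NOT match" and exits 0 either way, so grep.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Atomic 0600 install: write a temp file beside the target (same filesystem)
# and rename over it, so httpd never reads a half-written cert or key.
install_0600() {
    src=$1; dst=$2; tmp="$dst.tmp.$$"
    ( umask 077 && cp -f "$src" "$tmp" ) || return 1
    chmod 600 "$tmp" && mv -f "$tmp" "$dst"
}

# Validate, then install and restart. Installs nothing and returns non-zero if
# the key does not match, the cert is expired, or it does not cover $domain.
install_webgui_cert() {
    fullchain=$1; key=$2; domain=$3
    [ -s "$fullchain" ] && [ -s "$key" ] || { log "missing cert or key"; return 1; }
    cert_key_match "$fullchain" "$key" || { log "key does not match cert, not installing"; return 1; }
    cert_not_expired "$fullchain" || { log "cert is expired, not installing"; return 1; }
    cert_covers_host "$fullchain" "$domain" || { log "cert does not cover $domain, not installing"; return 1; }
    mkdir -p "$WEBGUI_CERT_DIR" || return 1
    install_0600 "$fullchain" "$WEBGUI_CERT_DIR/cert.pem" || return 1
    install_0600 "$key" "$WEBGUI_CERT_DIR/key.pem" || return 1
    log "installed certificate for $domain into $WEBGUI_CERT_DIR, restarting httpd"
    $WEBGUI_RESTART_CMD   # unquoted on purpose: "service restart_httpd" is two words
}

# acme.sh sets these when it runs the --reloadcmd; sourced elsewhere (e.g. for
# testing) the file only defines the functions. Replace example.com with your own.
if [ -n "$CERT_FULLCHAIN_PATH" ] && [ -n "$CERT_KEY_PATH" ]; then
    install_webgui_cert "$CERT_FULLCHAIN_PATH" "$CERT_KEY_PATH" "${Le_Domain:-example.com}"
fi
```

Save it under /jffs/scripts, make it executable, and pass its path to acme.sh as --reloadcmd (with --issue or --install-cert). The point of the checks is that a mismatched key, a stale certificate, or a certificate issued for the wrong name is rejected before anything in /jffs/.cert is overwritten, instead of being discovered only after httpd has restarted.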

sarmenator

Occasional Visitor
Thanks! This is great info.
Just to confirm: if I go with the acme command line option, I should use them with my --install-cert command, correct?
 

Dabombber

Senior Member
Actually, after looking through the code, you might want to use --reloadcmd instead. It can be used with either --install-cert or --issue and runs after success, while --renew-hook can only be used with --issue and only runs on renewal (so not on the first certificate request).
 

sarmenator

Occasional Visitor
Thanks! I switched to --reloadcmd. I'm still calling another script instead of just restarting the web server, so I can add customization later if needed.
 
