What's new

Solved webgui SSL certificate install script

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

sarmenator

Occasional Visitor
Can someone please point me to the correct script I can use to update the webgui certificate when I am using the import your own option

Background:
I am using a downloaded acme.sh script to issue custom letsencrypt certificates for my router with multiple SANs and wildcards. I have a script that installs the .key and .crt files in a folder inside jffs. I am looking for the correct commands to copy them to the right location and proper NVRAM variables to toggle to get the FW to use them. Then, I can use the script as part of my renew command script. I found below script but it does not seem to be working or is outdated



Are these steps correct or missing things?
  1. Copy cert files to:
    /jffs/.cert/cert.pem
    /jffs/.cert/key.pem
  2. Restart the service
    service restart_httpd
I am running 386.3_2 on ax86u

Thanks in Advance!
 
This is the script Im tweaking for your reference

#!/bin/sh
nvram set https_crt_save=0
rm /etc/key.pem && rm /etc/cert.pem
rm /jffs/.cert/cert.pem && rm /jffs/.cert/key.pem
cp -f /jffs/my_certs/cert.crt /jffs/.cert/cert.pem
cp -f /jffs/my_certs/cert.key /jffs/.cert/key.pem
nvram set le_enable=2
nvram set https_crt_save=1
nvram set https_crt_file=""
service restart_httpd
nvram commit
 
If you've already set your router to use a custom certificate, you don't need to set any nvram values. There's also some variables set by acme which can make it a bit easier.

Bash:
#!/bin/sh

# Preset variables
# CERT_PATH
# CA_CERT_PATH
# CERT_FULLCHAIN_PATH
# CERT_KEY_PATH
# Le_Domain

# Check the certificate is for the right domain, replace example.com with your own
if [ "$Le_Domain" = 'example.com' ]; then
    logger -t 'acme' "running reload script ($0)"

    # Copy the files to where the webgui uses them
    cp -f "$CERT_FULLCHAIN_PATH" '/jffs/.cert/cert.pem'
    cp -f "$CERT_KEY_PATH" '/jffs/.cert/key.pem'

    # Restart the webgui
    service restart_httpd
fi

The other option is to just set acme to do everything using the command line options
Bash:
--fullchain-file '/jffs/.cert/cert.pem' --key-file '/jffs/.cert/key.pem' --reloadcmd 'service restart_httpd'
 
Last edited:
Thanks! This is great info.
just to confirm if I go the acme command line option, I should use them with my —install-cert command correct?
 
Actually, after looking through the code you might want to use --reloadcmd instead. It can be used with either --install-cert or --issue and runs after success, while --renew-hook can only be used with --issue and only runs on renewal (so not the first certificate request).
 
Thanks! I switched to --reloadcmd. Still calling another script instead of just restarting web server so I can add customization if needed later.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top