@adorobis
Forked from davidbalbert/gist:6815258
Last active January 9, 2022 04:29
How to install custom SSL certificates on an ASUS RT-N66U running asuswrt-merlin
###########################################
# IMPORTANT NOTE:
#
# As of asuswrt-merlin 380.67 Beta, you
# can now configure SSL certificates from
# the Webui, making these instructions
# unnecessary.
###########################################
# First, enable SSH in the Administration->System tab.
# Then log in to the device.
# Verify that https_crt_save is off
admin@RT-N66U:/tmp/home/root# nvram get https_crt_save
0
# Enable https_crt_save and verify that it was set correctly
admin@RT-N66U:/tmp/home/root# nvram set https_crt_save=1
admin@RT-N66U:/tmp/home/root# nvram get https_crt_save
1
# Write your custom key and certificate to the ephemeral file system.
# Note that these files will not be preserved on restart.
admin@RT-N66U:/tmp/home/root# cat >/etc/key.pem
# paste in key
admin@RT-N66U:/tmp/home/root# cat >/etc/cert.pem
# paste in cert
# Verify https_crt_file is empty
admin@RT-N66U:/tmp/home/root# nvram get https_crt_file
admin@RT-N66U:/tmp/home/root#
# Restart httpd. When httpd starts with https_crt_save enabled it does the
# following: if /etc/cert.pem and /etc/key.pem exist, it tars them together and
# stores the result in the https_crt_file nvram variable; if they do not exist
# (the case after a reboot, since /etc is ephemeral) but https_crt_file is set,
# httpd extracts the two files from it. See the start_ssl function here:
# https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/httpd/httpd.c
admin@RT-N66U:/tmp/home/root# service restart_httpd
# Check that https_crt_file is now populated
admin@RT-N66U:/tmp/home/root# nvram get https_crt_file
# ...snip...
# Reboot the router to confirm the cert is restored from nvram on boot
admin@RT-N66U:/tmp/home/root# reboot
#!/bin/sh
# Builds a single script locally (router.sh) and runs it on the router over ssh.
# Replace letsencrypt.crt / .key below with your own certificate and key files.
set -eu
umask 077            # router.sh will embed the TLS private key: owner-only permissions
SCRIPT=./router.sh
rm -f "$SCRIPT"
# Below section creates the single script that will be executed remotely on the router.
# The delimiter is quoted so nothing in the remote script is expanded locally.
cat <<'EOT' >> "$SCRIPT"
#!/bin/sh
cd /etc
ls *.pem
rm -f *.pem
nvram set https_crt_save=0
nvram unset https_crt_file
service restart_httpd
echo "httpd restarted"
nvram unset https_crt_file
service restart_httpd
echo "httpd restarted"
nvram get https_crt_file
# The .pem files get recreated after the httpd restart: wait, then remove them again.
sleep 20
ls *.pem
rm -f *.pem
nvram set https_crt_save=1
cat <<EOT >> cert.pem
EOT
# Certificate body; the remote "cat <<EOT >> cert.pem" line above reads it as a heredoc.
cat /etc/certificates/letsencrypt.crt >> "$SCRIPT"
# For some reason my letsencrypt.crt file does not end with a newline (this may not always
# be the case); without one "EOT" would be glued to the last PEM line and never terminate
# the heredoc on the router.
echo "" >> "$SCRIPT"
echo "EOT" >> "$SCRIPT"
cat <<'EOT' >> "$SCRIPT"
cat <<EOT >> key.pem
EOT
cat /etc/certificates/letsencrypt.key >> "$SCRIPT"
echo "" >> "$SCRIPT"     # same trailing-newline guard for the key
echo "EOT" >> "$SCRIPT"
cat <<'EOT' >> "$SCRIPT"
rm -f server.pem
# Create server.pem from the key followed by the certificate.
cat key.pem > server.pem
cat cert.pem >> server.pem
service restart_httpd
nvram get https_crt_file
EOT
# Execute the script remotely on the router. Replace privatekey.pem with the ssh private key
# you created to access the router, admin with the correct user id and the IP address with
# your router's IP address. accept-new trusts the router's host key on first use but refuses
# a changed key, so the TLS private key is not pushed to a host that merely answers on that IP.
ssh -o StrictHostKeyChecking=accept-new -p 4092 -i privatekey.pem admin@10.144.1.1 < "$SCRIPT"
rm -f "$SCRIPT"          # do not leave a copy of the TLS private key behind
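Two things in the manual procedure above and in router.sh are easy to get wrong, and both can leave HTTPS on the router broken until you repair it over ssh: pushing a key that does not belong to the certificate, and a PEM file without a final newline (the problem the `echo ""` before each `EOT` works around). The script below is an added example and not part of the gist: it checks the cert/key pair before the push and, after `service restart_httpd`, compares the SHA-256 fingerprint the router actually serves with the local file. The file names ./letsencrypt.crt and ./letsencrypt.key and the WebUI address 10.144.1.1:8443 are assumptions; the gist does not state the HTTPS port.

```sh
#!/bin/sh
# Added example (not part of the gist): sanity checks around the certificate push.
# preflight: refuse to push a cert/key pair that would break the router's httpd.
# verify:    confirm the router really serves the certificate that was pushed.
# Assumed names: ./letsencrypt.crt, ./letsencrypt.key, WebUI at 10.144.1.1:8443.

# 0 if the file is non-empty and ends with a newline. router.sh embeds the PEM
# files in heredocs; without a final newline the "EOT" terminator is glued to the
# last PEM line and the remote script silently misparses.
pem_ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Number of PEM blocks in $1 whose label matches $2 (e.g. CERTIFICATE or "PRIVATE KEY").
pem_count() {
    grep -c "^-----BEGIN .*$2-----$" "$1"
}

# 0 if the private key really belongs to the certificate: compare the public key
# (SubjectPublicKeyInfo) derived from each. A mismatch is the usual reason httpd
# cannot bring HTTPS back up after the restart, leaving only ssh access.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# All pre-flight checks on cert $1 and key $2: prints each failure, returns 1 if any.
preflight() {
    rc=0
    for f in "$1" "$2"; do
        pem_ends_with_newline "$f" || { echo "$f: empty or missing trailing newline"; rc=1; }
    done
    [ "$(pem_count "$1" CERTIFICATE)" -ge 1 ] || { echo "$1: no CERTIFICATE block"; rc=1; }
    [ "$(pem_count "$2" 'PRIVATE KEY')" -eq 1 ] || { echo "$2: expected exactly one PRIVATE KEY block"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "$2 does not match $1"; rc=1; }
    return $rc
}

# SHA-256 fingerprint (AA:BB:...) of a local certificate file.
local_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate presented at host:port ($1).
served_cert_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Usage: ./check.sh preflight CERT KEY      (before running router.sh)
#        ./check.sh verify CERT HOST:PORT   (after service restart_httpd)
case "${1:-}" in
    preflight) preflight "$2" "$3" && echo "pre-flight OK" ;;
    verify)
        want=$(local_cert_fingerprint "$2"); got=$(served_cert_fingerprint "$3")
        echo "local  $want"; echo "served $got"
        [ -n "$got" ] && [ "$want" = "$got" ] ;;
esac
```

Run `./check.sh preflight letsencrypt.crt letsencrypt.key` before router.sh and `./check.sh verify letsencrypt.crt 10.144.1.1:8443` after it; a non-zero exit from verify means httpd is still serving the old (or its self-generated) certificate and the nvram/restart step should be inspected before trusting the deployment.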