###########################################
# IMPORTANT NOTE:
#
# As of asuswrt-merlin 380.67 Beta, you
# can now configure SSL certificates from
# the Webui, making these instructions
# unnecessary.
###########################################
# First, enable SSH in the Administration->System tab.
# Then log in to the device.
# Verify that https_crt_save is off
admin@RT-N66U:/tmp/home/root# nvram get https_crt_save
0
# Enable https_crt_save and verify that it was set correctly
admin@RT-N66U:/tmp/home/root# nvram set https_crt_save=1
admin@RT-N66U:/tmp/home/root# nvram get https_crt_save
1
# Write your custom key and certificate to the ephemeral file system.
# Note that these files will not be preserved on restart.
admin@RT-N66U:/tmp/home/root# cat >/etc/key.pem
# paste in key
admin@RT-N66U:/tmp/home/root# cat >/etc/cert.pem
# paste in cert
# Verify https_crt_file is empty
admin@RT-N66U:/tmp/home/root# nvram get https_crt_file
admin@RT-N66U:/tmp/home/root#
# Restart httpd. When httpd starts up with https_crt_save enabled, it does the
# following: If /etc/cert.pem and /etc/key.pem exist, it tars them together and
# saves them in https_crt_file. If they do not exist (this would be the case
# on reboot) and https_crt_file exists, httpd will extract the contents of
# https_crt_file. You can see how this works in the start_ssl function here:
# https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/httpd/httpd.c
admin@RT-N66U:/tmp/home/root# service restart_httpd
# Ensure https_crt_file is now full
admin@RT-N66U:/tmp/home/root# nvram get https_crt_file
# ...snip...
# Reboot AP to make sure cert is put back on boot
admin@RT-N66U:/tmp/home/root# reboot
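The gist above pastes the key and certificate straight into /etc and lets httpd pack them into nvram, which gives no feedback when the material is unusable. The script below is an added example, not part of the gist or of any comment on it: it checks a key/cert pair for the three problems reported in the comment thread (intermediates concatenated into the leaf certificate, an EC key on stock firmware, and the https_crt_file length limit) and then performs the gist's own steps. The function names, the NVRAM_MAX value (taken from the "max length:1024" error quoted below, and only an estimate since httpd stores a tar of both files rather than the raw PEM) and the sample PEM blocks are this example's assumptions and constructed inputs.

```shell
#!/bin/sh
# Added example: pre-flight checks for a custom key/cert pair before handing it to
# httpd the way the gist does. Not from the gist or from asuswrt-merlin itself.
# Usage on the router: sh installcert.sh /path/to/key.pem /path/to/cert.pem

# Assumption: the nvram value limit seen in the thread ("max length:1024").
# Raw PEM size is used as a rough estimate of what httpd will store.
NVRAM_MAX=${NVRAM_MAX:-1024}

# Print how many PEM blocks with the given label a file contains.
# Usage: pem_count FILE LABEL   (e.g. pem_count cert.pem CERTIFICATE)
pem_count() {
    grep -c -- "-----BEGIN $2-----" "$1" 2>/dev/null || true
}

# Succeed only if the certificate file holds exactly one certificate.
# A fullchain file (leaf + intermediates) has more and is reported to fail.
cert_is_single() {
    [ "$(pem_count "$1" CERTIFICATE)" -eq 1 ]
}

# Classify the private key from its PEM header: rsa, ec, pkcs8 (type not
# visible in the header) or unknown.
key_type() {
    if grep -q -- "-----BEGIN RSA PRIVATE KEY-----" "$1"; then echo rsa
    elif grep -q -- "-----BEGIN EC PRIVATE KEY-----" "$1"; then echo ec
    elif grep -q -- "-----BEGIN PRIVATE KEY-----" "$1"; then echo pkcs8
    else echo unknown
    fi
}

# Succeed if key + cert together stay within NVRAM_MAX bytes.
fits_nvram() {
    total=$(( $(wc -c < "$1") + $(wc -c < "$2") ))
    [ "$total" -le "$NVRAM_MAX" ]
}

# Run every check; return 0 only when the pair is safe to install.
# The size check only warns: Merlin builds are reported to accept full RSA
# certificates, while the 1024-byte error came from stock firmware.
preflight() {
    key=$1; cert=$2; ok=0
    cert_is_single "$cert" || {
        echo "cert: expected 1 certificate, found $(pem_count "$cert" CERTIFICATE); do not append intermediates" >&2
        ok=1
    }
    case $(key_type "$key") in
        rsa) ;;
        ec)  echo "key: EC keys are reported to fail on stock firmware; use an RSA key" >&2; ok=1 ;;
        *)   echo "key: cannot tell the key type from the PEM header; PKCS#1 RSA is the known-good choice" >&2 ;;
    esac
    fits_nvram "$key" "$cert" ||
        echo "size: key+cert exceed NVRAM_MAX=$NVRAM_MAX bytes; https_crt_file may be rejected" >&2
    return $ok
}

# The gist's install steps: stage the files on the ephemeral filesystem, enable
# https_crt_save and restart httpd so start_ssl packs them into https_crt_file.
install_cert() {
    preflight "$1" "$2" || return 1
    cp "$1" /etc/key.pem && cp "$2" /etc/cert.pem || return 1
    nvram set https_crt_save=1
    service restart_httpd
}

if [ "$#" -eq 2 ]; then
    install_cert "$1" "$2"
fi
```

The checks are deliberately header-based so they run on the router's BusyBox shell without openssl; they catch the reported failure causes but do not verify that the key actually matches the certificate.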
@cristit try with the Web ui first to confirm your key+cert is working, ref https://gist.github.com/davidbalbert/6815258?permalink_comment_id=4047785#gistcomment-4047785
I'm guessing you're hitting a length limit, were you trying to concatenate intermediate certificates into your leaf maybe?
thanks @jebeaudet!
https://router.mydomain.abc says the certificate is empty.
what is the size of the file, when you try to read the https_crt_file using:
nvram get https_crt_file
From this thread it seems EC certificates are not accepted so only RSA. I've used RSA2048. Also, make sure you don't concatenate intermediate certificates, the certificate uploaded should be the one given by acme, nothing more nothing less.
This! This turned out to be the problem for me, on stock firmware at least. When I generated my certificates with "--key-type rsa" with certbot, the below commands worked without any problems. I used the exact same commands before on Asusmerlin, and that worked with EC certificates. But I had to revert back to stock firmware, and tried to import my own certificates again, but it did not work. So I think that Merlin has implemented them, but Asus hasn't (yet). Could that be the case?
I am on the ZenWifi XT-8, but I imagine this also goes for the RT-N66U.
So in short:
Copy cert files to:
/jffs/.cert/cert.pem
/jffs/.cert/key.pem
Restart the service
service restart_httpd
It's been a while since I have been in the gist, but for anyone using a Let's Encrypt certificate this script below combined with the following acme.sh command gets a working internal certificate
acme.sh --home /jffs/acme.sh --issue -d example.com --dns dns_cf --debug --fullchain-file /etc/cert.pem --key-file /etc/key.pem --reloadcmd "/jffs/acme.sh/installcertificate.sh"
/jffs/acme.sh/installcertificate.sh
#!/bin/sh
# Archive the freshly issued cert and key under /jffs so they survive a reboot
# (/etc is ephemeral); then let httpd pick them up as in the gist.
tar -C / -czf /jffs/cert.tgz etc/cert.pem etc/key.pem
nvram set https_crt_save=1
service restart_httpd
I tried this method, but the following error occurred:
nvramhttps_crt_file value length is bigger than allowed max length:1024
I'm using the last firmware version, but on ASUS GT-AX11000.
When I try to load the https page, the browser says the certificate is empty. Running command:
nvram get https_crt_file
The output is empty.
Is anybody still able to use his own certificate?