@davidbalbert
Last active February 29, 2024 16:12
How to install custom SSL certificates on an ASUS RT-N66U running asuswrt-merlin
###########################################
# IMPORTANT NOTE:
#
# As of asuswrt-merlin 380.67 Beta, you
# can now configure SSL certificates from
# the Webui, making these instructions
# unnecessary.
###########################################
# First, enable SSH in the Administration->System tab.
# Then log in to the device.
# Verify that https_crt_save is off
admin@RT-N66U:/tmp/home/root# nvram get https_crt_save
0
# Enable https_crt_save and verify that it was set correctly
admin@RT-N66U:/tmp/home/root# nvram set https_crt_save=1
admin@RT-N66U:/tmp/home/root# nvram get https_crt_save
1
# Write your custom key and certificate to the ephemeral file system.
# Note that these files will not be preserved on restart.
admin@RT-N66U:/tmp/home/root# cat >/etc/key.pem
# paste in key
admin@RT-N66U:/tmp/home/root# cat >/etc/cert.pem
# paste in cert
# Verify https_crt_file is empty
admin@RT-N66U:/tmp/home/root# nvram get https_crt_file
admin@RT-N66U:/tmp/home/root#
# Restart httpd. When httpd starts up with https_crt_save enabled, it does the
# following: If /etc/cert.pem and /etc/key.pem exist, it tars them together and
# saves them in https_crt_file. If they do not exist (this would be the case
# on reboot) and https_crt_file exists, httpd will extract the contents of
# https_crt_file. You can see how this works in the start_ssl function here:
# https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/httpd/httpd.c
admin@RT-N66U:/tmp/home/root# service restart_httpd
# Verify that https_crt_file is now populated
admin@RT-N66U:/tmp/home/root# nvram get https_crt_file
# ...snip...
# Reboot the AP to confirm the cert is restored on boot
admin@RT-N66U:/tmp/home/root# reboot
cristit commented Jan 15, 2023

According to the code, as long as https_crt_save is set to 1 and https_crt_file is unset it should save, but for some reason it was refusing to save the certs to the nvram. I was able to manually save the file by:

tar -czf cert.tgz --transform 's,^,etc/,' cert.pem key.pem
echo $(cat cert.tgz | base64 | tr -d '\n')

And then copying this and pasting it into the router without newlines or spaces at the end (I couldn't paste into the command prompt as it would truncate)

vi /tmp/https_crt_file
nvram set https_crt_file=$(cat /tmp/https_crt_file)
nvram commit

(Updated to add the commit; I also had to unplug power to stop it saving and overwriting the work I had done to create the correct nvram.) Also there is no need to save https certificates: nvram set https_crt_save=0

I tried this method, but the following error occurred:

nvramhttps_crt_file value length is bigger than allowed max length:1024

I'm using the last firmware version, but on ASUS GT-AX11000.

When I try to load the https page, the browser says the certificate is empty. Running command:

nvram get https_crt_file

The output is empty.

Is anybody still able to use his own certificate?

jebeaudet commented Jan 15, 2023

@cristit try with the Web ui first to confirm your key+cert is working, ref https://gist.github.com/davidbalbert/6815258?permalink_comment_id=4047785#gistcomment-4047785

I'm guessing you're hitting a length limit, were you trying to concatenate intermediate certificates into your leaf maybe?

cristit commented Jan 15, 2023

thanks @jebeaudet!

https://router.mydomain.abc says the certificate is empty.

what is the size of the file when you try to read https_crt_file using:

nvram get https_crt_file

vincentkoevoets commented Mar 16, 2023

From this thread it seems EC certificates are not accepted, so only RSA. I've used RSA2048. Also, make sure you don't concatenate intermediate certificates; the certificate uploaded should be the one given by acme, nothing more, nothing less.

This! This turned out to be the problem for me, on stock firmware at least. When I generated my certificates with "--key-type rsa" with certbot, the below commands worked without any problems. I used the exact same commands before on Asusmerlin, and that worked with EC certificates. But I had to revert back to stock firmware, and tried to import my own certificates again, but it did not work. So I think that Merlin has implemented them, but Asus hasn't (yet). Could that be the case?
I am on the ZenWifi XT-8, but I imagine this also goes for the RT-N66U.

So in short:
Copy cert files to:
/jffs/.cert/cert.pem
/jffs/.cert/key.pem
Restart the service
service restart_httpd
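Added example, not from the gist or any commenter: a POSIX sh pre-flight that applies the checks raised in the comments (cristit's https_crt_file length limit and single-line base64 tarball, vincentkoevoets' report that stock firmware took only an RSA key and a lone leaf certificate) before packing cert.pem and key.pem in the etc/-prefixed layout the gist's httpd stores. The function names, the DIR/etc/ layout and the assumption that the 1024-byte limit reported for one GT-AX11000 applies elsewhere are mine; the sample PEM files are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added pre-flight for a router cert/key pair (not from the gist or its comments).
# MAXLEN is the https_crt_file limit one commenter hit on a GT-AX11000; other
# firmware may allow more, so treat it as a reported value, not a constant.
MAXLEN=1024

# check_pem CERT KEY: 0 if the pair matches what the comments say is accepted
check_pem() {
    # stock firmware was reported to reject EC keys, so refuse an EC PEM header
    if grep -q 'BEGIN EC PRIVATE KEY' "$2"; then
        echo "key is EC; the comments report only RSA keys are accepted" >&2
        return 1
    fi
    # a leaf with intermediates concatenated was reported to fail: exactly one block
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    if [ "$n" -ne 1 ]; then
        echo "cert holds $n certificate blocks; upload only the leaf" >&2
        return 2
    fi
    return 0
}

# pack_crt DIR: print DIR/etc/cert.pem and DIR/etc/key.pem as the single-line
# base64 gzip tarball (paths prefixed etc/) that httpd keeps in https_crt_file
pack_crt() {
    tar -C "$1" -cf - etc/cert.pem etc/key.pem | gzip -c | base64 | tr -d '\n'
}

# fits_nvram DIR: 0 if the packed payload is within MAXLEN bytes
fits_nvram() {
    len=$(pack_crt "$1" | wc -c | tr -d ' ')
    [ "$len" -le "$MAXLEN" ]
}

# unpack_cert PAYLOAD: recover etc/cert.pem from a payload to verify a round trip
unpack_cert() {
    printf '%s' "$1" | base64 -d | tar -xzOf - etc/cert.pem
}

# demo_dir: constructed placeholder PEMs (not real key material) in a temp dir
demo_dir() {
    d=$(mktemp -d) && mkdir -p "$d/etc"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/etc/cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/etc/key.pem"
    echo "$d"
}
```

Run as `sh preflight.sh` after the checks with `check_pem DIR/etc/cert.pem DIR/etc/key.pem && fits_nvram DIR && pack_crt DIR` to get a payload that is safe to hand to `nvram set https_crt_file=`.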

sparky3387 commented Aug 21, 2023

It's been a while since I have been in the gist, but for anyone using a Let's Encrypt certificate this script below combined with the following acme.sh command gets a working internal certificate
acme.sh --home /jffs/acme.sh --issue -d example.com --dns dns_cf --debug --fullchain-file /etc/cert.pem --key-file /etc/key.pem --reloadcmd "/jffs/acme.sh/installcertificate.sh"

/jffs/acme.sh/installcertificate.sh

#!/bin/sh
# Pack the freshly issued cert and key (written by acme.sh to /etc) into /jffs/cert.tgz
tar -C / -czf /jffs/cert.tgz etc/cert.pem etc/key.pem
# Tell httpd to persist the cert/key pair, then restart it so it picks them up
nvram set https_crt_save=1
service restart_httpd
