What's new

[384.12_Alpha - builds] Testing all variants.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Does anyone know an answer to my question about making the Certificate of the HTTPS Local Access more permanent?

I searched the forum, but found no answer..

Dont know if this can be of help, Kvic`s pixelserv-tls can create cert for the router, That how i did ;)
edit:
From RMerlin`s wiki
 
Last edited:
  • Like
Reactions: MDM
Thank you guys for the answers, so I guess there isn't a method for the router to make a permanent one on its own, I must do it instead.
I hoped it could be remedied by RMerlin or other simpler and quicker way, so then a little effort is in order... :)
 
https://www.snbforums.com/threads/384-12_alpha-builds-testing-all-variants.56639/page-11#post-493386

As an update to my post above, I have now tested all possible scenarios with Connect to DNS Server Automatically (using ISP's or CloudFlare DNS servers) and Use local caching DNS Server (in Other Settings) set either to Yes or No.

By far, on my Fibre 1Gbps up/down symmetrical connection, the best combination is 'No' and using the CloudFlare DNS servers and 'Yes' for Use local caching. The page load times are noticeably faster than any other combination I tried. I feel like I'm 'surfing' the net like a 19-year-old, so fast and limber. :)


View attachment 17812 View attachment 17813
View attachment 17814
I’m on 400/20 and using Cloudflare DNS as well. I use the same settings you posted, minus ‘Use local caching DNS Server’ is set to No. I seriously can’t tell a difference between Yes and No. Pages load very quickly regardless of which setting is used. I like the ‘safer and more reliable’ comment in the commit in regards to DNS Privacy and the new default, so I will keep it set to No. Though I can see changing that setting, if there’s an issue with a particular configuration. Maybe your configuration benefits from setting it to Yes?
 
I know I can use the DDNS page, but that still isn't automatic, and above all I have no need to let DDNS enabled..
You should be able to generate a certificate from the ddns page. I don't see why that wouldn't be permanent.
OK this works, even after reboots it sticks! Thanks! :cool:

Did not expect that, I thought you needed to use "Enable the DDNS Client" and leave it ON and use the option "Free Certificate from Let's Encrypt"...
Obviously all that is needed is to enable "Import/Persistent Auto-generated" and click apply (with "Generate a new certificate" set to "Yes").
Annotation 2019-05-27 125802.png


But I am now confused, why does the router itself not enable this option after enabling HTTPS LAN access. I always wondered why it even links you to the DDNS page "Click here to manage.", while there was nothing to manage there.
It is weird the router does not set this on its own, it would ease the life of many.

Is it possible to implement in the FW to automate this process, so that it does it automatically after choosing the HTTPS option (or BOTH) in Authentication Method?
 
I don't use benchmark tools. :)

We're in total agreement there.

I also agree that the images won't be on different sites either. But my issue and at least one other person was that originally, checking for updates in amtm was taking 2 minutes or more (for 8 scripts including amtm).

Thank you for the additional information, but this is the best set up as-is. All websites load as they should, no issues at all. The extra responsiveness is just a bonus I don't want to forgo right now. :)
Do you have AiProtection enabled? I’m just wondering if the “wred” process on the router was generating DNS requests to the TrendMicro servers while you were using the ISP DNS servers that were slow or timing out. These would be impacted by the setting, and since you’re very certain of the speed difference there has to be an explanation somewhere.
 
Somewhat amusingly, I just had a problem related to both certificates and the local DNS resolver setting. My certificate just updated but a printer was still using the outdated one because the script to update it used the host name instead of IP, which now doesn't resolve.

I doubt many people will face similar issues, but I think I'll leave it set to Yes and set the time servers in dnsmasq.postconf to use the ISP DNS directly instead of going through stubby.
Code:
#!/bin/sh

if [ "$(nvram get dns_local_cache)" = "1" ]; then
    {
        NTPSERVERS=""
        for VAR in 0 1; do
            NTP="$(nvram get "ntp_server$VAR")"
            [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
        done
        [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
        for DNS in $(nvram get wan_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for VAR in 1 2 3; do
            DNS="$(nvram get "ipv6_dns$VAR")"
            [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
        done
    } >> "$1"
fi

EDIT: Removed dnspriv_enable check since toggling it reloads dnsmasq, not restarts it.
 
Last edited:
Do you have AiProtection enabled? I’m just wondering if the “wred” process on the router was generating DNS requests to the TrendMicro servers while you were using the ISP DNS servers that were slow or timing out. These would be impacted by the setting, and since you’re very certain of the speed difference there has to be an explanation somewhere.

No, right now and for the past few days (week?), I have had AiProtection disabled.
 
This is how I enabled HTTPS on port 8443 log in: https://github.com/kvic-z/pixelserv-tls/wiki/[ASUSWRT]-Use-Pixelserv-CA-to-issue-a-certificate-for-WebGUI

I ran that once and it has been perminate ever since. Note that I did run Diversion first so that way a certificate was already created for me when Diversion installed Pixelserv.

I ran the helper script and get this error:
-sh: $: not found

Not sure if I'm missing something or not seeing if I'm supposed to put a local data set in there in place of the $
 
I ran the helper script and get this error:
-sh: $: not found

Not sure if I'm missing something or not seeing if I'm supposed to put a local data set in there in place of the $
Try without $
Code:
sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/config-webgui.sh)"
 
I know I can use the DDNS page, but that still isn't automatic, and above all I have no need to let DDNS enabled..

OK this works, even after reboots it sticks! Thanks! :cool:

Did not expect that, I thought you needed to use "Enable the DDNS Client" and leave it ON and use the option "Free Certificate from Let's Encrypt"...
Obviously all that is needed is to enable "Import/Persistent Auto-generated" and click apply (with "Generate a new certificate" set to "Yes").
View attachment 17864

But I am now confused, why does the router itself not enable this option after enabling HTTPS LAN access. I always wondered why it even links you to the DDNS page "Click here to manage.", while there was nothing to manage there.
It is weird the router does not set this on its own, it would ease the life of many.

Is it possible to implement in the FW to automate this process, so that it does it automatically after choosing the HTTPS option (or BOTH) in Authentication Method?
While this works perfectly with Chrome, I can’t get it to work with Firefox.
 
While this works perfectly with Chrome, I can’t get it to work with Firefox.
It is precisely with Firefox its working! (as with IE and Edge)
Although in Firefox I still have the yellow "!" triangle but who cares (because FF does not "trust" local personal Certificates by design even when added as exception), at least now it does work after a reboot.

The issue I had was that after several reboots, and adding exceptions, the "cert8.db" gets corrupted, and I had to restore the file from backup (or delete it), which started being annoying...
 
Last edited:
It is precisely with Firefox its working! (as with IE and Edge)
Although in Firefox I still have the yellow "!" triangle but who cares (because FF does not "trust" personal Certificates by design even when added as exception), at least now it does work after a reboot.

The issue I had was that after several reboots, and adding exceptions, the "cert8.db" gets corrupted, and I had to restore the file from backup (or delete it), which stated being annoying...
After importing the cert file into Chrome, I get a solid padlock beside the URL when logging into my router. When I import the cert into Firefox, I get the same as you do. Now when I use Kvics script and import the certs into Chrome or Firefox I get a solid padlock on both. Green for Firefox when logging into my router.
 
After importing the cert file into Chrome, I get a solid padlock beside the URL when logging into my router. When I import the cert into Firefox, I get the same as you do. Now when I use Kvics script and import the certs into Chrome or Firefox I get a solid padlock on both. Green for Firefox when logging into my router.
A lot, or too much work only to see a "solid padlock", couldn't care less if it works without bugging me. :)
But I do get a solid padlock in IE and Edge..
 
Status
Not open for further replies.

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top