AX 88U how to fix / update ssl certificate error

QuozL

Occasional Visitor
Looking for advice on how to update / fix the SSL certificate with my AX88U running Merlin 386.8

Today I went to log in to https://router.asus.com:8443/Main_Login.asp and got a Chrome warning the certificate was invalid.

I set up the 88U with SSL around 10 months ago if I remember correctly and I saved a copy of the certificate in a folder I keep all my router stuff in and upon checking it it says it is valid until 05/05/2028 so I've no idea why I'm getting the invalid certificate error from Chrome. Checked on another PC and got the login certificate error there as well.

I was able to log in by bypassing the advanced security feature in Chrome and entering the IP of the router and once logged in went to the Admin section and changed the Local Access Config login method to HTTP from HTTPS. The router doesn't have remote access enabled and I don't need to access it remotely so I'm fairly confident I'm as safe as I can be.

Anyway, ideally I would like to be able to update / fix the certificate and re-enable https access but I'm buggered if I can figure out how to do that. If I try and re-enable https access will I be locked out of the router?

I tried changing it back to https to create a new one but wasn't keen on clicking apply and getting logged out and not being able to get back in so I don't get an Export button to export a new certificate as per these instructions https://www.asus.com/us/support/FAQ/1034294 and I'm also unsure if you can just create and install a new certificate over an old one.

As I said I have a copy of the original certificate I created so I could just click on install and reinstall it if that will work.

I'm also not averse to just running it in HTTP mode as like I said I don't need to access it remotely.

Finally in the Administration/System/Local Access Config/Authentication section I can choose between HTTP, HTTPS and Default. Can anyone advise what type of Authentication is enabled if you select Default? Is it both HTTP and HTTPS when using Default? If it is I could enable that and at least be able to get back in if reinstalling the original certificate doesn't work?

Any help / advice on how to move forward appreciated.

Cheers QuozL
 
You're not really as safe as you may think. Consider updating to 386.7_2 first, before tackling that certificate issue.
 
@QuozL Your post still has the embedded links to your original whirlpool post: https://forums.whirlpool.net.au/thread/3272x4m9?p=105#r2094

Enable both HTTP and HTTPS (as shown in the FAQ), that way if you have problems after setting up the certificate you can always get in via HTTP. You can always disable HTTP once it's working.

Yes you can overwrite the old certificate with the new one. Once you've installed the new certificate you can delete the old one from the PC.
 
I tried to set up https on my AX86U... asus firmware... I know, not related. Using the export the certificate from the adminUI and import to my browser (chrome).

Trying to connect https on 8443 it doesn't like the asus certificate ..given from the firmware? It does not look like something chrome and firefox should like:

NET::ERR_CERT_INVALID from chrome.

MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY from firefox.

Common Name (CN) router.asus.com
Organization (O) <Not Part Of Certificate>
Organizational Unit (OU) <Not Part Of Certificate>
Issued On Saturday, May 5, 2018 at 1:05:16 AM
Expires On Friday, May 5, 2028 at 1:05:16 AM

For all the diagrams and arrows asus has for the procedure it was basically saying put the asus exported certificate in as a trusted authority... chrome would not have it and gave encryption errors on the exception, firefox allowed the exception going forward but marks it insecure in the browser bar.
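
The Firefox error quoted in the post above refers to a certificate that is marked as a CA but is presented by the web server itself, and that property can be read straight out of the certificate file. As an added example (not part of the original thread, and not ASUS or Merlin code), the script below uses the `openssl` CLI to generate two constructed test certificates and checks each for the CA flag, for a mismatch with the name or IP typed into the browser, and for expiry; `make_cert` and `audit_cert` are hypothetical helper names.

```shell
#!/bin/sh
# All certificates here are constructed test data, generated locally.
WORK=$(mktemp -d)

# make_cert <name> <basicConstraints value> [subjectAltName value]
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = router.asus.com
[ext]
basicConstraints = critical,$2
${3:+subjectAltName = $3}
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# audit_cert <pem> <hostname-or-IPv4>: prints findings, or "ok"
audit_cert() {
    findings=""
    # A certificate marked as a CA but presented by the web server itself
    if openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"; then
        findings="$findings ca-as-leaf"
    fi
    # Does the address typed into the browser appear in the certificate?
    # (openssl falls back to the CN when there is no SAN.)
    case $2 in *[!0-9.]*) flag=-checkhost ;; *) flag=-checkip ;; esac
    if ! openssl x509 -in "$1" -noout "$flag" "$2" | grep -q "does match"; then
        findings="$findings name-mismatch"
    fi
    # Expired according to this machine's clock?
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        findings="$findings expired"
    fi
    echo ${findings:-ok}   # unquoted on purpose: trims the leading space
}

make_cert ca_style "CA:TRUE"
make_cert leaf "CA:FALSE" "DNS:router.asus.com,IP:192.168.1.1"
for c in ca_style leaf; do
    for n in router.asus.com 192.168.1.1; do
        echo "$c $n: $(audit_cert "$WORK/$c.pem" "$n")"
    done
done
```

To check a certificate exported from a router, pass the extracted `cert.pem` and the address used in the browser to `audit_cert` instead of the generated files.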
 
That's an interesting thing... the date... I'll check it again. I have a yellow warning by the time zone in the firmware but it looks correct with my computer which is correct.
 
@QuozL Your post still has the embedded links to your original whirlpool post: https://forums.whirlpool.net.au/thread/3272x4m9?p=105#r2094

Enable both HTTP and HTTPS (as shown in the FAQ), that way if you have problems after setting up the certificate you can always get in via HTTP. You can always disable HTTP once it's working.

Yes you can overwrite the old certificate with the new one.
Thanks Colin, removed the embedded whirlpool part to the links.

I'm assuming to enable both HTTP and HTTPS I select Default from the drop down in the Administration/System/Local Access Config/Authentication section, as I don't have a BOTH option in that drop down where the FAQ says to select it.

Cheers
 
I'm assuming to enable both HTTP and HTTPS I select Default from the drop down in the Administration/System/Local Access Config/Authentication section, as I don't have a BOTH option in that drop down where the FAQ says to select it.
That's strange. Yes that's the place but I've never seen a "Default" option there.

Looking at the source code it looks like "BOTH" is called "Default" for regions AA and SG.
 
That's strange. Yes that's the place but I've never seen a "Default" option there.

Looking at the source code it looks like "BOTH" is called "Default" for regions AA and SG.
No worries I'll change it to Default and then recreate the certificate and try and login using HTTPS and see if that works, at least if it doesn't I can still get in using HTTP.

No idea about the region thing, I bought the router from uMart here in Brisbane so would assume it's Australian stock.

Cheers for the help
 
That's strange. Yes that's the place but I've never seen a "Default" option there.

Looking at the source code it looks like "BOTH" is called "Default" for regions AA and SG.
Colin which section should I create the certificate from in the attached image?

If I select "Local Access Config" and then choose "click here to manage" it takes me to the WAN DDNS page where I can generate a cert but it creates cert.pem and key.pem files where previously when I first set up HTTPS access in January the cert created was a cert.crt

Should I be selecting Export under the Service section and creating the key there as that one does create a cert.crt file ?
 
Go to the WAN DDNS page and set Generate a new certificate to Yes and Apply. Then Export the new certificate. Extract the cert.pem file and import it into your PC.

cert.pem and cert.crt are copies of the same file. When you export the SSH certificate it calls it cert.crt. :confused: So you can change the extension to .crt to make things easier if you want to.

Correction to my previous post: When you install the new certificate it doesn't overwrite the old one. You have to remove the old one manually.

 
Can't get it to work, no idea wtf I am doing wrong, copied instructions exactly, exported cert_key.tar from the router, extracted it and opened certmgr and imported cert.pem to Trusted Certification Authorities / Certificates. Said it imported correctly but if I open certmgr I have no cert for 192.168.1.1, the only cert I have that is related is router.asus.com with an expiration date of 5/5/28

If I try and enable https / both on the router I get invalid certificate msg still from chrome so it obviously hasn't worked.

Not sure if something has been changed with the latest version of Chrome or the latest 386.8 firmware but haven't had an issue with HTTPS since enabling it in January. Most recent login to router successfully using HTTPS would have been last week until today when this cert error manifested itself. Anyway not going to waste any more of your time, I'll leave it as HTTP for now as I said previously external access is disabled and the router is only at home so no one else has access to the network. Appreciate your help, it's got me stumped.

Cheers QuozL
 
Thanks, @QuozL.

No worries, a swing and a miss. That won't stop me from continuing to try.
 
@QuozL

Had same problem with Chrome but not MS Edge. Seems to be a recent change to Chrome and a temporary solution is available here https://support.google.com/chrome/a...d-in-chrome-but-not-in-edge-chromium?hl=en-au

The reason for the change in Chrome is here https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md
Thanks @lepicane, appreciate the info, at least we know now what is causing the issue. I'll stick with just using HTTP for now as I have remote access disabled anyway and only access the router from my internal network. Hopefully Chrome fix the issue going forward.

Cheers
 