Certificate server RT-AC68U SAN in certificate


alpha45

Hello,
I installed the new firmware, Merlin 384.17.
Is it normal that the SAN of the server certificate in the DDNS appears as it does in the image?
SAN: 192.168.2.1 router.asus.com RT-AC68U-BE68 RT-AC68U-BE68
If necessary, how is it possible to reset it?
And is it normal that the state is always: Updating ...?
Thank you.

 
Hi,

Since you selected to use Free Certificate from Let's Encrypt, the SAN should be your DDNS Host name, the one you blurred out in the picture. However, I think you need to do as I said in this post: LetsEncrypt Cert Stopped Updating? to get a new certificate that has that SAN.

Alternatively, you can select Import/Persistent Auto-generated and set SANs there.
 
Hi,
I had already done it and the result is this. Is the SAN name correct?
Can I leave it like this?
I tried with ssh, but it gives me access refused on port 22!
Thank you.

 
Hi,

The certificate in this section is used only when you access your router's WebUI using the https protocol.
It authenticates the device you are trying to connect to and encrypts the traffic between it and the device you use to connect from.

A little bit of theory:
- operating systems, as well as web browsers, have lists of trusted certificates and certificate authorities (CA);
- if the web page you are trying to access uses a certificate from either of these lists and the address you are typing in the address field is contained in the SANs list of that certificate, then the web browser will grant you access to the page seamlessly (like going to https://www.google.com for example);
- if the web page uses a certificate that is not in the lists or the address is not in the SANs list then the web browser will warn you that the page you are trying to access is unsafe, but you can proceed to it anyway.
I had already done it and the result is this. Is the SAN name correct?
There are no correct or incorrect SANs, it's just a list of names.
Can I leave it like this?
Yes, there's nothing wrong with this configuration.
I tried with ssh, but it gives me access refused on port 22!
You can enable SSH under the Administration page, System tab, Service section.

What is it that you are trying to do? Is there something specific or just poking around trying to learn?
 
Hi,

Is there something specific or just poking around trying to learn?

You never stop learning!
This is a screenshot with the previous firmware, and the name was different: RTA68U-BE68 was not repeated ... I will see if I have problems with Vol or with video surveillance.


Thank you
 
Hi,
You never stop learning!
Very true indeed.

As I said previously, this certificate is only used for accessing the router's WebUI using https protocol, so it shouldn't cause any problems.

As for the SANs, they are the local IP of the router (192.168.2.1 in your case), the Asus router discovery DNS name of router.asus.com which the router will resolve with its local IP, your router Host Name as set in LAN -> LAN IP (yours is set to RT-AC68U-BE68, which, by the way, was reset with asuswrt-merlin 384.14 version), and your DDNS Host Name as set in WAN -> DDNS.

I'm not sure about the doubling of the lan hostname however, do you have the Domain Name set the same as Host Name in LAN -> LAN IP?
 
I'm not sure about the doubling of the lan hostname however,

This is because Asus recently split that into two separate settings: computer_name. So if they are the same, then you will have a duplicate SAN.

This is already fixed in 384.18:

Code:
commit d9eba3898957d6c9f10bbfebb7ab3b919ee6e27d
Author: Eric Sauvageau <merlin@asuswrt-merlin.net>
Date:   Mon May 25 23:29:56 2020 -0400

    httpd: rework gencert.sh script responsible for generating web certificate
  
     - More closely aligned with Asus's own code
     - Revert back to 10 years duration, as the Safari limitation only
       targets certificates signed by one of the built-in CAs
     - Remove CommonName entries as modern browsers no longer use that
       field - only hardcode router's IP address as the sole CN.
     - Ensure that hostname and computer_name are not the same to avoid
       duplicate SANs
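
An added example, not part of the thread and not the project's gencert.sh: one way a certificate-generation script can assemble the subjectAltName value from the names listed above (router IP, router.asus.com, hostname, computer_name, DDNS name) while skipping empty and duplicate entries. The function names and the DDNS name are hypothetical, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (assumption: not taken from gencert.sh).

# is_ipv4 NAME: succeeds if NAME is a dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split into octets (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_san_list NAME...: prints an OpenSSL-style subjectAltName value.
# Empty arguments (unset settings) are skipped, and names that differ
# only in case are treated as duplicates because DNS names are
# case-insensitive. The first spelling seen is the one kept.
build_san_list() {
    seen=" "                  # space-delimited lowercase names already used
    san=""
    for name in "$@"; do
        [ -n "$name" ] || continue
        key=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case "$seen" in
            *" $key "*) continue ;;
        esac
        seen="$seen$key "
        if is_ipv4 "$name"; then
            entry="IP:$name"
        else
            entry="DNS:$name"
        fi
        san="${san:+$san,}$entry"
    done
    printf '%s\n' "$san"
}

# Constructed input mirroring the thread: hostname and computer_name are
# identical, and example.ddns.invalid stands in for the blurred DDNS name.
build_san_list "192.168.2.1" "router.asus.com" \
    "RT-AC68U-BE68" "RT-AC68U-BE68" "example.ddns.invalid"
```

The resulting string can be used as the value of `subjectAltName` in an OpenSSL extension section.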
 
