What's new

Certificate server RT-AC68U San in certificate

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

alpha45

Regular Contributor
Hello,
I installed the new fw. Merlin 384.17.
Is it normal the San of the server certificate in the DDNS as it appears in the image?
SAN: 192.168.2.1 router.asus.com RT-AC68U-BE68 RT-AC68U-BE68
Eventually how is it possible to reset it?
And that the state is always: Updating ...
I thank.

Cattura.PNG
 
Last edited:
Hi,

Since you selected to use Free Certificate from Let's Encrypt, the SAN should be your DDNS Host name, the one you blurred out in the picture. However, I think you need to do as I said in this post: LetsEncrypt Cert Stopped Updating? to get a new certificate that has that SAN.

Alternatively, you can select Import/Persistent Auto-generated and set SANs there.
upload_2020-6-21_17-34-28.png
 
Hi,
I had already done it and the result is this, is the name SAN correct?
Can I leave it like this?
I tried with ssh, but it gives me access refused on port 22!
I thank

Cattura.PNG
 
Hi,

The certificate in this section is used only when you access your router's WebUI using the https protocol.
It authenticates the device you are trying to connect to and encrypts the traffic between it and the device you use to connect from.

A little bit of theory:
- operating systems, as well as web browsers, have lists of trusted certificates and certificate authorities (CA);
- if the web page you are trying to access uses a certificate from either of these lists and the address you are typing in the address field is contained in the SANs list of that certificate, then the web browser will grant you access to the page seamlessly (like going to https://www.google.com for example);
- if the web page uses a certificate that is not in the lists or the address is not in the SANs list then the web browser will warn you that the page you are trying to access is unsafe, but you can proceed to it anyway.
I had already done it and the result is this, is the name SAN correct?
There is no correct or incorrect SANs, it's just a list of names.
Can I leave it like this?
Yes, there's nothing wrong with this configuration.
I tried with ssh, but it gives me access refused on port 22!
You can enable SSH under Administration page, System tab, Service section.

What is it that you are trying to do? Is there something specific or just poking around trying to learn?
 
Hi,

Is there something specific or just poking around trying to learn?

You never stop learning!
This is a screenshot with previous firmware and the name was different was not repeated RTA68U-BE68 ... I will see if I have problems with Vol or with video surveillance.
16.png


Thank you
 
Hi,
You never stop learning!
Very true indeed.

As I said previously, this certificate is only used for accessing the router's WebUI using https protocol, so it shouldn't cause any problems.

As for the SANs, they are the local IP of the router (192.168.2.1 in your case), the Asus router discovery DNS name of router.asus.com which the router will resolve with its local IP, your router Host Name as set in LAN -> LAN IP (yours is set to RT-AC68U-BE68, which, by the way, was reset with asuswrt-merlin 384.14 version), and your DDNS Host Name as set in WAN -> DDNS.

I'm not sure about the doubling of the lan hostname however, do you have the Domain Name set the same as Host Name in LAN -> LAN IP?
 
I'm not sure about the doubling of the lan hostname however,

This is because Asus recently split that into two separate settings: computer_name. So if they are the same, then you will have a duplicate SAN.

This is already fixed in 384.18:

Code:
commit d9eba3898957d6c9f10bbfebb7ab3b919ee6e27d
Author: Eric Sauvageau <merlin@asuswrt-merlin.net>
Date:   Mon May 25 23:29:56 2020 -0400

    httpd: rework gencert.sh script responsible for generating web certificate
  
     - More closely aligned with Asus's own code
     - Revert back to 10 years duration, as the Safari limitation only
       targets certificates signed by one of the built-in CAs
     - Remove CommonName entries as modern browsers no longer use that
       field - only hardcode router's IP address as the sole CN.
     - Ensure that hostname and computer_name are not the same to avoid
       duplicate SANs
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top