pixelserv Enabling SSL for WebUI - Stuck (sorry!)

[TexasDave]

Hello,

I upgraded my systems this weekend to the latest version of Merln and am now trying to do the next phase of getting back to where I was at.

I was under the impression that if I installed the complete Diversion, I would get pixelserv-tls. I can see that I do have pixelserv-tls and can see both the following active:

192.168.1.2/servstats
192.168.1.2/ca.crt

When I go to 192.168.1.2/ca.crt - I am able to download my cert.

I believe I can then use the "ps" command in amtm to enable SSL in the Web GUI?

The old script and the script now in amtm say:

"Before you proceed, pls have pixelserv-tls installed and running. You shall also have your Pixelserv CA cert imported on a test client."

pixelserv-tls installed and running (see above)

But I cannot seem to import the Pixelserv CA cert imported on a test client?

The instructions are here to import the cert and I have tried on Firefox, Chrome and Edge:

https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

• On Firefox - when I go to 192.168.1.2/ca.crt I do not get a "popup"....
• For Chrome and Edge all looks to work but I cannot get the SSL to work.

Questions

• On this page - do we ignore the items at the top and just use these instructions to add the cert to the browser?
• Do we need to do anything in the WebUI? There is a section to install certs in the ADVANCED/WAN/DDNS? And to use http/https/both in ADVANCED/Adminstration/System? Or leave all of this be?
• Running the ps script in amtm goes fine but I do not see the "lock" in any of the browsers

I have blown away Diversion and reset my USB a few times trying various things and while I see folks do have issues here - it seems that there must be a "standard" way of getting SSL to work on the WebUI? The issue is it seems to have changed over the years so I am afraid I am mixing items up?

Is there a post or a pointer in the best way to enable SSL in the WEB GUI in 2021? I am happy to delete Diversion. reformat my USB and start again?

Or is there some place I can look to understand why I cannot get my certs imported into my clients? That seems to be the main issue.

Thanks!

 

[pdc]

What kind of client do you have? I found I needed different instructions on Linux for example, and yes Firefox is tricky (I think newer versions require different steps).

If you can access https://<pixelserv ip>/servstats from the client with no issues, your pixelserv and client certs are working.

For the Web UI I had problems getting the amtm script to work as well. Here are my notes on what worked for me (replace <router> with your router IP or hostname):

# echo -n "<router>" > /tmp/pixelcerts
# cd /opt/var/cache/pixelserv
# cp <router> /etc/cert.pm
# cp <router> /etc/key.pm
# cp <router> /jffs/.cert/cert.pem
# cp <router> /jffs/.cert/key.pem
# service restart_httpd

I believe I also needed to mess around with the configuration at the WAN -> DDNS page using the above public/private keys, but unfortunately I didn't keep my notes for that part. It looks like this now:

Status : Active
Issued to : <router>
SAN :
Issued by : Pixelserv CA
Expires on : 2022/8/11

As a side note, I use 443 for the web port so I can just use https, though for that to work I needed to change the AiCloud port to something else in AiCloud settings since it uses 443 by default (even though I don't use AiCloud).

 

[TexasDave]

@pdc - thank you for taking the time to try to help me!