Firefox https connection

[SMS786]

This reminds me of a movement by the browser industry last year that all of them require SAN to be specified in the certificate. pixelserv-tls was updated to follow the industry's best practice as well.

Pls try the alternative method in my above post. That one should work. Briefly recap: if you use "router.asus.com" to access WebGUI, then put domain name as "router.asus.com" in the echo command. A cert with filename "router.asus.com" will be generated in /opt/var/cache/pixelserv.

Next open the certificate file, "router.asus.com" in a text editor. Extract the "BEGIN CERTIFICATE" section and save as "cert.pem" Extract the "BEGIN PRIVATE" section and save as "key.pem"

Finally repeat Step 1 in the original post. Use "cert.pem" in place of ca.crt and "key.pem" in place of ca.key in the instructions.

edit:
corrected typo in bold.

@kvic I followed your aforementioned directions to a T. Importing the cert to FF gives this error message:


The curious part is that the pixelserv WebUI cert generated with the exact some procedure earlier (with a different domain obviously) imported into FF just fine, resulting with the green padlock on the servstats page and all. I know this is a pretty generic error msg..but hope it adds some new light to the issue..

 

[kvic]

A quick update. So my method discussed in this thread has been sorted out and confirmed with @SMS786 and @Asad Ali offline.

Basically it's as good as 2yrs ago and still works on new FW.

Good news for pixelserv-tls users. You can simply re-use pixelserv-tls to issue a new cert to WebGUI after every FW upgrade. No more invalid cert prompts and import (for a good TEN years).

To automate the process, I offer pixelserv-tls users a script to get everything setup. Simply re-run the following one-liner after each FW upgrade:

sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/config-webgui.sh)"

The script will guide you through the process. Use your own Pixelserv CA certificate (that yourself or AB-Solution generated upon installation) to issue and configure a new cert for WebGUI.

Here is the output of a successful run: https://pastebin.com/AyF9Q7Km

The script is initial release. Though I tried my best to test it thoroughly, it might contain glitches that I didn't run into in those tests.

Happy pixelserv'ing.

 

[Figaro]

When I try to connect to the router AC87U with Firefox https, Firefox warns about the certificate, as before, but this time I cannot proceed when I make the exemption. The connection is closed when I use "admin" and password. The AC87U has the latest software from Merlin.

Yes, I need some good advice.

Regards
Frost

I had this problem with my RT-AC68 and couldn't get the certificate working. Somewhere I found the following solution. I'm no expert but I am curious if this is a bad idea and would like any comments:

Under Administration/System/Web Interface
My login is what you see in the config with "/Main_Login.asp" appended to it, no quotes of course.

 

[XIII]

If you want to do it manually with separate certificates/keys:

https://www.snbforums.com/threads/b...eta-is-now-available.39854/page-4#post-332867

Still I think @kvic’s pixelserv script is much better (for most users?).

 

[Billy Chaney]

For pixelserv-tls users (any version..as old as 2.5 yrs ago also works), there is an easy way out in two steps:

Step 1: Import Pixelserv CA (generated by yourself) into Firefox. This should already be done. Otherwise, instructions here.

Step 2: Simply re-use the Pixelserv CA certificate for WebGUI. Instruction is here.

Alternatively, you may also use your Pixelserv CA to issue a distinct certificate to router's WebGUI by using pixelserv-tls. Assume your router's domain is "router.asus.com". Then

echo -n "router.asus.com" > /tmp/pixelcerts

Find your newly issued certificate named "_.asus.com" under /opt/var/cache/pixelserv. Now use this file and repeat Step 2 above.

Happy pixelserv'ing!

edit:

@thelonelycoder: there is potential to add this feature to your easy-to-use AMTM script

I used the alternate code but it doesn't put any crts in my pixelserv folder. There is nothing there.

 

[Billy Chaney]

I used the alternate code but it doesn't put any crts in my pixelserv folder. There is nothing there.

Ok, I got the router.asus.com file. But I can't figure out how to extract and save it in a text editor. It seems the editors only wants to save the extracts in txt file format.

 

[kvic]

Ok, I got the router.asus.com file. But I can't figure out how to extract and save it in a text editor. It seems the editors only wants to save the extracts in txt file format.

There is an update in this thread you missed. Now pixelserv-tls users simply have to run the one-liner script in post #22.

 

[Billy Chaney]

There is an update in this thread you missed. Now pixelserv-tls users simply have to run the one-liner script in post #22.

Got it, thanks for the reply. It works now. Have a green padlock.

 

[Billy Chaney]

A quick update. So my method discussed in this thread has been sorted out and confirmed with @SMS786 and @Asad Ali offline.

Basically it's as good as 2yrs ago and still works on new FW.

Good news for pixelserv-tls users. You can simply re-use pixelserv-tls to issue a new cert to WebGUI after every FW upgrade. No more invalid cert prompts and import (for a good TEN years).

To automate the process, I offer pixelserv-tls users a script to get everything setup. Simply re-run the following one-liner after each FW upgrade:

sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/config-webgui.sh)"

The script will guide you through the process. Use your own Pixelserv CA certificate (that yourself or AB-Solution generated upon installation) to issue and configure a new cert for WebGUI.

Here is the output of a successful run: https://pastebin.com/AyF9Q7Km

The script is initial release. Though I tried my best to test it thoroughly, it might contain glitches that I didn't run into in those tests.

Happy pixelserv'ing.

You know, last night I ran the script and everything was working great. I had a green padlock. I have the router scheduled to reboot everyday at 05:00, and that messed everything up. I'm no long getting a green padlock. The lock says "Connection not Secure". I tried everything. I ran the script again, I re installed pixelserv-tls and ran the script again. No luck, it's not working.

 

[Billy Chaney]

You know, last night I ran the script and everything was working great. I had a green padlock. I have the router scheduled to reboot everyday at 05:00, and that messed everything up. I'm no long getting a green padlock. The lock says "Connection not Secure". I tried everything. I ran the script again, I re installed pixelserv-tls and ran the script again. No luck, it's not working.

Ok, all is working good again. I rebooted, reloaded Pixelserv CA, and ran the script again. Then all worked

 

[kvic]

Ok, all is working good again. I rebooted, reloaded Pixelserv CA, and ran the script again. Then all worked

Good observation, and thanks for reporting.

If you read this thread, you would know that my FW experience stops at 380.66. Looks like after you run the script first time, the new certificate is not persisted to permanent storage in newer FW > 380.66.

I've made a small enhancement to the script (now v0.1.1) and should have fixed this issue.

When you get the time, could you re-run the script, then reboot and see if everything works fine?

Note that by design you're not expected to re-run this script after every reboot. Only required after a complete FW upgrade i.e. both NVRAM and /jffs are erased.

edit:

Latest content of this post is available on GitHub wiki: [ASUSWRT] Use Pixelserv CA to issue a certificate for WebGUI

 

[Billy Chaney]

Good observation, and thanks for reporting.

If you read this thread, you would know that my FW experience stops at 380.66. Looks like after you run the script first time, the new certificate is not persisted to permanent storage in newer FW > 380.66.

I've made a small enhancement to the script (now v0.1.1) and should have fixed this issue.

When you get the time, could you re-run the script, then reboot and see if everything works fine?

Note that by design you're not expected to re-run this script after every reboot. Only required after a complete FW upgrade i.e. both NVRAM and /jffs are erased.

I did what you advised and I keep getting an unsecured connection when I try to log into asuswrt. I created a new Pixelserv-tls CA and that didn't work either.

 

[kvic]

I did what you advised and I keep getting an unsecured connection when I try to log into asuswrt. I created a new Pixelserv-tls CA and that didn't work either.

With much checkout and inputs from @Billy Chaney, we sort out the issue and fixed in the script (v0.1.2).

Everything stays after reboot and just works.

A reminder to new FW (>380.66) users: you're only required to re-run this script after a FW upgrade and done a factory reset (where both NVRAM and /jffs are erased).

 

[Billy Chaney]

With much checkout and inputs from @Billy Chaney, we sort out the issue and fixed in the script (v0.1.2).

Everything stays after reboot and just works.

A reminder to new FW (>380.66) users: you're only required to re-run this script after a FW upgrade and done a factory reset (where both NVRAM and /jffs are erased).

I really appreciate the help you gave me. The script works perfect.

 

[eclp]

Excuse me, a noob question: would such an install script also be possible for OpenWrt to use the pixelserv certificate?

 

[kvic]

would such an install script also be possible for OpenWrt to use the pixelserv certificate?

config-webgui.sh is created for ASUSWRT. Hence, as-is it won't work for OpenWRT. It won't be difficult to adapt for OpenWRT though.

The bigger problem is I'm not aware of a pixelserv-tls package on OpenWRT. I highly recommend OpenWRT users to advocate use of pixelserv-tls or even create a OpenWRT package. Also express your desire or talk to the OpenWRT adblock package maintainer on their forum to optionally support redirection of adverts to pixelserv-tls.

 

[eclp]

Thank you for your reply!

I will formulate such a request in the Forum in a timely manner. At the same time, I would like to thank you once again for your incredibly great work!

 

[Butterfly Bones]

Here is a heads up from RMerlin on known Firefox issues that might provide info.
https://www.snbforums.com/threads/r...-4-is-now-available.45406/page-17#post-391505

 

[Billy Chaney]

With much checkout and inputs from @Billy Chaney, we sort out the issue and fixed in the script (v0.1.2).

Everything stays after reboot and just works.

A reminder to new FW (>380.66) users: you're only required to re-run this script after a FW upgrade and done a factory reset (where both NVRAM and /jffs are erased).

Hey kvic, the script is not working with 384.5_beta1. Is there anything you can do to help me with this. Thanks for any help.

 

[kvic]

Hey kvic, the script is not working with 384.5_beta1. Is there anything you can do to help me with this. Thanks for any help.

Any error messages or symptoms in detail?

I don't run Merlin FW. But I can take a look at the script later today.