IP Wan invalid for HTTPS certificate

Cometti

New Around Here
Hi,

My IP WAN is ok...

...but the Server Certificate shows my LOCAL IP like this:

Lookup is OK for DDNS:


Any idea to resolve this?!

Thanks
 
Hi,

My IP WAN is ok...

...but the Server Certificate shows my LOCAL IP like this:

Lookup is OK for DDNS:


Any idea to resolve this?!

Thanks
You left the domain un-redacted in the certificate screenshot btw
 
Since most users have a dynamic WAN IP, the IP isn't used in the certificate, only the DDNS hostname. If you want to access through the WAN, use the DDNS hostname instead. Otherwise, a new certificate would have to be created every time your WAN IP changed (which might be daily for some users).
 
Since most users have a dynamic WAN IP, the IP isn't used in the certificate, only the DDNS hostname. If you want to access through the WAN, use the DDNS hostname instead. Otherwise, a new certificate would have to be created every time your WAN IP changed (which might be daily for some users).

Thanks for the answer, but it's not me who chooses what will be generated in the certificate; it was the system itself that defined that IP.
How do I change the creation of the certificate to not be issued to the IP?

 
Thanks for the answer, but it's not me who chooses what will be generated in the certificate; it was the system itself that defined that IP.
How do I change the creation of the certificate to not be issued to the IP?

That's just the CN. Modern browsers mostly look at the content of the SAN field now, in the Extended x509 attributes:

That's where your DDNS hostname (the *.asuscomm.com one) is being added, so it will be considered as valid for the DDNS hostname.
 
Interesting, here it shows that too

But Google Chrome continues to show that the certificate is invalid

Internet Explorer and Firefox too

Any suggestion to fix?!
 
Any suggestion to fix?!

It's invalid because it's self-signed, as the error message indicates. This is perfectly normal. The only way to get rid of the error message is to manage your own CA. You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.

Just ignore it. It's perfectly secure, your browser is simply telling you it doesn't recognize who emitted that certificate.
 
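The two points made above are separate checks a browser runs: the CN-versus-SAN post explains why the LAN IP in the CN does not matter once a SAN is present, and the self-signed post explains why the warning stays even when the hostname matches. As an added example (not code from Asus firmware or from any poster in this thread), the Python below evaluates a certificate the way a browser does: hostname against the SAN, issuer trust, and remaining validity. The certificates are dictionaries constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, so a real one can be dropped in; the hostnames, issuer name and dates are placeholders.

```python
"""Browser-style checks on a server certificate: hostname vs. SAN (the CN is
ignored once any SAN is present), self-signed issuer, and days to expiry.
Added example; certificates below are constructed, getpeercert()-shaped dicts."""

import ipaddress
import ssl
import time


def make_cert(cn, issuer_cn, sans, not_after):
    """Build a getpeercert()-shaped dict (constructed data for this example)."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "subjectAltName": tuple(sans),
        "notAfter": not_after,
    }


# Modelled on the thread: CN holds the LAN IP, the SAN holds only the DDNS
# hostname, and issuer == subject (self-signed). Placeholder hostname/dates.
ROUTER_CERT = make_cert("192.168.1.1", "192.168.1.1",
                        [("DNS", "myrouter.asuscomm.com")],
                        "Jul 17 23:59:59 2020 GMT")

# A CA-issued certificate for an owned domain (placeholder issuer and dates).
CA_ISSUED_CERT = make_cert("router.example.com", "Example CA (placeholder)",
                           [("DNS", "router.example.com")],
                           "Oct 17 00:00:00 2019 GMT")

# Fixed "now" so results are reproducible: the day the thread was posted.
NOW = ssl.cert_time_to_seconds("Jul 19 12:00:00 2019 GMT")


def _rdn_value(name_seq, key):
    """First value for `key` in a getpeercert() subject/issuer tuple of RDNs."""
    for rdn in name_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _dns_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a wildcard is allowed only as
    the whole leftmost label and never spans a dot or matches a bare TLD."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert, hostname):
    """True if the certificate covers `hostname`. With any SAN present the CN
    is ignored; the CN fallback applies only to SAN-less certificates (and
    Chrome dropped even that fallback in version 58)."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if kind == "DNS" and wanted_ip is None and _dns_matches(value, hostname):
                return True
            if kind == "IP Address" and wanted_ip is not None:
                try:
                    if ipaddress.ip_address(value) == wanted_ip:
                        return True
                except ValueError:
                    continue
        return False
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if cn is None:
        return False
    if wanted_ip is not None:
        try:
            return ipaddress.ip_address(cn) == wanted_ip
        except ValueError:
            return False
    return _dns_matches(cn, hostname)


def is_self_signed(cert):
    """Issuer equal to subject means nobody in the browser's trust store
    vouches for it, hence the warning even when the hostname matches."""
    return cert.get("issuer") == cert.get("subject")


def days_until_expiry(cert, now=None):
    """Days left on the certificate (negative once expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def explain(cert, hostname, now=None):
    """List the reasons a browser would warn for this cert and hostname."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname not in SAN")
    if is_self_signed(cert):
        problems.append("self-signed issuer")
    if days_until_expiry(cert, now) < 0:
        problems.append("expired")
    return problems


if __name__ == "__main__":
    for host in ("myrouter.asuscomm.com", "192.168.1.1"):
        print(host, explain(ROUTER_CERT, host, NOW))
```

Run against the constructed router certificate, the DDNS hostname is reported as matching (only the self-signed issuer remains), while the LAN IP fails hostname matching because the SAN is present and contains no IP entry; what the CN says is irrelevant in both cases.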
It's invalid because it's self-signed, as the error message indicates. This is perfectly normal. The only way to get rid of the error message is to manage your own CA. You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.

Just ignore it. It's perfectly secure, your browser is simply telling you it doesn't recognize who emitted that certificate.

Alright... Thx for the explanation!
 
It's invalid because it's self-signed, as the error message indicates. This is perfectly normal. The only way to get rid of the error message is to manage your own CA. You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.
I still like the idea of using Let's Encrypt.

What if one owns a domain and redirects router.domain.com to hostname.asuscomm.com, would that prevent throttling?

However, one still needs to enable web access from WAN to let either of those URLs actually open the router page? (So a No-Go?!)
 
You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.

This is why I prefer to let Pixelserv generate the Cert.
 
What if one owns a domain and redirects router.domain.com to hostname.asuscomm.com, would that prevent throttling?

As long as the acme client requests for your own domain, you'd be fine. You could then create a CNAME within your domain that will point to the asuscomm DDNS entry - that is how I have things set up myself (but with a different DDNS provider than Asus).

That will require you to configure things manually tho, as the router client would request using the DDNS domain.
 
This is why I prefer to let Pixelserv generate the Cert.

I use XCA to manage my own CA, that way I can have recognized certificates on every single device I have (including the 6-7 routers I routinely use for development purposes).
 
As long as the acme client requests for your own domain, you'd be fine. You could then create a CNAME within your domain that will point to the asuscomm DDNS entry - that is how I have things set up myself (but with a different DDNS provider than Asus).

That will require you to configure things manually tho, as the router client would request using the DDNS domain.
I use Cloudflare's free DNS for my own domain (purchased), and use DDNS from the router to dns-o-matic to update the A record for it. Works quite nicely for my needs!
 
But what about this part?

However, one still needs to enable web access from WAN to let either of those URLs actually open the router page?

Reason for asking: when I type https://hostname.asuscomm.com:8443 in my browser the web GUI does not open (https://192.168.1.1:8443 does), unless I enable remote web access from WAN (which I would like to prevent); even on my local network.

(I'm OK-ish with manually updating the certificate every 90 days, or finding a way to automate that)
 
I don't know the details of Asus's implementation for validation, libletsencrypt is closed source.
 
I don't know the details of Asus's implementation for validation, libletsencrypt is closed source.
I don't think I need that (when "manually" getting the Let's Encrypt certificates)?
  1. A CNAME record in the DNS settings of my domain is set to redirect router.domain.com to hostname.asuscomm.com
  2. External traffic on port 80 of the router is forwarded to a Raspberry Pi (for certbot)
  3. On this Pi I run certbot ("standalone") to generate a certificate and key for router.domain.com
  4. I upload the generated certificate and key on the admin page of the router
When I enable web access from WAN this setup actually works: a green lock when I surf to https://router.domain.com:8443; a secure connection verified by Let's Encrypt.

However, I thought it was strongly discouraged to enable web access from WAN due to security concerns?

Do you guys really enable this, or do you use another way to get this to work? If so, how?
 
I don't think I need that (when "manually" getting the Let's Encrypt certificates)?
  1. A CNAME record in the DNS settings of my domain is set to redirect router.domain.com to hostname.asuscomm.com
  2. External traffic on port 80 of the router is forwarded to a Raspberry Pi (for certbot)
  3. On this Pi I run certbot ("standalone") to generate a certificate and key for router.domain.com
  4. I upload the generated certificate and key on the admin page of the router
When I enable web access from WAN this setup actually works: a green lock when I surf to https://router.domain.com:8443; a secure connection verified by Let's Encrypt.

However, I thought it was strongly discouraged to enable web access from WAN due to security concerns?

Do you guys really enable this, or do you use another way to get this to work? If so, how?
I run LetsEncrypt in a Docker container and use DNS verification via the cloudflare plugin: https://hub.docker.com/r/linuxserver/letsencrypt/
 
@Jack Yaz Thank you for providing another option to do this.

But my main question to any of you: do you enable web access to WAN on the router?

If not, how can you use the (external) domain URL to access the router GUI (on your local network)?
 
