What's new

IP Wan invalid for HTTPS certificate

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Cometti

New Around Here
Hi,

My IP WAN is ok...

61487036-4e39e780-a97b-11e9-9f98-dbdfef6681a7.png


...but the Server Certificate shows my LOCAL IP like this:
upload_2019-7-18_17-28-50.png


Lookup its ok for DDNS:


Any idea to resolve this?!

Thanks
 
Last edited:
Hi,

My IP WAN is ok...

61487036-4e39e780-a97b-11e9-9f98-dbdfef6681a7.png


...but the Server Certificate shows my LOCAL IP like this:

Lookup its ok for DDNS:


Any idea to resolve this?!

Thanks
You left the domain un-redacted in the certificate screenshot btw
 
Last edited:
Since most users have a dynamic WAN IP, the IP isn't used in the certificate, only the DDNS hostname. If you want to access through the WAN, use the DDNS hostname instead. Otherwise, a new certificate would have to be created every time your WAN IP changed (which might be daily for some users).
 
Since most users have a dynamic WAN IP, the IP isn't used in the certificate, only the DDNS hostname. If you want to access through the WAN, use the DDNS hostname instead. Otherwise, a new certificate would have to be created every time your WAN IP changed (which might be daily for some users).

Thanks for the answer, but it's not me who chooses what will be generated in the certificate, it was the system itself that defined that IP
How do I change the creation of the certificate to not be issued to the IP?

upload_2019-7-19_7-54-32.png
 
Thanks for the answer, but it's not me who chooses what will be generated in the certificate, it was the system itself that defined that IP
How do I change the creation of the certificate to not be issued to the IP?

View attachment 18669

That's just the CN. Modern browsers mostly look at the content of the SAN field now, in the Extended x509 attributes:

upload_2019-7-19_9-54-26.png


That's where your DDNS hostname (the *.asuscomm.com one) is being added, so it will be considered as valid for the DDNS hostname.
 
Interesting, here it shows that too
upload_2019-7-19_11-25-44.png


But Google Chrome continues to show that the certificate is invalid

upload_2019-7-19_11-27-28.png


Internet Explorer and Firefox too

upload_2019-7-19_11-29-6.png


upload_2019-7-19_11-31-32.png


Any suggestion to fix?!
 
Any suggestion to fix?!

It's invalid because it's self-signed, as the error message indicates. This is perfectly normal. The only way to get rid of the error message is to manage your own CA. You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.

Just ignore it. It's perfectly secure, your browser is simply telling you it doesn't recognize who emitted that certificate.
 
It's invalid because it's self-signed, as the error message indicates. This is perfectly normal. The only way to get rid of the error message is to manage your own CA. You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.

Just ignore it. It's perfectly secure, your browser is simply telling you it doesn't recognize who emitted that certificate.

Alright... Thx for the explanation!
 
It's invalid because it's self-signed, as the error message indicates. This is perfectly normal. The only way to get rid of the error message is to manage your own CA. You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.
I still like the idea of using Let's Encrypt.

What if one owns a domain and redirects router.domain.com to hostname.asuscomm.com, would that prevent throttling?

However, one still needs to enable web access from WAN to let either of those URLs actually open the router page? (So a No-Go?!)
 
You could go with Let's Encrypt, but it's very unreliable on a router because of the large number of users within the asuscomm.com domain, causing renewals to randomly fail/be throttled.

This is why I prefer to let Pixelserv generate the Cert.
 
What if one owns a domain and redirects router.domain.com to hostname.asuscomm.com, would that prevent throttling?

As long the acme client requests for your own domain, you'd be fine. You could then create a CNAME within your domain that will point to the asuscomm DDNS entry - that is how I have things setup myself (but with a different DDNS provider than Asus).

That will require you to configure things manually tho, as the router client would request using the DDNS domain.
 
This is why I prefer to let Pixelserv generate the Cert.

I use XCA to manage my own CA, that way I can have recognized certificates on every single device I have (including the 6-7 routers I routinely use for development purposes).
 
As long the acme client requests for your own domain, you'd be fine. You could then create a CNAME within your domain that will point to the asuscomm DDNS entry - that is how I have things setup myself (but with a different DDNS provider than Asus).

That will require you to configure things manually tho, as the router client would request using the DDNS domain.
I use Cloudflare's free DNS for my own domain (purchased), and use DDNS from the router to dns-o-matic to update the A record for it. Works quite nicely for my needs!
 
But what about this part?

However, one still needs to enable web access from WAN to let either of those URLs actually open the router page?

Reason for asking: when I type https://hostname.asuscomm.com:8443 in my browser the web GUI does not open (https://192.168.1.1:8443 does), unless I enable remote web access from WAN (which I would like to prevent); even on my local network.

(I'm OK-ish with manually updating the certificate every 90 days, or finding a way to automate that)
 
I don't know the details of Asus's implementation for validation, libletsencrypt is closed source.
 
I don't know the details of Asus's implementation for validation, libletsencrypt is closed source.
I don't think I need that (when "manually" getting the Let's Encrypt certificates)?
  1. A CNAME record in the DNS settings of my domain is set to redirect router.domain.com to hostname.asuscomm.com
  2. External traffic on port 80 of the router is forwarded to a Raspberry Pi (for certbot)
  3. On this Pi I run certbot ("standalone") to generate a certificate and key for router.domain.com
  4. I upload the generated certificate and key on the admin page of the router
When I enable web access from WAN this setup actually works: a green lock when I surf to https://router.domain.com:8443; a secure connection verified by Let's Encrypt.

However, I thought it was strongly discouraged to enable web access from WAN due to security concerns?

Do you guys really enable this, or do you use another way to get this to work? If so, how?
 
I don't think I need that (when "manually" getting the Let's Encrypt certificates)?
  1. A CNAME record in the DNS settings of my domain is set to redirect router.domain.com to hostname.asuscomm.com
  2. External traffic on port 80 of the router is forwarded to a Raspberry Pi (for certbot)
  3. On this Pi I run certbot ("standalone") to generate a certificate and key for router.domain.com
  4. I upload the generated certificate and key on the admin page of the router
When I enable web access from WAN this setup actually works: a green lock when I surf to https://router.domain.com:8443; a secure connection verified by Let's Encrypt.

However, I thought it was strongly discouraged to enable web access from WAN due to security concerns?

Do you guys really enable this, or do you use another way to get this to work? If so, how?
I run LetsEncrypt in a Docker container and use DNS verification via the cloudflare plugin: https://hub.docker.com/r/linuxserver/letsencrypt/
 
@Jack Yaz Thank you for providing another option to do this.

But my main question to any of you: do you enable web access to WAN on the router?

If not, how can you use the (external) domain URL to access the router GUI (on your local network)?
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top