Let's Encrypt uses FQDN for certificate

[sbsnb]

I'm trying to enable HTTPS for accessing the web interface to my RT-AX86U, but Let's Encrypt insists on using the the router's DDNS host name for the certificate. This breaks HTTPS because the DDNS host name resolves to the WAN IP instead of the LAN IP, and since accessing the router's UI from the WAN is disabled it doesn't work. If I use the LAN IP to open the UI I have to wade through all kinds of stupid browser tricks warning me that the certificate doesn't match.

Is there a way to configure Let's Encrypt not to use the domain name? I could generate a self-signed cert, but some browsers block them altogether. If they're not blocked you still have to repeatedly go through the same rigmarole as when the IP doesn't match the certificate.

 

[Jeffrey Young]

As far as I know, it is a policy of Let's Encrypt that FQDN be used and that the top domain is a recognized domain name.

Looking at https://www.asus.com/support/FAQ/1034294, I think you are stuck.

 

[sbsnb]

Ok. Thank you. I'll hold off on upgrading to 386.4 until there's a way to resolve it.

Ironic that Asus's idea of improving security is forcing you to open your router UI to the WAN.

 

[Jeffrey Young]

You might be able to do it with a custom ddns setting. See this wiki: https://github.com/RMerl/asuswrt-merlin.ng/wiki/DDNS-services

With the temperatures the way they are, I might play around with this as a "something to do" thing this weekend and see if I can get it working with just a local FQDN name.

 

[Zastoff]

I use pixelserv-tls cert for webui

[ASUSWRT] Use Pixelserv CA to issue a certificate for WebGUI

A tiny bespoke HTTP/1.1 server for adblock and accelerating web browsing. - kvic-z/pixelserv-tls

github.com

It can also be found in amtm : ps
and i access webui with: https://router.asus.com:8443/Main_Login.asp

 

[Jeffrey Young]

I use pixelserv-tls cert for webui

[ASUSWRT] Use Pixelserv CA to issue a certificate for WebGUI

A tiny bespoke HTTP/1.1 server for adblock and accelerating web browsing. - kvic-z/pixelserv-tls

github.com

It can also be found in amtm : ps

Cool!! Now I got two things to play with. I have pixelserv installed and functioning now with Division. Thanks for sharing.

 

[sbsnb]

I use pixelserv-tls cert for webui

[ASUSWRT] Use Pixelserv CA to issue a certificate for WebGUI

A tiny bespoke HTTP/1.1 server for adblock and accelerating web browsing. - kvic-z/pixelserv-tls

github.com

It can also be found in amtm : ps
and i access webui with: https://router.asus.com:8443/Main_Login.asp

I'm trying to avoid using the router.asus.com because it gets confusing when you remote admin routers. Which one is resolving to what with a tangle of VPNs, etc. It's far easier for to just to use the IP, which I have for two decades.

 

[Jeffrey Young]

I'm trying to avoid using the router.asus.com because it gets confusing when you remote admin routers. Which one is resolving to what with a tangle of VPNs, etc. It's far easier for to just to use the IP, which I have for two decades.

I agree. I have multiple ASUS routers in my network. Can't have them all thinking they are router.asus.com

I'm going to play with both options this weekend. It has my own interest peeked now. I am hoping that I can get it to work with just HTTPS:\\IP.ADDRESS

 

[XIII]

I map router.mydomain.com to 192.168.1.1 in /jffs/configs/dnsmasq.conf.add to use LE certificates for the web interface.

 

[Jeffrey Young]

I map router.mydomain.com to 192.168.1.1 in /jffs/configs/dnsmasq.conf.add to use LE certificates for the web interface.

I do the same now so that my DC controlled computers and DC can find the router via a FQDN in the domain. This, I think, might be the simplest method yet if you have DDNS already set up.

Love it

 

[Jeffrey Young]

I'm trying to avoid using the router.asus.com because it gets confusing when you remote admin routers. Which one is resolving to what with a tangle of VPNs, etc. It's far easier for to just to use the IP, which I have for two decades.

I get a 403 Forbidden when I try to access the script. Perhaps no longer available?

 

[Jeffrey Young]

I'm trying to avoid using the router.asus.com because it gets confusing when you remote admin routers. Which one is resolving to what with a tangle of VPNs, etc. It's far easier for to just to use the IP, which I have for two decades.

@sbsnb, looks like that script is no longer available. If you have a local copy, and is open source license, are you willing to share it somewhere?

 

[elorimer]

I think if you use the cert in /opt/var/cache/pixelserv (or download it from pixelservipaddress/ca.crt) you can follow the steps in the Asus FAQ here: https://www.asus.com/us/support/FAQ/1034294/

I looked for it in the wayback machine, and the instructions are there but not the script.

 

[sbsnb]

What script? I have always just used regular HTTP access. I only contemplated switching because I see people complaining about some built-in nag screen in the latest firmware if you're not using HTTPS.

 

[Zastoff]

@sbsnb, looks like that script is no longer available. If you have a local copy, and is open source license, are you willing to share it somewhere?

The pixelserv-tls cert for webui script?
You can run it from AMTM and ps

 

[Jeffrey Young]

The pixelserv-tls cert for webui script?
You can run it from AMTM and ps

Excellent. Thanks, I missed that part.

 

[eZwa]

I map router.mydomain.com to 192.168.1.1 in /jffs/configs/dnsmasq.conf.add to use LE certificates for the web interface.

I've tried to map my router hostname to its' internal IP address, to no avail.

I have limited experience with DNSmasq config, but the entry I have in dnsmasq.config.add is:

address=/router.mydomain.com/10.10.10.1

This should be all that I need to do, correct?

 

[XIII]

This should be all that I need to do, correct?

It does work for me like that.

 

[eZwa]

It does work for me like that.

Well, as the tree said to the lumberjack... I'm stumped!

Any other alternative options that one could try to obtain the same end result?

 

[Jeffrey Young]

OK, so what is the end game here? Is it to access the router via a FQDN via https (https://router.mydomain.tld)? If so, using the --server directive is not what you want. The server directive in dnsmasq is used to redirect dns queries for a specific subdomain to another upstram server. What you want is to add an entry to the /jffs/configs/hosts.add file. The entry would be;

10.10.10.1    router.mydomain.tld

where 10.10.10.1 would be the IP address of your router and router.mydomain.tld is the FQDN of your Let's Encrypt certificate (CN).

The domain name router.mydomain.tld would have be match your common name in your certificate.

If the endgame here is to refer to your router as a an IP address using https (SSL/TLS), then I think you are out of luck. SSL/TLS just plainly does not work that way - by design. I can see some security issues if you could use SSL/TLS with an IP address as opposed to a FQDN.