No encrypt certificate not working with DDNS service

[JohnnyGuitar]

Hello,
I set up a DDNS service through the Asus server and chose to use a let's encrypt certificate. The router tells me that the certificate is active, but when I connect to the DDNS server, I get messages informing me that the connection is not secure. My router is RT-AC3100.

 

[garycnew]

@JohnnyGuitar

I just tried enabling DDNS with asuscomm.com and all I get is DDNS Registration Result: Authentication failed and Server Certificate Status: Authorizing. I tried several different host names that appear to be available in the asus iplookup tool with the same failure.

I see nothing related in the System Logs (not even after issuing # service restart_letsencrypt) and an /jffs/.le directory has not been created.

What version of acme.sh do you have installed?

# /usr/sbin/acme.sh -v
https://github.com/Neilpang/acme.sh
v2.8.3

It must be a version that supports ACME v2.

I'm on RT-AC66U_B1.

Respectfully,


Gary

 

[Mr Tvardovsky]

I just tried enabling DDNS with asuscomm.com and all I get is DDNS Registration Result: Authentication failed and Server Certificate Status: Authorizing. I tried several different host names that appear to be available in the asus iplookup tool with the same failure.

Same issue here, after factory reset and re-configuring everything from scratch, Let’s Encrypt certificate status is stuck on “Authorizing”. I can vaguely recall that once I had this issue before and it took a couple of days before it was gone.

 

[JohnnyGuitar]

@JohnnyGuitar

I just tried enabling DDNS with asuscomm.com and all I get is DDNS Registration Result: Authentication failed and Server Certificate Status: Authorizing. I tried several different host names that appear to be available in the asus iplookup tool with the same failure.

I see nothing related in the System Logs (not even after issuing # service restart_letsencrypt) and an /jffs/.le directory has not been created.

What version of acme.sh do you have installed?

# /usr/sbin/acme.sh -v
https://github.com/Neilpang/acme.sh
v2.8.3

It must be a version that supports ACME v2.

I'm on RT-AC66U_B1.

Respectfully,


Gary

Thank you for the reply. I am on v2.8.3.

 

[garycnew]

Same issue here, after factory reset and re-configuring everything from scratch, Let’s Encrypt certificate status is stuck on “Authorizing”. I can vaguely recall that once I had this issue before and it took a couple of days before it was gone.

@Mr Tvardovsky

Do you see any related errors in the System Logs? I don't even see errors in the logs.

I believe I have two separate issues: asuscomm and letsencrypt registration.

I should probably work through the former issue prior to the latter.

Respectfully,


Gary

 

[garycnew]

Thank you for the reply. I am on v2.8.3.

@JohnnyGuitar

Do you see any related errors in the System Logs?

Respectfully,


Gary

 

[JohnnyGuitar]

@JohnnyGuitar

Do you see any related errors in the System Logs?

Respectfully,


Gary

I don't see any related errors in the system logs. I'm not sure if this message is regarding the let's encrypt certificate, but in the logs I do see a message saying, "httpd: Succeed to init SSL Certificate...80".

 

[garycnew]

I don't see any related errors in the system logs. I'm not sure if this message is regarding the let's encrypt certificate, but in the logs I do see a message saying, "httpd: Succeed to init SSL Certificate...80".

@JohnnyGuitar

I have those log entries as well, but only in the past and not today when enabling DDNS & LE for the first time; thus, I don't believe they are related.

It sounds like the System Logs aren't much help to you, either.

I think the next step is to confirm whether you can get the acme.sh script working manually and validate that the /jffs/.le directory and files are created.

Respectfully,


Gary

 

[Mr Tvardovsky]

@Mr Tvardovsky

Do you see any related errors in the System Logs? I don't even see errors in the logs.

I believe I have two separate issues: asuscomm and letsencrypt registration.

Hi Gary,
I found this in my logs:

Sep 27 18:59:24 rc_service: httpd 8564:notify_rc ipsec_start
Sep 27 19:00:00 rc_service: httpd 8564:notify_rc ipsec_start
Sep 27 19:00:00 rc_service: service 9072:notify_rc restart_letsencrypt
Sep 27 19:00:00 rc_service: waitting "ipsec_start" via httpd ...
Sep 27 19:00:03 Let's Encrypt: Err, DDNS update failed.

I wouldn't say my log is flooded, but I can see a number of such entries since my last factory default reset.

 

[garycnew]

Hi Gary,
I found this in my logs:

Sep 27 18:59:24 rc_service: httpd 8564:notify_rc ipsec_start
Sep 27 19:00:00 rc_service: httpd 8564:notify_rc ipsec_start
Sep 27 19:00:00 rc_service: service 9072:notify_rc restart_letsencrypt
Sep 27 19:00:00 rc_service: waitting "ipsec_start" via httpd ...
Sep 27 19:00:03 Let's Encrypt: Err, DDNS update failed.

I wouldn't say my log is flooded, but I can see a number of such entries since my last factory default reset.

@Mr Tvardovsky

Your logs seem to indicate that it's an issue related to the DDNS portion of the process.

Are you able to manually login to your DDNS provider and validate your host entry is updated with your current Public IP Address?

At least you have some logs to go on.

Respectfully,


Gary

 

[Mr Tvardovsky]

@Mr Tvardovsky

Your logs seem to indicate that it's an issue related to the DDNS portion of the process.

Are you able to manually login to your DDNS provider and validate your host entry is updated with your current Public IP Address?

Hi @garycnew , many thanks for the hint. Logging into noip.com and manually updating my hostname did the trick. The certificate works as it should now.

Of note: in the meantime I tried the Asus DDNS address and it failed to register. There may be indeed some issue with their service.

 

[garycnew]

Hi @garycnew , many thanks for the hint. Logging into noip.com and manually updating my hostname did the trick. The certificate works as it should now.

Of note: in the meantime I tried the Asus DDNS address and it failed to register. There may be indeed some issue with their service.

@Mr Tvardovsky

I'm glad to hear you were able to sort things out and thanks for the heads-up about having issues with Asus' DDNS Service, also.

I believe me and @JohnnyGuitar need to try an alternative DDNS + LE configuration.

Respectfully,


Gary

 

[garycnew]

@Mr Tvardovsky

I was able to get a custom DDNS config setup with the ddns-start script updating my tinydns server. However, I'm still stuck with LE Authorizing the initial certificate.

Will you provide me with a recursive directory listing of your /jffs/.le directory (showing user/group and permissions) and System Logs related to your LE issuing/renewal?

With that information, I might be able to reproduce the LE process on the command-line of my router.

Thank you for your assistance.

Respectfully,


Gary

 

[Mr Tvardovsky]

Will you provide me with a recursive directory listing of your /jffs/.le directory (showing user/group and permissions) and System Logs related to your LE issuing/renewal?

@garycnew , here is the part of my logs that I think may be useful to you - this is what happened after my successful ddns hostname update ('XXX' stands for hidden private information):

Sep 29 07:44:18 rc_service: httpd XXX:notify_rc restart_ddns_le
Sep 29 07:44:18 start_ddns: update WWW.NO-IP.COM default@no-ip.com, wan_unit 0
Sep 29 07:44:18 inadyn[11562]: In-a-dyn version 2.8.1 -- Dynamic DNS update client.
Sep 29 07:44:18 inadyn[11562]: Update forced for alias XXX, new IP# XXX
Sep 29 07:44:19 inadyn[11562]: Updating cache for XXX
Sep 29 07:44:19 ddns: ddns update ok
Sep 29 07:44:22 kernel: [Wed Sep 29 07:44:22 DST 2021]
Sep 29 07:44:22 kernel: Standalone mode.
Sep 29 07:44:25 kernel: [Wed Sep 29 07:44:25 DST 2021]
Sep 29 07:44:25 kernel: Registering account
Sep 29 07:44:27 kernel: [Wed Sep 29 07:44:27 DST 2021]
Sep 29 07:44:27 kernel: Already registered
Sep 29 07:44:27 kernel: [Wed Sep 29 07:44:27 DST 2021]
Sep 29 07:44:27 kernel: ACCOUNT_THUMBPRINT='XXX'
Sep 29 07:44:27 kernel: [Wed Sep 29 07:44:27 DST 2021]
Sep 29 07:44:27 kernel: Creating domain key
Sep 29 07:44:29 kernel: [Wed Sep 29 07:44:29 DST 2021]
Sep 29 07:44:29 kernel: The domain key is here: /jffs/.le/XXX/XXX.key
Sep 29 07:44:30 kernel: [Wed Sep 29 07:44:30 DST 2021]
Sep 29 07:44:30 kernel: Single domain='XXX'
Sep 29 07:44:30 kernel: [Wed Sep 29 07:44:30 DST 2021]
Sep 29 07:44:30 kernel: Getting domain auth token for each domain
Sep 29 07:44:33 kernel: [Wed Sep 29 07:44:33 DST 2021]
Sep 29 07:44:33 kernel: Getting webroot for domain='XXX'
Sep 29 07:44:33 kernel: [Wed Sep 29 07:44:33 DST 2021]
Sep 29 07:44:33 kernel: Verifying: XXX
Sep 29 07:44:33 kernel: [Wed Sep 29 07:44:33 DST 2021]
Sep 29 07:44:33 kernel: Standalone mode server
Sep 29 07:44:39 kernel: [Wed Sep 29 07:44:39 DST 2021]
Sep 29 07:44:39 kernel: Success
Sep 29 07:44:39 kernel: [Wed Sep 29 07:44:39 DST 2021]
Sep 29 07:44:39 kernel: Verify finished, start to sign.
Sep 29 07:44:39 kernel: [Wed Sep 29 07:44:39 DST 2021]
Sep 29 07:44:39 kernel: Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/XXX/XXX
Sep 29 07:44:42 kernel: [Wed Sep 29 07:44:42 DST 2021]
Sep 29 07:44:42 kernel: Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/XXX
Sep 29 07:44:43 kernel: [Wed Sep 29 07:44:43 DST 2021]
Sep 29 07:44:43 kernel: Cert success.

As for 'recursive directory listing of my /jffs/.le directory' - I am afraid I am not that much of an advanced user to dig it out easily :-( Would you let me know how to do this?

 

[garycnew]

@Mr Tvardovsky

The System Logs are exactly what I was looking for. The only thing better would be the acme.sh command-line arguments that Asuswrt-Merlin uses for issuing and renewing LE certificates, but that would involve creating a new LE certificate; while, watching ps at the command-line.

As for 'recursive directory listing of my /jffs/.le directory' - I am afraid I am not that much of an advanced user to dig it out easily :-( Would you let me know how to do this?

As for the recursive directory listing, it would require that you ssh or putty into your router.

putty 192.168.1.1
# ls -lR /jffs/.le

The recursive directory listing should get me most of the way to the finish-line.

Much Appreciated!


Gary

 

[Mr Tvardovsky]

As for the recursive directory listing, it would require that you ssh or putty into your router.

putty 192.168.1.1
# ls -lR /jffs/.le

The recursive directory listing should get me most of the way to the finish-line.

@garycnew

Here you go - hope this is what you need:

/jffs/.le:
-rw-r--r-- 1 LOGIN root 89 Sep 29 07:44 account.conf
-rw------- 1 LOGIN root 1679 Sep 24 22:12 account.key
drwxr-xr-x 3 LOGIN root 0 Sep 29 07:44 DDNS.ADDRESS

/jffs/.le/DDNS.ADDRESS:
drwxr-xr-x 2 LOGIN root 0 Sep 29 07:44 backup
-rw-r--r-- 1 LOGIN root 3751 Sep 29 07:44 ca.cer
-rw------- 1 LOGIN root 1675 Sep 29 07:44 domain.key
-rw-r--r-- 1 LOGIN root 5601 Sep 29 07:44 fullchain.cer
-rw-r--r-- 1 LOGIN root 5601 Sep 29 07:44 fullchain.pem
-rw-r--r-- 1 LOGIN root 1850 Sep 29 07:44 DDNS.ADDRESS.cer
-rw-r--r-- 1 LOGIN root 758 Sep 29 07:44 DDNS.ADDRESS.conf
-rw-r--r-- 1 LOGIN root 985 Sep 29 07:44 DDNS.ADDRESS.csr
-rw-r--r-- 1 LOGIN root 213 Sep 29 07:44 DDNS.ADDRESS.csr. conf
-rw-r--r-- 1 LOGIN root 1675 Sep 29 07:44 DDNS.ADDRESS.key

 

[garycnew]

Here you go - hope this is what you need

@Mr Tvardovsky

Perfect! I did notice that I'm missing one last piece... The associated ddns_ and le_ nvram values.

Will you log into your router using ssh or putty, again, and provide the output for the following commands:

putty 192.168.1.1
# nvram show | grep -iE "^ddns_"
# nvram show | grep -iE "^le_"

BTW... I found that the version of acme.sh script installed on my RT-AC66U_B1 (384.19) is fully capable of performing an LE DNS-01 verification with the caveat that Asus replaced all the scripts in dnsapi with its own.

# /usr/sbin/acme.sh -v
https://github.com/Neilpang/acme.sh
v2.8.3

# ls -l /usr/sbin/dnsapi/dns_asusapi.sh

It's a fairly simple dnsapi that I believe I can modify to update my DNS server installed via Entware on this router. Alternatively, I believe I could just configure the post-mount script to copy one of the many readily available dnsapi scripts into that location for use by the acme.sh script.

If you could provide the nvram values, I believe that should be the last of it.

Thanks, again!


Gary

 

[Dabombber]

I'm not sure if it still works, but I made a dnsapi script for asuscomm.com which doesn't use rely on prebuilt binaries.

From my acme installer:

Spoiler: dns_asus.sh

#!/bin/sh

dns_asus_add() {
    HOSTNAME="${1#_acme-challenge.}"
    TXTDATA="$2"

    # Reuse the current IP address
    IP="$(nslookup "$HOSTNAME" 'ns1.asuscomm.com' | awk 'NR>2&&/^Address/{print $(NF==2?2:3);exit}')"

    # Router MAC address location is hardware dependent
    for LAN_MAC_NAME in et0macaddr et1macaddr et2macaddr; do
        MAC_ADDR="$(nvram get "$LAN_MAC_NAME")"
        if [ -n "$MAC_ADDR" ] && [ "$MAC_ADDR" != '00:00:00:00:00:00' ]; then break; fi
    done

    # Use openssl to generate the password
    PASSWORD="$(printf '%s' "${MAC_ADDR//:/}${IP//./}" | openssl md5 -hmac "$(nvram get secret_code)" 2>/dev/null | awk '{print toupper($2)}')"

    HTTP_RESULT="$(curl -fs -w '%{http_code}' -o /dev/null -u "${MAC_ADDR//:/}:$PASSWORD" "http://ns1.asuscomm.com/ddns/update.jsp?hostname=$HOSTNAME&acme_challenge=1&txtdata=$TXTDATA&myip=$IP")"
    case "$HTTP_RESULT" in
        200|220|230) return 0;;
    esac
    return 1
}

dns_asus_rm() {
    # txt record is auto-removed by asus on next ddns update
    return 0
}

 

[garycnew]

I'm not sure if it still works, but I made a dnsapi script for asuscomm.com which doesn't use rely on prebuilt binaries.

@Dabombber

Thanks for the dns_asus.sh script! Presently, it appears that asuscomm.com isn't working; otherwise, your dns_asus.sh would fit the bill. You should submit your dns_asus.sh script to NealPang, via the acme.sh GitHub page, for inclusion in the dnsapi repository.

As for me... I've decided to go the custom DDNS route, use a domain that I already own, and create a custom acme.sh dnsapi script to update the DNS server configuration that I installed via Entware on this router. If you don't mind, I may use some bits of code from your dns_asus.sh script?

Any idea of the command-line arguments Asuswrt uses with the acme.sh script? I'd like to try and reproduce it as closely as possible to see if I can get the start_ddns_le service to work.

Thanks, again, for responding to this post.

Respectfully,


Gary

P.S. I did have a read through the related post regarding your acme installer script. It may just be my naivete to the acme.sh script, but I don't understand the purpose of installing another copy of the acme.sh script if all that is missing are the scripts from the dnsapi? What am I missing?

 

[Dabombber]

I don't know if it'd be suitable to be added to the dnsapi repo as it uses some asus only features, the nvram secret_code and hardware MAC address, and it also forces a ddns update for the asuscomm address.


The easiest way to find the arguments would be to just mount over the acme script and log them, something like

printf '%s\n' '#!/bin/sh' 'logger -t acme "$*"' '/tmp/acme_copy.sh "$@"' > /tmp/acme_log.sh
cp /usr/sbin/acme.sh /tmp/acme_copy.sh
chmod +x /tmp/acme_copy.sh /tmp/acme_log.sh
mount -o bind '/tmp/acme_log.sh' '/usr/sbin/acme.sh'

As for not using the built in acme.sh, I had been using it since before it was added to asuswrt. Plus it's easier to work with a version I have complete control over.