Repair or reset 'Let's encrypt' certificate issued to LAN IP thanks to stuff up


franku

New Around Here
I wasn't paying attention when I followed the Asus Let's Encrypt webUI certificate generation guide and ended up generating a certificate for my LAN IP rather than a resolvable URL. Now, despite a factory reset, the setting is stuck on:

Status :Updating...
Issued to : 192.168.1.1
SAN : 192.168.1.1 router.asus.com RT-AC68U-3420 [externalUrlName].asuscomm.com
Issued by : 192.168.1.1
Expires on : 2028/3/11

Whatever I change, including registering a different DDNS address, the WebUI reports nothing has changed (IP address, server and hostname have not changed since the last update. If you want to update, please click [Yes]. - there is no 'Yes' button, only 'ok' and 'cancel')

How can I remove the current settings so I can start again, or repair them? Or, given that the DDNS URL is part of the SAN value, is there some other issue I need to investigate?

Cheers..

Asuswrt Merlin 384.3 on RT-AC68U
 
A factory default reset should disable it, the setting and the state are stored in nvram AFAIK. Can't tell for sure however, the implementation is closed source.
 
Hi all,

Long story short I found a way to fix this. I ran into the same thing when I changed my DDNS name after moving to namecheap.com. Upon digging into the system and how LE works I found the command "/sbin/le_acme". By just running that it does a manual renew. Since my DDNS name was different it worked. This must be the command that the system runs after all the checks if it is time to renew.

Hope that helps.
 
So after having weird cert problems after updating to the latest beta, I decided to try the LE method.

Then was stuck on Updating. Bringing me here...

Manually running the le_acme didn't seem to do much.

Well then I looked at NVRAM variables and found an le_acme_debug... set that to "1" just for WTF's, and... after a few iterations of the first 2 line error messages...

Jul 25 14:14:12 kernel: /usr/sbin/acme-client: /jffs/.le/name.domain.com: -c directory must exist
Jul 25 14:14:12 kernel: /usr/sbin/acme-client: /tmp/.le/www/.well-known/acme-challenge: -C directory must exist
Jul 25 14:15:00 rc_service: service 899:notify_rc restart_letsencrypt
Jul 25 14:15:03 kernel: /usr/sbin/acme-client: /jffs/.le/account.key: generating RSA account key
Jul 25 14:15:03 kernel: /usr/sbin/acme-client: /jffs/.le/name.domain.com/domain.key: generating RSA domain key
Jul 25 14:15:06 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
Jul 25 14:15:06 kernel: /usr/sbin/acme-client: acme-v01.api.letsencrypt.org: DNS: xx.xx.xx.xx
Jul 25 14:15:07 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
Jul 25 14:15:07 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: name.domain.com
Jul 25 14:15:07 kernel: /usr/sbin/acme-client: /tmp/.le/www/.well-known/acme-challenge/blaw: created
Jul 25 14:15:07 kernel: /usr/sbin/acme-client: https://acme-01.api.letsencrypt.org/acme/challenge/blah/blah: challenge
Jul 25 14:15:13 kernel: /usr/sbin/acme-client: https://acme-01.api.letsencrypt.org/acme/challenge/blah/blah: status
Jul 25 14:15:13 kernel: /usr/sbin/acme-client: https://acme-01.api.letsencrypt.org/acme/challenge/blah/blah: valid
Jul 25 14:15:13 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
Jul 25 14:15:14 kernel: /usr/sbin/acme-client: http://cert.int-x3.letsencrypt.org/: full chain
Jul 25 14:15:14 kernel: /usr/sbin/acme-client: cert.int-x3.letsencrypt.org: DNS: xx.xx.xx.xx
Jul 25 14:15:14 kernel: /usr/sbin/acme-client: /jffs/.le/name.domain.com/chain.pem: created
Jul 25 14:15:14 kernel: /usr/sbin/acme-client: /jffs/.le/name.domain.com/cert.pem: created
Jul 25 14:15:14 kernel: /usr/sbin/acme-client: /jffs/.le/name.domain.com/fullchain.pem: created

Now it seems alright.. however, I'm suddenly having trouble using the external hostname to reach my router from the inside, which I presume is a provider firewall issue not allowing roundtrip connections?

Jesus, this whole drive for HTTPS/SSL everywhere whilst disallowing local-IP signing is really turning into a giant PITA for simple small site and home admins. It's one of those things that is going to make me turn my sites into LESS secure configurations (i.e. I'll just go back and allow HTTP dammit, or use obsolete browsers that will STFU about self-signed certs...) just because the PITA far outweighs the threat.
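The le_acme_debug output above is the only visibility the router gives into where an issuance attempt stalls: the two "directory must exist" lines are the first attempts failing before the CA is contacted, and the run only counts as done once fullchain.pem is written. As an added example (not from the thread and not Asuswrt-Merlin code), here is a small Python parser over a constructed excerpt of those syslog lines that reduces a run to the facts you would check first: whether restart_letsencrypt fired, which names were actually requested in new-authz, whether the HTTP-01 challenge went valid, and whether the chain was created. The log text, hostnames and IPs are placeholders constructed for the example.

```python
import re

# Constructed sample, abbreviated from the le_acme_debug syslog excerpt above.
# name.domain.com and xx.xx.xx.xx are placeholders, not real hosts.
SAMPLE_LOG = """\
Jul 25 14:14:12 kernel: /usr/sbin/acme-client: /jffs/.le/name.domain.com: -c directory must exist
Jul 25 14:14:12 kernel: /usr/sbin/acme-client: /tmp/.le/www/.well-known/acme-challenge: -C directory must exist
Jul 25 14:15:00 rc_service: service 899:notify_rc restart_letsencrypt
Jul 25 14:15:03 kernel: /usr/sbin/acme-client: /jffs/.le/account.key: generating RSA account key
Jul 25 14:15:06 kernel: /usr/sbin/acme-client: acme-v01.api.letsencrypt.org: DNS: xx.xx.xx.xx
Jul 25 14:15:07 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: name.domain.com
Jul 25 14:15:07 kernel: /usr/sbin/acme-client: /tmp/.le/www/.well-known/acme-challenge/blaw: created
Jul 25 14:15:13 kernel: /usr/sbin/acme-client: https://acme-01.api.letsencrypt.org/acme/challenge/blah/blah: valid
Jul 25 14:15:14 kernel: /usr/sbin/acme-client: /jffs/.le/name.domain.com/fullchain.pem: created
"""

# Constructed sample of a run that never got past the first two error lines.
FAILED_LOG = """\
Jul 25 14:14:12 kernel: /usr/sbin/acme-client: /jffs/.le/name.domain.com: -c directory must exist
Jul 25 14:14:12 kernel: /usr/sbin/acme-client: /tmp/.le/www/.well-known/acme-challenge: -C directory must exist
"""

# syslog prefix: "<Mon dd hh:mm:ss> <process>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<proc>[^:]+): (?P<msg>.*)$")
# acme-client messages are "<subject>: <detail>", where subject is a path, host or URL
ACME_RE = re.compile(r"^/usr/sbin/acme-client: (?P<subject>\S+): (?P<detail>.*)$")


def parse_le_log(text):
    """Yield (timestamp, process, subject, detail) per line; subject is None for non-acme lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proc, msg = m.group("ts"), m.group("proc"), m.group("msg")
        a = ACME_RE.match(msg)
        if a:
            events.append((ts, proc, a.group("subject"), a.group("detail")))
        else:
            events.append((ts, proc, None, msg))
    return events


def summarize_le_run(text):
    """Reduce an acme-client syslog excerpt to the facts an admin checks first."""
    summary = {
        "restart_seen": False,       # rc_service restart_letsencrypt fired
        "errors": [],                # lines acme-client treats as fatal for that attempt
        "requested_names": [],       # names sent in new-authz: what the router asked the CA for
        "challenge_valid": False,    # HTTP-01 challenge accepted by the CA
        "fullchain_created": False,  # /jffs/.le/<name>/fullchain.pem written
    }
    last_detail = None
    for _ts, _proc, subject, detail in parse_le_log(text):
        last_detail = detail
        if subject is None:
            if "restart_letsencrypt" in detail:
                summary["restart_seen"] = True
            continue
        if "must exist" in detail:
            summary["errors"].append(f"{subject}: {detail}")
        elif detail.startswith("req-auth: "):
            summary["requested_names"].append(detail.split(": ", 1)[1])
        elif detail == "valid":
            summary["challenge_valid"] = True
        elif subject.endswith("fullchain.pem") and detail == "created":
            summary["fullchain_created"] = True

    if summary["fullchain_created"]:
        summary["status"] = "issued"
    elif summary["errors"] and not summary["requested_names"]:
        summary["status"] = "failed before contacting the CA: " + summary["errors"][-1]
    else:
        summary["status"] = f"incomplete; last step: {last_detail}"
    return summary


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("failed", FAILED_LOG)):
        print(name, summarize_le_run(log))
```

Feed it the output of `cat /tmp/syslog.log | grep -E 'acme-client|letsencrypt'` after setting le_acme_debug; the requested_names list is the quickest way to confirm the router asked for the DDNS hostname and not the LAN IP or the bare device name.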
 
Those settings are part of the certificate. Doing a factory reset should wipe out the cert, but reloading the same cert would cause the same problem. You will need to get a NEW certificate with different settings.

Did you try switching it to None and clicking Apply, then changing it to Let's Encrypt and pressing Apply again? Make sure that DDNS is turned on and that the hostname you want is successfully registered.
 
OK so figured it out... 2 things that were 'solutions'...
1. I had indeed WAN access for GUI turned off (hadn't thought that was so - my bad...), so... now I can use my dynamic hostname to get to the router... so LE should work OK if I do that...
2. Alternatively, and/or, chrome://flags/#allow-insecure-localhost gets the browser at least to STFU about the IP address. Of course Google will probably deprecate that setting soon as they go to enforced-enterprise-level-security-everywhere...
 
Hi all,

Long story short I found a way to fix this. I ran into the same thing when I changed my DDNS name after moving to namecheap.com. Upon digging into the system and how LE works I found the command "/sbin/le_acme". By just running that it does a manual renew. Since my DDNS name was different it worked. This must be the command that the system runs after all the checks if it is time to renew.

Hope that helps.


How do you manually run the LE command?

My apologies for my ignorance on this...
 
Certificate problem

As I use Firefox when I connect to my AC87U running 384.5, Firefox warns about the certificate.
The address: https://192.168.1.1:8443/Main_Login.asp

Certificate Issued To
CN 192.168.1.1
O ASUSWRT-Merlin
OU <Not Part Of Certificate>

Issued By
O ASUSWRT-Merlin
Period Of Validity
Begins On 08 August 2018
Expires On 08 August 2028

Fingerprints

SHA-256 Fingerprint
SHA1 Fingerprint

Last year I used Putty to generate certificate and transferred it to my Asus router.
On 8 August my Windows 10 was upgraded, and my problem started. All information about the certificate is lost on the PC, and I can't connect using Putty.
Last year the certificate started in 2017 and expired in 2027. This changed to 2018 and 2028, but not by me, on the 8th of August.

A stupid question:
Is it possible to reorganise all of the information regards certificate?
To "clean out" and start with a new certificate may not work, as the connection fails.
If I have to live with this certificate (2018-2028), are there any security dangers with this certificate?
 
Hi all,

Long story short I found a way to fix this. I ran into the same thing when I changed my DDNS name after moving to namecheap.com. Upon digging into the system and how LE works I found the command "/sbin/le_acme". By just running that it does a manual renew. Since my DDNS name was different it worked. This must be the command that the system runs after all the checks if it is time to renew.

Hope that helps.

This worked for me.

Thank you!
 
I'm having problems because the router is now trying to generate a certificate for 192.168.0.1 router.asus.com router router.domain home.domain.
"router" is the Device name of my router on the LAN settings page.

Let's Encrypt rejects the request, presumably because "router" isn't a valid domain name to use on the internet.
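The SAN lists quoted in this thread ("192.168.1.1 router.asus.com RT-AC68U-3420 [externalUrlName].asuscomm.com" in the first post, "192.168.0.1 router.asus.com router router.domain home.domain" here) mix a LAN IP and bare device names with the one name a public CA could actually validate. As an added example (not from the thread and not Asuswrt-Merlin code), the Python below classifies each SAN candidate the way the CA will: IP literals and private addresses are rejected outright (Let's Encrypt did not issue certificates for IP addresses at the time of this thread), single-label names and invalid labels are rejected, and only syntactically public FQDNs are marked as candidates. The SAN strings are constructed from the posts; the bracketed DDNS name is the placeholder the original poster used, not a real host.

```python
import ipaddress
import re

# SAN string as reported by the router WebUI in the first post (constructed from the
# thread; "[externalUrlName]" is the original poster's placeholder, not a real host).
SAN_FROM_THREAD = "192.168.1.1 router.asus.com RT-AC68U-3420 [externalUrlName].asuscomm.com"
# SAN candidates from the post above (constructed; "domain" stands for the user's domain).
SAN_WITH_DEVICE_NAME = "192.168.0.1 router.asus.com router router.domain home.domain"

# RFC 1123 host label: 1..63 chars of letters, digits, hyphen; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)


def classify_san_entry(entry):
    """Return (entry, verdict, reason); verdict is 'issuable' or 'rejected'.

    'issuable' only means the name is something a public CA could attempt to
    validate over the Internet. DNS must still point at the router and port 80
    must reach it, which is exactly what the HTTP-01 challenge tests.
    """
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return (entry, "rejected", "private/LAN IP address; not reachable by the CA")
        return (entry, "rejected", "IP address literal; no public CA validation for IPs here")
    labels = entry.split(".")
    if len(labels) < 2:
        return (entry, "rejected", "single-label name; not resolvable on the public Internet")
    if not all(LABEL_RE.match(label) for label in labels):
        return (entry, "rejected", "invalid DNS label")
    return (entry, "issuable", "public FQDN; CA can attempt HTTP-01 validation")


def check_san(san_string):
    """Classify every whitespace-separated SAN candidate in the router's SAN string."""
    return [classify_san_entry(e) for e in san_string.split()]


def rejected_entries(san_string):
    """Just the entries the CA will refuse, in the order they appear."""
    return [e for e, verdict, _ in check_san(san_string) if verdict == "rejected"]


if __name__ == "__main__":
    for san in (SAN_FROM_THREAD, SAN_WITH_DEVICE_NAME):
        for entry, verdict, reason in check_san(san):
            print(f"{verdict:9} {entry:35} {reason}")
        print()
```

Because a single rejected name fails the whole order, the practical fix is the one given earlier in the thread: make the DDNS hostname the name the router registers, and keep LAN IPs and the bare device name out of the request.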
 
I am having the same problem...
My Router stuck in updating the Certificate for 192.168.1.1 asus.router...

I tried le_acme but nothing changed :(

DDNS for my domain works normal.
I can reach my Router external via URL Domain, but HTTPS did not work...

Can this happen because I use a static IP? :-/
 
