Stubby-Installer-Asuswrt-Merlin

@Xentrk, is there anything wrong here?

Code:
@RT-AC86U-99A8:/tmp/home/root# echo | openssl s_client -verify on -CApath /rom/etc/ssl/certs -connect 1.1.1.1:853
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify error:num=20:unable to get local issuer certificate
4147033296:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 7 bytes
---
 
Early in the development, we were installing the entware package ca-certificates and telling Stubby to use the certificate in stubby.yml:

Code:
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"

One of the testers had a similar error when running the command
Code:
echo | openssl s_client -connect '1.1.1.1:853'
It appeared as if the OS was not able to locate the certificate. The fix was to use the command
Code:
echo | openssl s_client -verify on -CApath /opt/etc/ssl/certs -connect 1.1.1.1:853

However, right before we went live to the community, I found that Asuswrt-Merlin stores the certificate in /rom/etc/ssl/certs. This allowed me to eliminate the ca-certificates entware package as a requirement and use the certificate installed by the firmware.

1. Please check the contents of /rom/etc/ssl/certs and make sure there is a ca-certificates.crt file in that location.
2. Check /opt/var/stubby/stubby.yml for the line: tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
3. Run the command echo | openssl s_client -connect '1.1.1.1:853'. Do you get the "Verify return code: 20 (unable to get local issuer certificate)" error message with this command?
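The three checks above, scripted as an added example (not code from the thread or the Stubby installer): it reads the tls_ca_file path out of stubby.yml, confirms the bundle exists, and verifies 1.1.1.1:853 against that same bundle with -CAfile so the result matches what Stubby itself will see. The paths and the 1.1.1.1:853 target are the thread's; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are my own; the paths
# (/opt/var/stubby/stubby.yml, the CA bundle) and 1.1.1.1:853 come from the thread.

# Print the tls_ca_file path from stubby.yml text on stdin. The line looks like:
#   tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"
stubby_ca_file() {
    sed -n 's/^[[:space:]]*tls_ca_file:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' | head -n 1
}

# Print the numeric "Verify return code" from openssl s_client output on stdin.
# 0 = chain verified against the given CA store; 20 = "unable to get local
# issuer certificate", i.e. the bundle was not found or lacks the issuer
# (DigiCert ECC Secure Server CA in the output quoted above). Empty = no
# verification happened at all (connection or TLS error).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Live check on the router: use the CA path Stubby is configured with, make sure
# the file is readable, then verify the resolver's chain against that bundle.
check_dot_chain() {
    yml=${1:-/opt/var/stubby/stubby.yml}
    ca=$(stubby_ca_file < "$yml")
    [ -n "$ca" ] || { echo "no tls_ca_file line in $yml"; return 2; }
    [ -r "$ca" ] || { echo "tls_ca_file $ca is missing or unreadable"; return 2; }
    code=$(echo | openssl s_client -verify on -CAfile "$ca" -connect 1.1.1.1:853 2>&1 | verify_code)
    case "$code" in
        0)  echo "chain to 1.1.1.1:853 verified with $ca"; return 0 ;;
        20) echo "issuer not found in $ca (verify return code 20)"; return 1 ;;
        *)  echo "verify return code: ${code:-none} (connection or TLS error)"; return 1 ;;
    esac
}

# Only touch the network when run with a stubby.yml path, e.g.:
#   sh check_dot.sh /opt/var/stubby/stubby.yml
if [ "$#" -gt 0 ]; then check_dot_chain "$1"; fi
```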
 
Thank you! I will try it tonight.

Marin
 
You are saying to try turning it on in Merlin's instead?
Yes. I am currently using Stubby with DNSSEC enabled in Merlin/dnsmasq. Either works and neither is preferred. I have also tested both ways on OpenWRT successfully.
 
I have been getting these under the IPS section of AiProtection. I'm thinking they are Stubby-related and nothing serious, but proof that AiProtection is doing its job. Am I correct or not?
 
Stubby does use the loopback address in its function. As a matter of fact, if the webui would take the loopback as a DNS address, that would be the developer's preference. So seeing entries like you see, with no corresponding syslog entry, is likely caused by Stubby. When I first set Stubby up a long time ago I had the same entries.
 
Good to know, thank you @skeal!
 
How do I check 1. and 2.? Sorry, still learning commands.

Also on 3. yes, I do get the error message. See below:

Code:
 0140 - 38 b3 47 ed 8e 82 6b 06-88 5e b7 2e a1 b3 2e 15   8.G...k..^......
    0150 - 5d 2c 7d a1 37 99 4d 7f-95 50 db 7e a0 4f b0 7e   ],}.7.M..P.~.O.~
    0160 - fc 49 43 5b 31 d4                                 .IC[1.

    Start Time: 1545180252
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
 
Is there a command to download this ca-certificate from Entware? Would this interfere with what is already installed with Stubby?
 
Why is it even necessary to change the WAN DNS in the GUI? Won’t the no-resolv and server= statements in the Dnsmasq.conf.add prevent Dnsmasq from using /tmp/resolv.conf? Or do you also need a Dnsmasq Postconf script to remove some other entries?
 
I can't find a way to figure out if this is enabled in Safari. Every link that I see states that SNI is already supported in Safari but I don't see the SSL 2.0 and SSL 3.0 in my "proxies" tab of the network preferences.
 
Perhaps the firmware cert is in a different directory location on the AC86U? @Jack Yaz can you confirm?

1. You can do a change directory command, e.g. "cd /rom/etc/ssl/certs", to navigate to the directory. Then, issue the Linux command to list out the directory contents. Cloudflare won't let me put it in the post. Here is one reference: https://www.rapidtables.com/code/linux/ls.html

2. "cd /opt/var/stubby". Then "cat stubby.yml". If you have an SFTP server installed, you can use client software like MobaXterm or WinSCP to get a Windows Explorer view of the Linux OS. Everyone has their preference. PuTTY is another option.

The entware package is called ca-certificates. Install: opkg install ca-certificates

You then have to change stubby.yml to use the certificate from entware:

Code:
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"

followed by a restart:

Code:
/opt/etc/init.d/S61stubby restart

Asuswrt-Merlin has a built-in line editor called nano:
https://www.howtogeek.com/howto/429...e-to-nano-the-linux-command-line-text-editor/
 
ok here we go...

Code:
062897@RT-AC86U-99A8:/tmp/home/root# opkg install ca-certificates
Package ca-certificates (20180409-3) installed in root is up to date.

do I add
Code:
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"

to:

Code:
nano /opt/etc/stubby/stubby.yml
 
and replace this line in nano:

Code:
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"

with:

Code:
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"
??
 
and replace this line in nano:

Code:
tls_ca_file: "/rom/etc/ssl/certs/ca-certificates.crt"

with:

Code:
tls_ca_file: "/opt/etc/ssl/certs/ca-certificates.crt"
??
Yes
 
Great thank you!
 
Oh and restart stubby.
Code:
/opt/etc/init.d/S61stubby restart
 