Why do I need a Let's Encrypt certificate?

[jsbeddow]

Can someone refresh my memory on why we need the whole Let's Encrypt certificate in the first place? Presumably we only care about this if we insist on enabling https: access to the router and are shutting off simple http: access, right?

 

[bennor]

Might depend on the router. For some the Lets Encrypt cert is use for the DDNS feature. For other routers it may also be used to access the GUI if the GUI is configured for HTTPS access.
[Troubleshooting] How to fix opening ASUS Router WEB GUI appears “Your connection is not private”
[Wireless Router] DDNS introduction and set up

 

[jsbeddow]

Thanks, I guess in my case I have never really needed either one. My DDNS seems to update just fine (OpenDNS) without needing a certificate, so is this only for the Asus DDNS service?

 

[bennor]

... so is this only for the Asus DDNS service?

While the Lets Encrypt is generally for the DDNS service, if you see the "opening in web browser" link above they talk about using the Lets Encrypt DDNS certificate to access the router using HTTPS. See this link to the specific section talking about Lets Encrypt:
https://www.asus.com/us/support/FAQ/1034294/#lets

 

[jsbeddow]

While the Lets Encrypt is generally for the DDNS service, if you see the "opening in web browser" link above they talk about using the Lets Encrypt DDNS certificate to access the router using HTTPS. See this link to the specific section talking about Lets Encrypt:
https://www.asus.com/us/support/FAQ/1034294/#lets

Yes, sorry I worded that phrase poorly, I understand that it also is needed for https access to the router configuration pages.

That still seems to me to be overkill, as it really should only be accessible from inside my own lan, where if I need to be that concerned about http: vs. https: access then I've got bigger problems to address first.

 

[sfx2000]

That still seems to me to be overkill, as it really should only be accessible from inside my own lan, where if I need to be that concerned about http: vs. https: access then I've got bigger problems to address first.

Browsers are getting more strict over time - self-signed certs are robust, but the browsers don't care as they're not issued by real CA's...

Let's Encypt sorts that issue with the browsers...

 

[Martinski]

Can someone refresh my memory on why we need the whole Let's Encrypt certificate in the first place? Presumably we only care about this if we insist on enabling https: access to the router and are shutting off simple http: access, right?

Yes, on the router, the "Let's Encrypt" certificate is really intended only for accessing the router's webGUI using the HTTPS protocol via a regular web browser *without* getting the now all-too-common "Not Secure" warning messages (e.g. "Your connection is not private" or "Warning: Potential Security Risk Ahead").

I believe the confusion or misunderstanding that many people have WRT "needing" a "Let's Encrypt" (LE) certificate with their DDNS service setup is due to the fact that those two items are found on the same webGUI page, and when a DDNS service account has been enabled & configured on the router, the LE certificate is then issued for the domain/hostname that was set up in the DDNS configuration. I'm guessing that this is done because ASUS assumes that you're going to enable access to the webGUI over the WAN (hence HTTPS), and for this scenario to work you likely need a DDNS service since your WAN IP address is most likely dynamic (unless you're explicitly paying for a static public IP address, your ISP can change your WAN IP at any time, for any reason).

So given the above scenario, it does appear as though the DDNS service requires the LE certificate, but that's incorrect. One can in fact set up the DDNS service account and have it working successfully without ever needing any website certificate. For example, you can enable & configure an OpenVPN server and use the "Hostname" that was set up for your DDNS account as the "remote" option argument, and it works without any LE certificate - no need to allow access to the webGUI over the WAN either.

My 2 cents.

 

[Ripshod]

Can someone refresh my memory on why we need the whole Let's Encrypt certificate in the first place? Presumably we only care about this if we insist on enabling https: access to the router and are shutting off simple http: access, right?

My assumption, going on all the questions I've seen answered previously, is "because it's there".

 

[BGood]

I want to resurrect this thread, please, because I'm still confused. I have external access to my router turned OFF, except through OpenVPN, on my Asus running Merlin 3004.388.4. I turned on HTTPS: only, configured Let's Encrypt, and set up DDNS. The main Asus Merlin "dashboard" shows my DDNS name.

I cannot access it via that name from any browser on my internal LAN. For example, on my wired PC, I got:
[redacted].asuscomm.com refused to connect.

I can access the router via its internal IP address, but then I have to add an exception to go there because:
This server couldn't prove that it's 192.168.5.1; its security certificate is from [redacted].asuscomm.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Should I be able to access the router from inside my LAN using the [redacted].asuscomm.com? Or is this only used if I want to turn on access to the router when I'm outside the LAN? (I really don't think I want the latter.)

By the way, from a CMD prompt, I can ping [redacted].asuscomm.com and get replies from my WAN IP address.

 

[bluzfanmr1]

I want to resurrect this thread, please, because I'm still confused. I have external access to my router turned OFF, except through OpenVPN, on my Asus running Merlin 3004.388.4. I turned on HTTPS: only, configured Let's Encrypt, and set up DDNS. The main Asus Merlin "dashboard" shows my DDNS name.

I cannot access it via that name from any browser on my internal LAN. For example, on my wired PC, I got:
[redacted].asuscomm.com refused to connect.

I can access the router via its internal IP address, but then I have to add an exception to go there because:
This server couldn't prove that it's 192.168.5.1; its security certificate is from [redacted].asuscomm.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Should I be able to access the router from inside my LAN using the [redacted].asuscomm.com? Or is this only used if I want to turn on access to the router when I'm outside the LAN? (I really don't think I want the latter.)

By the way, from a CMD prompt, I can ping [redacted].asuscomm.com and get replies from my WAN IP address.

It's been a long time but I thought I had a similar issue and the solution was to add the following line in the "Custom Configuration" of your VPN Server setup, using your DDNS name for xxxx.xx.xx:

local xxxx.xx.xx

If I am mistaken in my memory of this and it doesn't work, I apologize.

 

[Ripshod]

I want to resurrect this thread, please, because I'm still confused. I have external access to my router turned OFF, except through OpenVPN, on my Asus running Merlin 3004.388.4. I turned on HTTPS: only, configured Let's Encrypt, and set up DDNS. The main Asus Merlin "dashboard" shows my DDNS name.

I cannot access it via that name from any browser on my internal LAN. For example, on my wired PC, I got:
[redacted].asuscomm.com refused to connect.

I can access the router via its internal IP address, but then I have to add an exception to go there because:
This server couldn't prove that it's 192.168.5.1; its security certificate is from [redacted].asuscomm.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Should I be able to access the router from inside my LAN using the [redacted].asuscomm.com? Or is this only used if I want to turn on access to the router when I'm outside the LAN? (I really don't think I want the latter.)

By the way, from a CMD prompt, I can ping [redacted].asuscomm.com and get replies from my WAN IP address.

It's normally only used for WAN access.
However, I said normally. If you go into your LAN settings you can set it thus (using your example):

Just like accessing from the WAN, LAN access is by using your DDNS domain. As the domain is correct your cert would work fine.

 

[BGood]

It's normally only used for WAN access.
However, I said normally. If you go into your LAN settings you can set it thus (using your example):

View attachment 56013

Just like accessing from the WAN, LAN access is by using your DDNS domain. As the domain is correct your cert would work fine.

Well, I gave this a try, but nothing changed, unfortunately:

Unable to connect

An error occurred during a connection to [redacted].asuscomm.com.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.