How to: LetsEncrypt HTTPS on OpenWRT with uhttpd
My old router, a TP-Link WRN740N, hosts my homepage stokito.name, and it's too small to run the full LetsEncrypt certbot installer and OpenSSL. So if you want to enable HTTPS you have to run certbot on some other machine and then upload the result to the router.
Here I would like to show how I did that.
Manual installation
The first step is a manual installation of the certs from my laptop, renewing them after 3 months. Actually this can be automated too, later.
Now, let's generate certs for your domain:
$ sudo certbot certonly --manual --preferred-challenges http
Answer all the questions and it will ask you to upload a file to your router:
-------------------------------------------------------------------------------
Create a file containing just this data:

1Fyw2Q3IARaG0G6RVUJS587HG_Ou6pKpBLZC-_KuC8g.OKKBaAC2SgfXHQyvgKrLkn3zyCNH82xHgKsMg9OQQJE

And make it available on your web server at this URL:

http://www.stokito.name/.well-known/acme-challenge/1Fyw2Q3IARaG0G6RVUJS587HG_Ou6pKpBLZC-_KuC8g
-------------------------------------------------------------------------------
Press Enter to Continue
You need to create the folder on the router, under the web root /www that uhttpd serves:
# mkdir -p /www/.well-known/acme-challenge
Then create the file and upload it via SCP from your computer to the router:
$ echo "1Fyw2Q3IARaG0G6RVUJS587HG_Ou6pKpBLZC-_KeC4g.OKKBaAC2SgfXHQyvgKrLkn3zyCNH82xHgKsMg9OQQJE" > 1Fyw2Q3IARaG0G6RVUJS587HG_Ou6pKpBLZC-_KeC4g
$ scp ./1Fyw2Q3IARaG0G6RVUJS587HG_Ou6pKpBLZC-_KeC4g root@192.168.1.1:/www/.well-known/acme-challenge/1Fyw2Q3IARaG0G6RVUJS587HG_Ou6pKpBLZC-_KeC4g
BTW, there is no analogue of WinSCP for Linux, but you can try running it under Wine.
Then go back to certbot and press Enter. It will check that the file is in place and accessible from the web.
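Before pressing Enter it is worth checking the staged file locally, because certbot only tells you "challenge failed" when the token or its content is off by a character. The following is an added example, not part of the original post: it writes the challenge file into a local copy of the web root and verifies it against the two values certbot printed. The check relies on the ACME rule that the key authorization is the token, a dot, and the account key thumbprint, so a typo in either value is caught before the upload. WEBROOT, TOKEN and KEYAUTH are assumed names; the values at the bottom are constructed, not the ones certbot printed above.

```shell
#!/bin/sh
# Added example: stage and verify an HTTP-01 challenge file before uploading it.
# Assumes: WEBROOT is a local directory that will be copied to /www on the
# router; TOKEN and KEYAUTH are the two strings certbot printed.
set -eu

# Write the key authorization into <webroot>/.well-known/acme-challenge/<token>.
place_challenge() {
    webroot=$1; token=$2; keyauth=$3
    mkdir -p "$webroot/.well-known/acme-challenge"
    # printf, not echo: no trailing newline and no backslash interpretation
    printf '%s' "$keyauth" > "$webroot/.well-known/acme-challenge/$token"
}

# Return 0 when the staged file is consistent with what certbot asked for.
check_challenge() {
    webroot=$1; token=$2; keyauth=$3
    file="$webroot/.well-known/acme-challenge/$token"
    # 1. ACME tokens are base64url: letters, digits, '-' and '_' only
    case "$token" in
        ""|*[!A-Za-z0-9_-]*) echo "bad token syntax" >&2; return 1 ;;
    esac
    # 2. key authorization = "<token>.<thumbprint>", so it must start with the token
    case "$keyauth" in
        "$token".*) ;;
        *) echo "key authorization does not start with the token" >&2; return 1 ;;
    esac
    # 3. the file must exist and contain exactly the key authorization, nothing else
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    [ "$(cat "$file")" = "$keyauth" ] || { echo "content mismatch in $file" >&2; return 1; }
    return 0
}

# Demo with constructed values (replace them with what certbot printed):
demo_dir=$(mktemp -d)
demo_token="constructedToken_123"
demo_keyauth="constructedToken_123.constructedThumbprint"
place_challenge "$demo_dir" "$demo_token" "$demo_keyauth"
check_challenge "$demo_dir" "$demo_token" "$demo_keyauth" \
    && echo "challenge staged under $demo_dir/.well-known/acme-challenge/"
# Then copy the whole tree to the router's web root, e.g.
#   scp -r "$demo_dir/.well-known" root@192.168.1.1:/www/
rm -rf "$demo_dir"
```

The same check can be repeated against the router after the upload by fetching the URL certbot printed with curl and comparing the body to the key authorization; that confirms uhttpd serves the dot-directory at all, which is the other common reason the challenge fails.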
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/stokito.name/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/stokito.name/privkey.pem
  Your cert will expire on 2018-01-13. To obtain a new or tweaked version
  of this certificate in the future, simply run certbot again.
It generated two files: privkey.pem and fullchain.pem (which is not a public key!).
Finally, you need to convert the private key and the certificate from the ASCII-armored PEM format to the more economical binary DER format used by uhttpd:
$ openssl rsa -in privkey.pem -outform DER -out uhttpd.key
$ openssl x509 -in fullchain.pem -outform DER -out uhttpd.crt
Upload them to the router:
$ scp uhttpd.crt root@192.168.1.1:/etc/uhttpd.crt
$ scp uhttpd.key root@192.168.1.1:/etc/uhttpd.key
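Two things are easy to get wrong at this step: uploading a key that does not belong to the certificate (uhttpd then fails to start the TLS listener), and not noticing that openssl x509 converts only the first certificate in fullchain.pem, so the DER file holds the leaf alone and the intermediate is dropped. The script below is an added example, not part of the original post: it performs the same two conversions and refuses to produce output unless the DER key and DER certificate carry the same public key and the certificate is not about to expire. It assumes openssl is installed on the laptop and that the key is RSA, as in the commands above (for an EC key, openssl ec replaces openssl rsa); the file names and the usage line are assumptions, and the seven-day expiry margin is an arbitrary choice.

```shell
#!/bin/sh
# Added example: convert certbot's PEM files to DER for uhttpd and verify them.
# Assumes: openssl on the laptop; an RSA private key (certbot's default when the
# post was written); inputs privkey.pem/fullchain.pem, outputs uhttpd.key/uhttpd.crt.
set -eu

# Count certificates in a PEM bundle; shows what the DER conversion drops.
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Convert key and certificate; return 0 only if the outputs belong together.
convert_and_verify() {
    key_pem=$1; chain_pem=$2; out_key=$3; out_crt=$4
    # certbot writes PKCS#8 ("BEGIN PRIVATE KEY"); openssl rsa reads that as well
    openssl rsa -in "$key_pem" -outform DER -out "$out_key" 2>/dev/null
    # openssl x509 reads only the FIRST certificate of the bundle, i.e. the leaf;
    # the intermediate(s) in fullchain.pem do not end up in uhttpd.crt
    openssl x509 -in "$chain_pem" -outform DER -out "$out_crt"
    # 1. the DER key and the DER certificate must carry the same public key
    key_pub=$(openssl rsa -in "$out_key" -inform DER -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$out_crt" -inform DER -noout -pubkey)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    # 2. refuse a certificate that expires within 7 days (604800 seconds)
    openssl x509 -in "$out_crt" -inform DER -noout -checkend 604800 >/dev/null \
        || { echo "certificate expires within 7 days, renew first" >&2; return 1; }
    # 3. the converted private key should not be readable by other local users
    chmod 600 "$out_key"
    echo "ok: $(count_pem_certs "$chain_pem") cert(s) in bundle, leaf written to $out_crt"
    return 0
}

# Usage on the laptop, in the directory holding certbot's copies of the files:
#   convert_and_verify privkey.pem fullchain.pem uhttpd.key uhttpd.crt \
#       && scp uhttpd.crt uhttpd.key root@192.168.1.1:/etc/
```

Running the check on the laptop rather than on the router keeps the full OpenSSL out of the router's tiny flash, which is the whole reason for the detour in this post.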
On the router you need to install uhttpd-mod-tls:
# opkg update
# opkg install uhttpd-mod-tls
Edit /etc/config/uhttpd as described in the docs, i.e. like this:
config uhttpd 'stokito.name'
    list listen_http '31.172.137.103:80'
    list listen_https '31.172.137.103:443'
    option redirect_https '1'
    option home '/www'
    option rfc1918_filter '0'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'
Here 31.172.137.103 is my public static IP.
Note that port 443 should be opened in /etc/config/firewall:
config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option name 'HTTPS'
Then restart the firewall and uhttpd server:
# /etc/init.d/firewall restart
# /etc/init.d/uhttpd restart
Now try your site in a browser. But please check your site again later: I noticed that uhttpd was down once, and after a restart it worked well.
Renewing cert
… So 3 months passed, my cert expired and I needed to renew it. It's funny that today is Old New Year and from the window I can hear a concert on my street.
This time I decided not to use manual mode but standalone mode instead: certbot starts its own HTTPS server on port 443, so I need to shut down the web server on my router and forward port 443 from the router to my laptop.
So let's do that:
1. Connect to the router and stop the uhttpd service:
$ ssh root@192.168.1.1
# /etc/init.d/uhttpd stop
2. Enable port 443 forwarding. Download the firewall config from the router:
$ scp root@192.168.1.1:/etc/config/firewall ./
3. Edit it and comment out the current rule for port 443. If you used the one I mentioned before, then:
# temporarily comment out the rule
#config rule
#    option target 'ACCEPT'
#    option src 'wan'
#    option proto 'tcp'
#    option dest_port '443'
#    option name 'HTTPS'
Then add an HTTPS forwarding rule:
config 'redirect'
    option 'name' 'HTTPS_to_laptop'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_dport' '443'
    option 'dest_ip' '192.168.1.144'
    option 'dest_port' '443'
    option 'target' 'DNAT'
    option 'dest' 'lan'
where 192.168.1.144 is the IP of your laptop. Run ifconfig to see it.
4. Upload the new firewall config to the router:
$ scp ./firewall root@192.168.1.1:/etc/config/
5. Now restart the firewall service on the router:
# /etc/init.d/firewall restart
6. Now your laptop's port 443 is exposed to the world. So let's run certbot:
$ sudo certbot certonly --standalone --preferred-challenges tls-sni --cert-name=stokito.name
7. Then convert the key and certificate to DER format and upload them to the router as described above. Then disable the forwarding firewall rule, restore the previous one, and restart the firewall and uhttpd.
Now your certs are renewed.
gFTP?
It doesn't support SCP either.