ASUS ROG AC-5300 Router Stuck on Updating even after Factory Reset

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fiercepierce.asuscomm.com

I ran this command: Chose Let’sEncrypt Certificate Option

It produced this output: Updating

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: asuscomm.com

I can login to a root shell on my machine (yes or no, or I don’t know): Maybe?

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Webpage of Router

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): No idea

Hi @Latiron

there are some checks of your domain, there you see the problem - https://check-your-website.server-daten.de/?q=fiercepierce.asuscomm.com

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://fiercepierce.asuscomm.com/ (69.5.206.66) | -14, Timeout - The operation has timed out | | 10.027 | T |
| https://fiercepierce.asuscomm.com/ (69.5.206.66) | -14, Timeout - The operation has timed out | | 10.014 | T |
| http://fiercepierce.asuscomm.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (69.5.206.66) | -14, Timeout - The operation has timed out | | 10.013 | T |

Your router doesn't answer, only timeouts. So you can't create a Letsencrypt certificate.

But there are no older Letsencrypt certificates with that domain name. So it's your first certificate.

PS: I don't use that router. But after a factory reset -> first update the Router OS. If not, you may use an outdated Letsencrypt client.

Sorry, I don’t understand. I see the reply you sent with the timeout listed, but what does the timeout have to do with this being a 1st certificate?

You need a running webserver. And your webserver must be visible.

Read some basics:

It’s your first certificate, so it’s not a certificate update. So your configuration may have general errors.

Hi @Latiron.

You have a working certificate at https://fiercepierce.asuscomm.com:8443/ (LetsEncrypt)

You also have a functional ftp server running on port 21 (not FTPS or SFTP) (Not Encrypted)
(ftp://fiercepierce.asuscomm.com at least asks for credentials)

However, your router is not configured to answer on ports 80 or 443.

Can you describe what you are trying to accomplish in more detail please?

Rip

1 Like

Ah, that's new. The check this morning - https://check-your-website.server-daten.de/?q=fiercepierce.asuscomm.com#portchecks

A self signed certificate was found:

CN=10.200.14.1, C=US | 01.09.2019 | 01.09.2029 | expires in 3653 days

There is an older thread here that might help secure the ftp port. Or at least motivate @Latiron to look into it. Ftp + le = ftps? .

I’m not an expert on the ASUS AC-5300 but I suspect FTPS can be achieved with some research.

Rip

Okay, maybe it’s just a lost in translation thing from you to me, but it’s not my router. This was working fine when I was with my other ISP and showed activated and good for 90 days like Let’sEncrypt states.

Then due to circumstances outside my control, being that my former ISP sucked and would never fix their issues, I switched to using my AT&T mobile hotspot which was NAT’d causing me to be double NAT’d, and left my DDNS off due to this. I recently got onto a new ISP, (living in the country here in Texas, USA, we have very limited choices unless we want to use Satellite service - Never gonna happen) and I was having to go round and round with ASUS just for them to release my DDNS name from the old ISP’s IP address I had. Was just recently that ASUS, asuscomm.com, finally got their act together and released the IP from the DDNS name I registered with them. So, everything was working normally as far as the DDNS name to IP address was concerned, but the Let’sEncrypt went into this Updating mode.

I had been waiting to hear back from my new ISP as to what ports they may or may not be blocking on my Static IP address. Come to find out, they were indeed actually blocking port 80.

All this has transpired since I created my initial post here. I’ve been in IT System Administration for over 25+ years, so I know a bit about what I am doing, but since I don’t control my ISP or how they configure or setup their issued IP addresses, I had to wait for an answer.

And thanks for the “rip”, Rip, on needing to be motivated to secure my FTP port or move to FTPS. I have been doing some testing, and between my router and this new ASUSTOR device, I have temporarily enabled Port 21 for FTP access between the two. But thanks for the encouragement to not leave open an unsecured port to the outside world. :wink:

So, with all this said and done, this post can be closed with the answer being the following for other folks having a similar issue in the future:

My new ISP was in fact blocking inbound traffic on Port 80. I got a notice from the owner of the ISP this morning that he updated my IP to allow inbound traffic on Port 80. So, once he enabled that, my router’s Let’sEncrypt changed from Updating to OK and I have my 90 certificate once again working.

So, I guess you could say my post was a bit overzealous and I should have had a bit more patience. But I’m in IT, so patience is always a bit lacking.

Thanks for the comments and for trying to look into my issue.

Lat

2 Likes

Ah, thanks for reporting back, that’s helpful.

So a Texas ISP normally blocks port 80. But it’s possible to open port 80, so Letsencrypt validation works.

Please don’t read too much into the Texas thing. You being from outside the US, I was just trying to make sure I included my location to help with the assist. And my ISP is a very small, local company who provides Internet service, mainly, to rural families. I actually worked with the owner of this ISP, when we were both working for IT departments at Texas A&M University, so I know he is security aware and wants to do the best by his customers, so opening any inbound traffic that is not necessary wouldn’t be in either’s best interest. But my Let’sEncrypt is back up and working, which is the important issue for me. And once I have finished my test, I will be doing my due diligence by disabling FTP on my router and closing port 21. Thanks again for the assistance.

Lat

1 Like

I’m having the same issue with the same router. I had to factory reset my router and now it’s stuck on “Updating”.

My domain is: joelviana.asuscomm.com

The firmware on the router is: 3.0.0.4.384_81099

This is showing up on the logs: http://txt.do/108o7

Any help would be much appreciated.

Can someone give me some insight into this?
I’ve checked and my port 80 is NOT blocked. What else can I check?

Hi @jmjviana

Such routers have their own ACME clients; these are “closed worlds”. So if an update doesn’t work, it’s nearly impossible to find an answer.

Your port 80 is open, /.well-known/acme-challenge/random-filename has the correct answer, http status 404 - Not Found - https://check-your-website.server-daten.de/?q=joelviana.asuscomm.com

You have the newest firmware.

So it may be a bug in that ASUS client.

Check, if there is an ASUS forum you can ask.
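
The two outcomes compared in this thread, a timeout on port 80 versus a 404 for a random challenge filename, can be told apart with a small probe. This is an added example, not part of the original posts; the function name, the default token and the verdict strings are assumptions.

```python
import http.client
import socket
import sys

# Path prefix quoted in the checks above; the token is an arbitrary test name.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def probe_http01(host, port=80, token="reachability-test", timeout=10.0):
    """Return (verdict, http_status) for a request to the challenge path.

    Run it from outside the network under test: a probe from the LAN side
    of the router says nothing about what the ISP filters inbound.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token)
        status = conn.getresponse().status
    except (socket.timeout, TimeoutError):
        # No answer at all: the pattern of the first check in this thread
        # (inbound port 80 filtered, or nothing listening behind the NAT).
        return ("timeout", None)
    except ConnectionRefusedError:
        # The host is reachable but no web server accepts on that port.
        return ("refused", None)
    except (OSError, http.client.HTTPException) as exc:
        # DNS failure, reset connection, malformed reply, and so on.
        return ("error: " + exc.__class__.__name__, None)
    finally:
        conn.close()
    # Any HTTP answer proves the port is open; 404 is the expected answer
    # for a token that no ACME client has placed there.
    return ("reachable", status)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <hostname>")
    verdict, status = probe_http01(sys.argv[1])
    print(sys.argv[1], verdict, status if status is not None else "")
```

A "reachable" verdict with the router still stuck on "Updating" points away from the ISP and toward the router's own ACME client, as suggested above.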

I had this exact same issue. Turned out that my ISP had port 80 incoming blocked. After I requested they open it, my updating status changed and I’m fully activated now.

But the port of joelviana.asuscomm.com answers, so the port isn't blocked.

And there is a change:

With some untypical effects - "post" doesn't work, "POST" is required. An old client may use the wrong verb.

Anything I could do on my end or is this something just ASUS can workout with new firmware? Is there a way I can manually do a certificate myself and import it to ASUS router instead? :thinking:
Thanks very much for your help so far! :slightly_smiling_face:

You can try another client on another machine.

Certbot has a certonly option, so you can create a certificate, but Certbot doesn't install it.

If the router has an upload option, you can use it.

And you can always use --manual and dns-validation. That's hard, but it should always work.

Read
