ASUS Router feature, Let's Encrypt

Hello:

Anyone have any idea why this won’t fly?

Using ASUS owned DDNS myname.asuscomm.com

Updated in ASUS88U with the Let’s Encrypt option with port 80 open.

GUI is stuck at “Updating”

Log: [{ “type”: “urn:acme:error:unauthorized”, “detail”: “Error creating new cert :: authorizations for these names not found or expired: myname.asuscomm.com”, “status”: 403 }]

Thank you,

Hi @Radon,

Can you share the real domain name in question?

You may have to open an issue with ASUS Support about this. It seems as though this could be indicative of a bug in their ACME Let’s Encrypt integration.

Thank you sir, radon64.asuscomm.com

Hi again @Radon,

Thanks for sharing your domain name.

I went and looked in our server-side logs to try and determine what the ASUS ACME client was doing. You should definitely open a support ticket with ASUS, there is a bug with their ACME client.

I went back to the earliest requests for your domain in our logs. Here is some information you can share with them from the first failure:

  • At 2018-01-29T19:42:28 the ASUS ACME client POSTed new-authz for the identifier radon64.assuscomm.com, getting back a pending authorization object.
  • At 2018-01-29T19:42:29 the ASUS ACME client POSTed the HTTP-01 challenge of the pending authorization, asking Let’s Encrypt to validate the authorization.
  • At 2018-01-29T19:42:34 before the validation attempt was completed, the ASUS ACME client POSTed new-cert, sending a CSR for radon64.assuscomm.com. Since the authorization for this domain wasn’t valid, the "Error":"authorizations for these names not found or expired: radon64.asuscomm.com" result is returned to the client
  • At 2018-01-29T19:42:39 the validation attempt from our side fails with a timeout error: "Error":"connection :: Fetching http://radon64.asuscomm.com/.well-known/acme-challenge/<token>: Timeout"

Since then the same pattern has repeated a few times: creating a new authz, starting the HTTP-01 challenge, asking for a cert before the authorization is valid and failing, and then the HTTP-01 challenge timing out.

Most recently all further attempts have been getting back: :["429 :: rateLimited :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"] because too many failures have occurred.

The fix for this problem will have to be provided on the ASUS side. They should not be trying to issue a certificate with new-cert until all required authorizations are valid.

Hope this helps!

3 Likes

Thank you so much! I have your reply copied and will open a ticket with ASUS.

1 Like

Ticket open with ASUS and elevated to engineers, “Your case number is N1801160243.”

Thank you again.
Radon

1 Like

Hello:

I have been working with ASUS but have repeating issues thus far. Honestly maybe it’s me as in the instructions is the one liner, “Apply Signed Certificate.” Is there something I can do with shell access, Putty, and WinACP? Sorry for being a bit on the green side with this.

There are lots of tools to get a certificate, but there’s no particular guarantee that they’ll work with your device, especially if it doesn’t allow you to either export a CSR or import a private key together with a certificate. @cpu’s analysis of the interaction between the existing software on your device and the CA really seems to suggest a bug in that software—which in theory ASUS ought to be able to diagnose and fix. :slight_smile:

2 Likes

Thank you, so far they have sent me the original instructions. Maybe they’ll get it or come up with a new firmware that fixes it. I know they have millions of customers.

Hi @Radon,

I’m sorry to hear that ASUS hasn’t been able to help with a solution yet. Thanks for posting back here with an update.

Hi guys
Same thing for me…
I just updating my firmware on my RT-AC3100 (3.0.0.4.384_20379)
but it is the same

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.