ASUSWRT renew not working

Hello,

I have an ASUS router with firmware version 3.0.0.4.386_42643. I had issued a Let's Encrypt certificate in the past, but I haven't used it in the last 3-4 years due to some difficulties using the ISP router in bridge mode. The option to use a Let's Encrypt certificate was disabled. Now I have figured it out, and my router's WAN address is assigned a valid internet dynamic IP address (using No-IP as DDNS).
I tried to issue a new certificate by selecting the option for LE and hitting apply. But all it does is show the information for the expired certificate (see below).
Status: Active
Issued to: xxxx.xxxxxx.xxx
Issued by : Let's Encrypt
Expires on : 2020/10/18

I did some research and you have a document/post stating that we should keep port 80 open, and it seems port 443 too. But this router doesn't allow external access with HTTP, so I can't change it, and for HTTPS it requires a port number in a higher range, so it isn't possible to have 443 open either. I suspect this might be what's blocking the certificate renewal.
In any case, since it is supported by the router, I expected that it would work with any port assigned within the range they restrict.

Even if I use one of the suggested methods/applications to manually issue a new certificate, I guess it won't work because LE would try to connect to port 443 (is this statement correct?), and my router doesn't accept it, nor do I have a web server on my PC on my LAN.

Please, advise how to renew my certificate.

Thank you,
Paulo


Welcome @siqueira

I think your question would be better asked at an Asus router support forum. Asus and other users of that router know how it should work better than we would.

But, if you have not seen them yet, these doc sections for Let's Encrypt should help you better understand how it should work. The first two topics here are a good start.

And this section talks more about how the challenges work with the ports.


If your router isn't publicly reachable on port 80 (for challenge http-01) or 443 (for challenge tls-alpn-01) then you need to use the dns-01 challenge (I doubt it will work on no-ip).

There is a reason why low-numbered/default ports are required: it's to verify that you actually control the machine responding to the requests. Any user could host stuff on port 23456; only root, or root-allowed, can do so on 80 and 443.

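To make the port point above concrete, here is an added example (not code from this thread, from Let's Encrypt, or from Asus) that implements the validation-side arithmetic of the ACME challenges named in the reply: the RFC 7638 account-key thumbprint, the http-01 key authorization the CA expects to fetch over port 80, the dns-01 TXT value, and a helper that lists which challenge types are even possible given what a router exposes. The account JWK is a constructed placeholder, not a real key; `feasible_challenges` and the other function names are this example's own, and everything runs on the Python standard library.

```python
import base64
import hashlib
import json

# Constructed placeholder standing in for an ACME account public key (RSA JWK).
# The modulus "n" is made up for this example; it is not a usable key.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbgBHod5E3a",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def http01_key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_validation_url(domain: str, token: str) -> str:
    """RFC 8555 §8.3: the CA fetches this over plain HTTP, i.e. TCP port 80.
    There is no way to tell the CA to use another port, which is the
    reason a router that only opens a high port cannot pass http-01."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def http01_response_is_valid(served_body: bytes, token: str, account_jwk: dict) -> bool:
    """What the CA checks: body equals the key authorization, trailing whitespace ignored."""
    expected = http01_key_authorization(token, account_jwk).encode("ascii")
    return served_body.rstrip() == expected


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.4: TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(keyAuthorization)). No inbound port is needed at all."""
    key_auth = http01_key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())


def feasible_challenges(reachable_ports: set, can_publish_dns_txt: bool) -> list:
    """Which ACME challenge types a host can complete, given what is reachable.
    http-01 needs TCP/80, tls-alpn-01 needs TCP/443 (RFC 8737), dns-01 needs
    the ability to publish a TXT record for the name being validated."""
    options = []
    if 80 in reachable_ports:
        options.append("http-01")
    if 443 in reachable_ports:
        options.append("tls-alpn-01")
    if can_publish_dns_txt:
        options.append("dns-01")
    return options


if __name__ == "__main__":
    token = "constructed-token-value"          # constructed; a real CA issues a random token
    print("thumbprint :", jwk_thumbprint(EXAMPLE_ACCOUNT_JWK))
    print("http-01 URL:", http01_validation_url("router.example.net", token))
    print("http-01 body:", http01_key_authorization(token, EXAMPLE_ACCOUNT_JWK))
    print("dns-01 TXT  :", dns01_txt_value(token, EXAMPLE_ACCOUNT_JWK))
    # The situation in the thread: only a high HTTPS port is forwarded, DDNS is No-IP.
    print("router with only 8443 open:", feasible_challenges({8443}, False))
```

Run stand-alone it prints the values a CA would look for; the last line shows why a router that exposes only a high port ends up with no usable challenge, and that opening nothing inbound is fine as soon as TXT records can be published for the name.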

It makes sense. I wonder why Asus created this automatic LE certificate process when they know that ports 80/443 are required, and at the same time don't allow these ports to be used.

I'll keep investigating.

Thanks


MikeMcQ,

Thanks for the indication. I'm reading the docs. Based on your answer and 9peppe's, I really should ask this on the Asus forum. If I get any clues or solve the issues, I'll post them here.

Thanks.
