Certificate not updating anymore Asus Router

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
brutus.asuscomm.com

Product:
Asus RT-AC68U

I ran this command:
After enabling the DDNS option with “Free Certificate from Let’s Encrypt”

Syslog output:
Oct 8 11:50:00 crond[238]: USER admin pid 1204 cmd service restart_letsencrypt
Oct 8 11:50:00 rc_service: service 1205:notify_rc restart_letsencrypt
Oct 8 11:50:11 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 8 11:50:11 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad comm
Oct 8 11:50:11 kernel: /usr/sbin/acme-client: transfer buffer: [{ “_lmxCBKOwzw”: “Adding random entries to the directory”, “key-change”: “https://acme-v01.api.letsencrypt.org/acme/key-change”, “meta”: { “caaIdentities”: [ “letsencrypt.org” ], “terms-of-service”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”, “website”: “https://letsencrypt.org” }, “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”, “new-cert”: "https://acme
Oct 8 11:50:20 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 8 11:50:20 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad comm
Oct 8 11:50:20 kernel: /usr/sbin/acme-client: transfer buffer: [{ “_lmxCBKOwzw”: “Adding random entries to the directory”, “key-change”: “https://acme-v01.api.letsencrypt.org/acme/key-change”, “meta”: { “caaIdentities”: [ “letsencrypt.org” ], “terms-of-service”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”, “website”: “https://letsencrypt.org” }, “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”, “new-cert”: "https://acme
Oct 8 11:59:00 crond[238]: USER admin pid 1535 cmd service restart_letsencrypt

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
I can SSH to the router

The router status for Server Certificate:
Status: updating
issued to: 192.168.1.1
issued by: 192.168.1.1
Expires on: 2029/10/8

It has worked for 6 months now, but the 3rd renewal doesn’t work.
I already removed the expired certificate from the router.

Followed all the steps from this manual:
Manual Asus

Greetings.

1 Like

Hi @Brutus

If you have such an error (“bad comm”), it looks like an internal problem of that Letsencrypt client. Isn’t there an update?

Oh, wait: new-reg - new registration. ACME v1 is deprecated and may no longer be supported.

Yep, read

We will be beginning brown-outs for new ACME v1 registrations for the production environment for the following dates of this year:

  • October 10th to October 11th
  • October 16th to October 18th
  • October 31st onward

We will be permanently disabling new ACME v1 registrations in the production environment on October 31st .

So you may create a new account in the next days. But later you need an update.

But that’s wrong, because today isn’t the 10.10.

But “new-reg” + bad command is an internal problem of your client.

And your port 80 doesn’t answer.

2 Likes
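An added example (not from this thread, ASUS or the Merlin project) that does the check the reply above makes by eye: it scans router syslog lines for acme-client “bad comm” failures and tells from the logged directory keys whether the client is still speaking ACME v1. The sample log text is constructed after the excerpt in the first post, including the truncated “transfer buffer” line.

```python
import re

# Constructed syslog excerpt modelled on the lines posted in the first post;
# the directory JSON is shortened to the keys that decide the ACME version.
SAMPLE_SYSLOG = """\
Oct 8 11:50:00 crond[238]: USER admin pid 1204 cmd service restart_letsencrypt
Oct 8 11:50:11 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 8 11:50:11 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad comm
Oct 8 11:50:11 kernel: /usr/sbin/acme-client: transfer buffer: [{ “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”, “new-cert”: "https://acme
Oct 8 11:50:20 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad comm
"""

# Directory keys that exist in only one protocol version (v2 names per RFC 8555).
V1_KEYS = {"new-reg", "new-authz", "new-cert"}
V2_KEYS = {"newAccount", "newNonce", "newOrder"}

BAD_COMM_RE = re.compile(r"acme-client: (https?://\S+?): bad comm")
BUFFER_RE = re.compile(r"acme-client: transfer buffer: (.*)$")
KEY_RE = re.compile(r'"([A-Za-z-]+)"\s*:')


def _straighten(line):
    # Forum and chat pastes turn ASCII quotes into curly ones; undo that first.
    return line.replace("\u201c", '"').replace("\u201d", '"')


def analyze_acme_syslog(text):
    failed, keys = [], set()
    for line in text.splitlines():
        line = _straighten(line)
        m = BAD_COMM_RE.search(line)
        if m:
            failed.append(m.group(1))
        m = BUFFER_RE.search(line)
        if m:
            # The logger truncates the buffer, so collect keys with a regex
            # rather than json.loads(), which would fail on the cut-off JSON.
            keys.update(KEY_RE.findall(m.group(1)))
    if keys & V2_KEYS:
        version = "v2"
    elif keys & V1_KEYS:
        version = "v1"
    else:
        version = "unknown"
    return {
        "failed_endpoints": failed,
        "directory_version": version,
        # Any acme-v01 endpoint means the client still uses the retired v1 API.
        "uses_v1_endpoint": any("acme-v01" in u for u in failed),
    }


if __name__ == "__main__":
    print(analyze_acme_syslog(SAMPLE_SYSLOG))
```

Run it over the real syslog (`cat /tmp/syslog.log | python3 check.py` after swapping the constant for `sys.stdin.read()`) to confirm a firmware update actually moved the client to a v2 directory.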

Okay… Thank you, then I’ll need to contact Asus.
I already installed the latest firmware update today. I can’t do anything else because it’s built into the router firmware.

4 Likes

Yes, that’s the problem. Other users use their own client and have configuration errors. But such an integrated solution … if there is a “bad command” creating a new reg, nobody knows what that client is doing.

1 Like

Conclusion

So, to conclude, the ASUS router with the Letsencrypt option is not valid any more. Close the router from secure operation from the internet! Choose between LAN-only operation or insecure WAN operation of the administrative interface.
Sadly, I don’t know how to delete the insecure Letsencrypt certificate, expiring in ten years, which the router has replaced the earlier 90-day certificates with. I have access with WinSCP/SSH but can’t change the permissions from read-only…

1 Like

It sounds like a lot of people will be having trouble with this issue. It would be helpful to contact ASUS to make sure that they’re aware of it and have a plan to address it (hopefully via a new firmware release).

Alternatively, it might be worth investigating whether any third-party router firmware can run on these devices, if ASUS doesn’t want to make an update available with a client that supports ACMEv2. There is some really nice third-party router firmware out there, although its hardware support can be very specific.

2 Likes

I have a third party firmware already (Asus-Merlin), good until Acme became v2. So I suppose it is the same problem as in original Asus-firmware…

Two possible ways for me: close down WAN admin in Asus 3200 or, in a couple of months, buy the Asus AX88U which has more recent firmware updates (Asus-Merlin).

ASUS is well aware that their firmware needs an update to ACME v2. I personally sent them a message (including a link to this page) via their Twitter, and they responded that they have forwarded it to their developers. The author of ASUS-Merlin has also confirmed that they’re aware of it. Why it’s taking them so long to update to v2 makes no real sense, since they have a team of developers working on it. I think they’re just slacking IMHO.

This slow development time is something to keep in the back of your minds when deciding on which routers to buy in the future.

I am having exactly the same problem on an Asus 68U running the latest version of Merlin. I suspect the ACME 1 v 2 issue is beyond Merlin’s capabilities. The workaround unfortunately - from a LetsEncrypt position - is to install ‘pixelserv-tls’, which can issue its own certificate that will allow HTTPS status. This will need the use of a dedicated USB stick and is probably easiest done using either the Entware or Diversions package.

2 Likes

I had this problem this morning with my AC66U_B1. For some reason my ASUS iPhone app didn’t complain about the problem, but it did notify me that a firmware update is available to address Let’s Encrypt problems. I updated the firmware and all is now well.

2 Likes

Hello, I am now testing ASUSWRT-Merlin v384.14 Beta 2 and I can confirm that ACME v2 is now in place on my ASUS AC88U and my Let’s Encrypt certificate has been renewed. Still my websites hosted behind NAT show a valid certificate with the green lock on the HTTPS, but my ASUS web interface shows the “NOT SECURE” warning, stating the certificate is not valid, although it is valid through 3/3/2020 and when clicking on it, it says it is OK.

Hi @elfhelmp

thanks for sharing this info.

Perhaps your router needs a reboot to use the new certificate.