Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: lede.damnfbi.tk
I ran this command: acme.sh
It produced this output: created certificates normally
My web server is (include version): local router
The operating system my web server runs on is (include version): openWRT / LEDE
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): LuCI web panel with Acme.sh page is also available
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
So I've been a user of both LE and OpenWRT for about a decade now.
Something about setting it up on my home router has me stumped however.
In the past I've run acme.sh successfully to generate certificates for my router and uhttpd
but either I'm not understanding where to put those certificates after generation, or the authentication step isn't happening (possibly because I need to open up inbound ports to the router to allow acme.sh to communicate?), or some other oversight I'm missing.
It's been a while since I've tinkered with this. Currently I can access the router's web interface via https and even get a prompt for an SSL cert that is issued from LE, but I'm still getting an unsafe warning on it.
Any specific steps to follow for troubleshooting where I'm going wrong would be appreciated.
Thank you for your response, it will be useful for me to know about that cert check website.
And the domain name doesn't answer, so validation via http can't work.
I think this is the part that I'm hung up on understanding. What specifically do I need to do in order to validate via http? Do I need to kill (or reassign) the uhttpd to only host internally to my LAN and allow acme.sh to listen on port 80 externally so it can validate?
Is that done only once or does it need to be done every 3 months? Are there other methods that would achieve the same goal?
Port forwarding is to send to another internal device - so, no on that.
But I asked so that you would check to ensure there is no such setting.
Yes, the firewall should accept port 80 and something needs to be there to answer the request.
Yes, acme.sh can operate in --standalone mode and respond to those HTTP requests by itself (without requiring another web service).
Ah yes, of course! I'll need to open up port 80 in the router firewall to allow acme.sh to do its thing!
Thank you for this reminder.
Feels like I'm getting closer to solving this.
So it looks like others are using scripts to enable / disable the firewall at verification time and then disable the firewall rule.
Does Acme.sh support any OTHER verification methods?
Answering my own question here:
Webroot mode (possible but messy)
Standalone mode THIS
Standalone tls-alpn mode just the same but uses https
Apache mode nope
Nginx mode nope
DNS mode possible but can't auto-renew
DNS alias mode unsure
Stateless mode
Now I just need to figure out which one works best for a router setup; I prefer to open as few external ports as possible tbh.
After that I need to understand how to let the uhttpd instance know to use the correctly generated certificates and finally a way to renew them every 90 days.
You should not have to move certs around (bad idea).
Use them directly from their current location or symlink to them.
If you are only going to use acme.sh on port 80, you can leave that open all the time (nothing will answer).
/root/.acme.sh/acme.sh --list
Should show you a list of all the certs it's handling.
As for their location...
The default is: /root/.acme.sh/domain.name/
OR /root/.acme.sh/domain.name_ecc/ [for ECC certs]
If you installed acme.sh as an opkg package, OpenWrt has its own UCI layer and config folder over it, so it may not work like other acme.sh installs: cron runs on that layer, and normal acme.sh commands will not be renewed (as there is no cronjob for them).
opkg install acme
While it uses acme.sh as a backend, it has its own things on top of it (to use it for luci-app-acme), so you really shouldn't call acme.sh from the terminal.
Don't touch the acme.sh panel, but from the web page: enable / set domain name / use for uhttpd.
Use standalone as the validation method, as by default uhttpd doesn't attach to the WAN interface,
and open port 80 from the WAN side so LE can see the validation.
That's an old version, but maybe the additional parameters have a webroot / standalone option?
Or edit /etc/config/uhttpd so it listens on port 80 (and 443, as it will redirect to https automatically) and use webroot /www.
Or just run acme.sh like normal from /usr/lib/acme/acme.sh, but it will need all the configs (you need to create all those path parameters manually).
For both, check the firewall to open the right ports needed.
I've already generated certs in standalone mode, I ran acme.sh --upgrade which pulls the latest version from github.
I opened port 80 on the WAN interface and already modified /etc/config/uhttpd to redirect LAN http -> https, as well as moved the internal page interfaces to LAN accessible only (ipv4 and ipv6).
I'm using standalone mode not webroot, because I've moved everything else to LAN accessible only
You already have a crt, then where is it? The acme.sh script saves it in its own folder and installs it by acme.sh --install ...
luci-app-acme will install at a subfolder in the state dir (keep in mind it's a global parameter, so it will create a domainname subfolder).
And your uhttpd config is wrong for the cert and key path (// in the middle).
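An added check for the doubled-slash problem pointed out above (example code written for this thread, not posted by any participant and not part of acme.sh or luci-app-acme): it scans the `option cert` / `option key` lines of a uhttpd UCI config, flags paths containing `//`, and flags paths that do not exist on disk. The sample config and the `example.invalid` domain are constructed placeholders.

```sh
# Constructed sample modelled on /etc/config/uhttpd; the '//' in the cert
# and key paths reproduces the mistake discussed in the thread.
SAMPLE_CONFIG='config uhttpd main
	option listen_http 0.0.0.0:80
	option listen_https 0.0.0.0:443
	option redirect_https 1
	option cert /etc/acme/example.invalid//fullchain.cer
	option key /etc/acme//example.invalid/example.invalid.key
'

# normalize_path PATH: collapse any run of slashes into a single slash.
normalize_path() {
    printf '%s\n' "$1" | sed 's#//*#/#g'
}

# check_uhttpd_paths: read a uhttpd config on stdin and print one line per
# cert/key option as "<option> <normalized path> <ok|doubled-slash|missing>".
# Returns 1 if any option needs fixing, 0 otherwise.
check_uhttpd_paths() {
    status=0
    while read -r kw name value; do
        [ "$kw" = "option" ] || continue
        case "$name" in cert|key) ;; *) continue ;; esac
        value=$(printf '%s' "$value" | tr -d "'\"")   # UCI values may be quoted
        fixed=$(normalize_path "$value")
        if [ "$fixed" != "$value" ]; then
            printf '%s %s doubled-slash\n' "$name" "$fixed"
            status=1
        elif [ ! -f "$fixed" ]; then
            printf '%s %s missing\n' "$name" "$fixed"
            status=1
        else
            printf '%s %s ok\n' "$name" "$fixed"
        fi
    done
    return $status
}

# On a router you would feed the real file: check_uhttpd_paths < /etc/config/uhttpd
printf '%s' "$SAMPLE_CONFIG" | check_uhttpd_paths \
    || echo "uhttpd cert/key paths need fixing before restarting uhttpd"
```

A path that normalizes cleanly but is reported `missing` usually means acme.sh wrote the files somewhere else (see the `--list` output and the default `/root/.acme.sh/domain.name/` location mentioned earlier), so point the config at that location or symlink to it rather than copying.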