Failing to understand acme.sh for OpenWRT / LEDE

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lede.damnfbi.tk

I ran this command: acme.sh

It produced this output: created certificates normally

My web server is (include version): local router

The operating system my web server runs on is (include version): openWRT / LEDE

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): LuCI web panel with Acme.sh page is also available

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): v2.8.8

So I've been a user of both LE and OpenWRT for about a decade now.
Something about setting it up on my home router has me stumped however.
In the past I've run acme.sh successfully to generate certificates for my router and uhttpd, but either I'm not understanding where to put those certificates after generation, or the authentication step isn't happening (possibly because I need to open up inbound ports to the router to allow acme.sh to communicate?), or some other oversight I'm missing.

It's been a while since I've tinkered with this; currently I can access the router's web interface via https and even get a prompt for an SSL cert that is issued from LE, but I'm still getting an unsafe warning on it.

Any specific steps to follow for troubleshooting where I'm going wrong would be appreciated.

Hi @Loki

Checking that domain name - there is no new certificate - see https://crt.sh/?q=lede.damnfbi.tk

Only one from 2019-12-22, already expired.

So you didn't create a certificate.

And the domain name doesn't answer, so validation via http can't work.

There is a second certificate - mail.damnfbi.tk - https://crt.sh/?id=3477052876 - created 2020-10-07.

Difficult to say clearly from where I'm sitting...
But does the router port forward 80?
Is there a firewall that needs to be opened?

Thank you for your response, it will be useful for me to know about that cert check website.

And the domain name doesn't answer, so validation via http can't work.

I think this is the part that I'm hung up on understanding. What specifically do I need to do in order to validate via http? Do I need to kill (or reassign) the uhttpd to only host internally to my LAN and allow acme.sh to listen on port 80 externally so it can validate?

Is that done only once or does it need to be done every 3 months? Are there other methods that would achieve the same goal?

Should I be port forwarding or just allowing acme.sh to listen on port 80 of the router?

Port forwarding is to send to another internal device - so, no on that.
But I asked so that you would check to ensure there is no such setting.

Yes, the firewall should accept port 80 and something needs to be there to answer the request.
Yes, acme.sh can operate in --standalone mode and respond to those HTTP requests by itself (without requiring another web service).

Ah yes of course! I'll need to open up port 80 in the router firewall to allow acme.sh to do its thing!

Thank you for this reminder.

Feels like I'm getting closer to solving this.

So it looks like others are using scripts to enable / disable the firewall at verification time and then disable the firewall rule.

Does Acme.sh support any OTHER verification methods?
Answering my own question here:

  • Webroot mode (possible but messy)
  • Standalone mode THIS
  • Standalone tls-alpn mode just the same but uses https
  • Apache mode nope
  • Nginx mode nope
  • DNS mode possible but can't auto-renew
  • DNS alias mode unsure
  • Stateless mode

Now I just need to figure out which one works best for a router setup; I prefer to open as few external ports as possible tbh.

After that I need to understand how to let the uhttpd instance know to use the correctly generated certificates and finally a way to renew them every 90 days.


So I seem to have generated a cert now but it's still coming up invalid when I attempt to login to my router's web interface.

Any idea if I need to move the cert internally to a location?

You should not have to move certs around (bad idea).
Use them directly from their current location or symlink to them.
If you are only going to use acme.sh on port 80, you can leave that open all the time (nothing will answer).

/root/.acme.sh/acme.sh --list
Should show you a list of all the certs it's handling.
As for their location...
The default is:
/root/.acme.sh/domain.name/
OR
/root/.acme.sh/domain.name_ecc/ [for ECC certs]

If you installed acme.sh as an opkg package, OpenWrt has its own UCI layer and config folder over it; it may not work like other acme.sh installs, as cron runs on that layer and normal acme.sh commands will not be renewed (as there is no cronjob for it).


Sorry, I'm not understanding your answer. Can you explain what I'd need to change?

Which way did you install acme.sh on your router?

  1. wget or curled from github
  2. opkg install acme
    While 2 uses acme.sh as a backend, it has its own things on top of it (to use it for luci-app-acme), so you really shouldn't call acme.sh from the terminal.

Ah yes, I installed via opkg and also have luci-app-acme, so what should I do to fix it?

Don't touch the acme.sh panel, but from the webpage, enable / set domain name / use for uhttpd.
Use standalone as the validation method, as by default uhttpd doesn't attach on the WAN interface,
and open port 80 from the WAN side so LE can see the validation.


So I've done most of that already; should I uncheck the box that says "use for uhttpd"?

That's an old version, but maybe the additional parameters have a webroot/standalone option?
Or edit /etc/config/uhttpd so it listens on port 80 (and 443, as it will redirect to https automatically) and use webroot /www.

Or just run acme.sh like normal from /usr/lib/acme/acme.sh, but it will need all the configs (you need to create all those path parameters manually).

For both, check the firewall to open the right ports needed.

I've already generated certs in standalone mode, I ran acme.sh --upgrade which pulls the latest version from github.

I opened port 80 on the WAN interface and already modified /etc/config/uhttpd to redirect LAN http -> https as well as move internal page interfaces to LAN accessible only (ipv4 and ipv6).

I'm using standalone mode not webroot, because I've moved everything else to LAN accessible only

What other parameters do you mean?

You already have the crt, then where is it? The acme.sh script saves it in its own folder and installs it by acme.sh --install ...
luci-app-acme will install it in a subfolder in the state dir (keep in mind it's a global parameter, so it will create a domainname subfolder),
and your uhttpd config is wrong for the cert and key path (// in the middle).
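As an added example (not posted by anyone in this thread), a small POSIX shell check for the `option cert` / `option key` paths in an OpenWrt `/etc/config/uhttpd`, catching the `//` mistake pointed out above and paths that do not exist on disk. The sample config and the certificate directory it points at are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check cert/key paths in an OpenWrt uhttpd UCI config.

# Print the value of "option <name> '<value>'" from a UCI file (first match,
# paths without spaces assumed).
uci_option() {  # $1 = config file, $2 = option name
    awk -v name="$2" -v q="'" \
        '$1 == "option" && $2 == name { v = $3; gsub(q, "", v); print v; exit }' "$1"
}

# Report on one path: unset, contains "//", or does not exist -> return 1.
check_path() {  # $1 = label, $2 = path
    case "$2" in
        "")   echo "$1: not set in config"; return 1 ;;
        *//*) echo "$1: contains '//' -> $2"; return 1 ;;
    esac
    [ -f "$2" ] || { echo "$1: file does not exist -> $2"; return 1; }
    echo "$1: ok -> $2"
}

# Check both cert and key; return 0 only if both are usable.
check_uhttpd_certs() {  # $1 = uhttpd config file
    status=0
    check_path cert "$(uci_option "$1" cert)" || status=1
    check_path key  "$(uci_option "$1" key)"  || status=1
    return $status
}

# Constructed sample: a fake cert directory and a config with the "//" typo.
TMP_DIR=$(mktemp -d)
TMP_CFG=$(mktemp)
touch "$TMP_DIR/fullchain.cer" "$TMP_DIR/example.key"
cat > "$TMP_CFG" <<EOF
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_https '0.0.0.0:443'
    option cert '$TMP_DIR//fullchain.cer'
    option key '$TMP_DIR/example.key'
EOF

if check_uhttpd_certs "$TMP_CFG"; then
    echo "uhttpd cert config looks fine"
else
    echo "fix the paths above, then: /etc/init.d/uhttpd restart"
fi
```

On a router, run it against the real file (`check_uhttpd_certs /etc/config/uhttpd`) after acme.sh or luci-app-acme has written the certificate.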

Why not check the "Use Staging Server" box - while you PLAY with this?