RT-AC68U router with Merlin certificate invalid

bradetter · April 26, 2023, 3:37pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
workgroup=KJEBDE
DDNS=bbkehome.asuscomm.com (verified with nslookup)

I ran this command:
Asus RT-AC68U Merlin firmware generated the Let's Encrypt certificate for use with above DDNS

It produced this output:
router generated certificate and key just fine, with no errors.
Firefox gave SSL_ERROR_BAD_CERT_DOMAIN when trying to connect to the router (after I imported the above certificate)

My web server is (include version):
Firefox 112.0.2 (64-bit)

The operating system my web server runs on is (include version):
Windows 7 Home Premium (same results on a Windows 10 laptop)

My hosting provider, if applicable, is:
Asus RT-AC68U with Merlin firmware #: 386.10

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Using Windows certmgr for the laptop

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not listed

MikeMcQ · April 26, 2023, 3:52pm

Welcome @bradetter

When did you generate the cert? Because I don't see it in the public logs (link here)

Sometimes there may be a lag of up to 24H so if recent it may not be there.

But, I don't see that domain name in the public DNS either. You said you see it in nslookup but I do not using your authoritive DNS server

nslookup bbkehome.asuscomm.com ns1.asuscomm.com
Server:         ns1.asuscomm.com
Address:        52.250.42.40#53

** server can't find bbkehome.asuscomm.com: NXDOMAIN

Osiris · April 26, 2023, 4:41pm

I concur with Mikes findings: the subdomain does not exist in the nameservers of asuscomm.com.

Also, why would you import a certificate into your Firefox? For publicly trusted certificates such as from Let's Encrypt that would not be necessary. Your router might have generated a cert from some kind of self-signed certificate, routers tend to do that.

rg305 · April 26, 2023, 5:41pm

Please show the complete nslookup request and output.

Imported it into what/where?
Please show the public cert that was imported.

system · May 26, 2023, 5:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.