Do you like the security of using LuCi-SSL (or Luci-SSL-OpenSSL), but sick of the security warnings your browser gives you because of an invalid certificate?
With these instructions, you can generate your own self-signed certificate, which your browser will accept as valid.
One new headache was that, browsers usually only look at one key part of a self-signed certificate, the CN (common name). However, starting with Chrome version 58, it not only looks at the CN (common name) in the certificate, but also at the SAN (subject alt name or DNS name), which makes generating a certificate more complicated than before. You might have even had a certificate you made yourself, that worked until recently, stop working when Chrome 58 was released and most likely automatically updated and installed.
So, to get rid of the annoying “Warning, this is an insecure site, do you want to proceed?” warning messages, and other similar messages from other browsers, proceed with the following.
I know it looks long, but it's easy and goes fast. Should take about 10 minutes tops.
opkg update && opkg install openssl-util luci-app-uhttpd
/etc/ssl/myconfig.confwith the following content:
[req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no string_mask = utf8only [req_distinguished_name] O = OpenWrt OU = Home Router CN = LuCI WebAdmin [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = luci.openwrt IP.1 = 192.168.1.1
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -config myconfig.conf
This will create two files,
/etc/config/uhttpdis automatically backed up.
apt-get install libnss3-tools
mycert.crtfile or adjust the
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n LuCi -i mycert.crt
All the credit for the creation of this walk-through goes to @StarCMS who originally posted this in @Davidc502's thread. Minor changes and wiki formatting by @mariano.silva ( firstname.lastname@example.org )