TLS/SSL certificates for a server
Transport Layer Security (TLS, formerly called SSL) is used to encrypt and protect communication.
When a web server uses the plain HTTP protocol, its address starts with http; when the same traffic is carried over encrypted TLS it is called HTTPS and the site address starts with https.
For every HTTPS site the web browser shows a lock icon in the address bar.
To enable HTTPS for a website's domain we need a private key and its TLS certificate signed by a Certificate Authority (CA).
The OpenWrt admin site LuCI supports HTTPS by default, so you can open it with httpS://192.168.1.1/. But its certificate is self-signed and not verified by a CA, so your browser will show a warning.
You can buy a TLS certificate, but nowadays the Let's Encrypt CA signs and verifies certificates for free through the ACME protocol, using a client program such as certbot. The only problem is that the certificate has a short validity period, so you have to configure certificate renewal.
There are a few ACME clients that automate certificate issuing:
- certbot is the official ACME client; it is feature-rich but too heavy for small OpenWrt routers.
- acme.sh is a small ACME client written as a shell script and has a LuCI app for configuration. This is the recommended client for OpenWrt.
- uacme is a lightweight ACME client written in plain C with minimal dependencies: libcurl and one of MbedTLS, OpenSSL or GnuTLS.
- Many others: see ACME Client Implementations.
If you have already taken care of certificate automation, see also Installing a publicly trusted certificate.
ACME.sh
See acme.sh
Self signed certs
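As an added example (not part of this wiki page and not OpenWrt's own scripts), the following POSIX shell functions create a self-signed key and certificate pair with the openssl command-line tool, test whether a certificate is self-signed (the condition behind the browser warning mentioned for LuCI above), and check whether a certificate is about to expire, which is the decision an ACME renewal cron job has to make. The host name router.lan, the output directory and the IP address are example values, and openssl-util must be installed on the router for this to run there.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page. Assumes the openssl command-line
# tool (OpenWrt package "openssl-util") is installed; the host name, output
# directory and IP address used below are example values.

# make_self_signed HOST OUTDIR [DAYS] [IP]
# Generates a private key and a self-signed certificate for HOST. A
# subjectAltName is included because browsers ignore the CN field and reject a
# certificate without SAN even when the name otherwise matches.
make_self_signed() {
    host=$1
    outdir=$2
    days=${3:-365}
    ip=${4:-192.168.1.1}
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
    # The private key must not be readable by other users on the router.
    chmod 600 "$outdir/$host.key"
}

# cert_is_self_signed CERTFILE
# Succeeds when the issuer equals the subject, which is exactly the case the
# browser warns about for the stock LuCI certificate.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# cert_expires_within CERTFILE DAYS
# Succeeds when the certificate expires (or has already expired) within DAYS.
# openssl's -checkend exits 0 while the certificate is still valid at that
# point in time, so the result is inverted here. Usable as a renewal trigger
# from a cron job.
cert_expires_within() {
    secs=$(( ${2:-30} * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Typical use on the router itself; uhttpd reads its certificate and key from
# the "cert" and "key" options of /etc/config/uhttpd (paths are example values):
#   make_self_signed router.lan /etc/ssl/private 365 192.168.1.1
#   uci set uhttpd.main.cert='/etc/ssl/private/router.lan.crt'
#   uci set uhttpd.main.key='/etc/ssl/private/router.lan.key'
#   uci commit uhttpd && /etc/init.d/uhttpd restart
#   cert_expires_within /etc/ssl/private/router.lan.crt 30 && echo "renew soon"
```

The expiry check uses openssl's own -checkend rather than parsing the notAfter date, because date parsing differs between GNU date and the BusyBox date shipped on OpenWrt.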
Own Certificate Authority with PKI
External services
You can use CloudFlare.com as a proxy that terminates TLS and forwards requests to your router over HTTP, or over HTTPS with a self-signed certificate. Some tunnels, like PageKite or localhost.run, work over HTTPS.