TLS/SSL certificates for a server

Transport_Layer_Security (TLS, formerly called SSL) is used to encrypt and protect communication. When a webserver works with regular HTTP protocol i.e. its address starts with http but over the encrypted TLS this called HTTPS and a site address starts with https. For all HTTPS sites a web browser shows a lock icon in an address bar. For enabling HTTPS for a website's domain we need a private key and it's TSL certificate that was signed by a Certificate Authority (CA).

The OpenWrt admin site LICI by default supports the HTTPS so you can open it with httpS://192.168.1.1/. But it's certificate is self signed and not verified by a CA so your browser will show a warning.

You can buy a TLS cert but nowadays the Let's Encrypt CA allows to sign and verify certificates for free with a certbot program that uses ACME protocol. The only problem is that the certificate will have a short period of validity and you have to configure certificate renewal.

There is few ACME clients that automates the cert issuing:

  • certbot is an official ACME client that is feature rich but is too heavy for small OpenWrt routers.
  • acme.sh is small ACME client that uses shell script and has a LUCI app to configure. This is a recommended for OpenWrt.
  • uacme lightweight ACME client written in plain C with minimal dependencies: libcurl and one of MbedTLS, OpenSSL or GnuTLS.

If you have already taken care of certificate automation see also Installing a publicly trusted certificate.

See acme.sh

You can use CloudFlare.com as a proxy that will terminate TLS and forward requests to your router with HTTP or HTTPS with a self signed certificate. Some tunnels like PageKite or localhost.run are working through HTTPS.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/06/07 05:51
  • by stokito