Member
Posts: 247
Registered: ‎11-16-2013
Kudos: 20
Solutions: 1

Letsencrypt SSL support for Edgerouter

Hi, is there an official way to support Let's Encrypt SSL installation into the EdgeRouter console? The ones I've seen damage the server configuration. There should be an option to set up a separate server to connect to for authentication?

Let me know. 

Member
Posts: 240
Registered: ‎12-22-2015
Kudos: 48
Solutions: 3

Re: Letsencrypt SSL support for Edgerouter

This should theoretically be possible if you have a working domain name pointing at your IP address, but implementation details are implementation details

Established Member
Posts: 1,595
Registered: ‎07-07-2014
Kudos: 374
Solutions: 105

Re: Letsencrypt SSL support for Edgerouter

There is no "official" method, but search around the forum and you'll find it has been discussed a lot.

This thread looks promising:

https://community.ubnt.com/t5/EdgeMAX/Updating-EdgeMax-Let-s-Encrypt-Script/td-p/1743285

Which references this open source project:

https://github.com/mgbowen/letsencrypt-edgemax

New Member
Posts: 16
Registered: ‎09-06-2017
Kudos: 4
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter

Hi,

I just successfully deployed a Let's Encrypt certificate on my ERX with automatic renewal, so I decided to share some instructions to follow if you're still looking for it. My version doesn't edit the firewall configuration or install any package, but relies on the DNS-01 verification method. That means you need a DNS provider with DNS API support (there are plenty of them anyway).

If you can tolerate 80/443 being open for a short period during the certificate request, then you can follow the original instruction here as well.

New Member
Posts: 5
Registered: ‎12-02-2017

Re: Letsencrypt SSL support for Edgerouter

Hey ...

I just installed my ERL and am looking to install certificates.

Your instructions are quite good, but not entirely explicit.

When you say:

mkdir -p /config/.acme.sh
curl -o /config/.acme.sh/acme.sh https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
curl -o /config/scripts/renew.acme.sh https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/scripts/renew.acme.sh
chmod 755 /config/.acme.sh/acme.sh /config/scripts/renew.acme.sh

Do you mean that this should be done on the ERL or just on a Linux host?

Given that you're describing setting up tasks to renew the certificate and referencing those files, I'm guessing you intend them to somehow arrive on the ERL.

Also, you say:

  • Configure DNS record for subdomain.example.com to your public WAN IP.

The WAN IP I get is from Comcast via DHCP and isn't guaranteed to stay the same. Is there any way to generate the certificate using a local LAN IP?

I don't ever intend to configure the ERL from the WAN side - I'm just trying to make Chrome stop complaining when I connect to it from the LAN side...

Thanks for any help.

Established Member
Posts: 1,915
Registered: ‎03-02-2016
Kudos: 469
Solutions: 148

Re: Letsencrypt SSL support for Edgerouter

You should set up a DDNS record for your public IP.

If all you care about is making Chrome not complain, just add the router's self-signed certificate to your trusted certificates in your system. In Windows, this is in the Internet Options control panel.

New Member
Posts: 16
Registered: ‎09-06-2017
Kudos: 4
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter

Hi @rbphilip

Thank you for the feedback, but I think you're referring to a different guide that I based mine on (which is the second href in my post).

In any case, those commands should be executed on the router. I personally don't want to expose my router management port to the outside world. So in my guide, I create a static map of the subdomain to an internal IP address (e.g., 192.168.1.1), and it's only accessible from the outside through a VPN tunnel.

New Member
Posts: 5
Registered: ‎12-02-2017

Re: Letsencrypt SSL support for Edgerouter

@hungnguyenm wrote:

Hi @rbphilip

Thank you for the feedback, but I think you're referring to a different guide that I based mine on (which is the second href in my post).

In any case, those commands should be executed on the router. I personally don't want to expose my router management port to the outside world. So in my guide, I create a static map of the subdomain to an internal IP address (e.g., 192.168.1.1), and it's only accessible from the outside through a VPN tunnel.

Thanks.

I'll go back and look at your guide using the model of statically mapping the subdomain to a LAN address. Sounds like that's what I want to do.

I'm new to the ERL and just beginning to be familiar with it.

As much as the pfSense and OPNsense crowd slam the ERL software, it mostly seems fine to me. Just a little short on good how-to documentation.

New Member
Posts: 5
Registered: ‎12-02-2017

Re: Letsencrypt SSL support for Edgerouter


@gfunkdave wrote:
You should set up a DDNS record for your public IP.

If all you care about is making Chrome not complain, just add the router's self-signed certificate to your trusted certificates in your system. In Windows, this is in the Internet Options control panel.

Yeah - the public DDNS thing should be easy enough. I used to do this.

Mostly I care about the complaints from web browsers - I can tell Firefox to remember that I made an exception for the EdgeRouter, but as a geek I'd like to do it "correctly" and actually build and maintain SSL certificates for that day when I need them.

Member
Posts: 247
Registered: ‎11-16-2013
Kudos: 20
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter

This looks promising:

https://github.com/hungnguyenm/edgemax-acme

There was another GitHub project, but on attempting to request a cert it was failing. And because I was unable to provide a log with private detail information, the arrogant guy closed the ticket.

I have my own domain and use Route53 for DNS; it makes it a little easier.

New Member
Posts: 16
Registered: ‎09-06-2017
Kudos: 4
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter

Thank you for mentioning it. I just made a quick fix to remove the " in the arguments (it makes cron unable to execute the command). Just verified cron working and renewing my router certificate.

If you followed the previous commit's instructions, please remove the " in the argument.

Member
Posts: 247
Registered: ‎11-16-2013
Kudos: 20
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter

I believe the script adds a TXT record to your A-record subdomain. So I guess I create the A record, or maybe a CNAME, pointing to my current IP, then run the validation, then update the DNS on my router to map that subdomain to its own private IP address.

Member
Posts: 247
Registered: ‎11-16-2013
Kudos: 20
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter

Following those steps actually finally worked. So DNS verification is the better way to go. Follow the install script documentation exactly. I tried to install acme directly first.


Member
Posts: 247
Registered: ‎11-16-2013
Kudos: 20
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter

I'll figure out a better schedule; you only have to renew after 3 months, so a 30-day schedule is better.

set system task-scheduler task renew.acme interval 30d

Member
Posts: 247
Registered: ‎11-16-2013
Kudos: 20
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter

Scrap all other Let's Encrypt projects for EdgeRouter, they are all duds and broken, and go with this:

https://github.com/hungnguyenm/edgemax-acme

New Member
Posts: 16
Registered: ‎09-06-2017
Kudos: 4
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter


@electroteque wrote:

Scrap all other Let's Encrypt projects for EdgeRouter, they are all duds and broken, and go with this:

https://github.com/hungnguyenm/edgemax-acme

Thanks for trying!

@electroteque wrote:

I'll figure out a better schedule; you only have to renew after 3 months, so a 30-day schedule is better.

set system task-scheduler task renew.acme interval 30d

That would work too. The reason I put 1 day is that the script will quit anyway if the cert is still valid for > 30 days. Sometimes, due to network or various other issues, the script might fail, so the lower interval gives it a couple more retries just in case. I personally use 15d.
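
The renewal gate described in the reply above, written out as an added example (this is not the edgemax-acme project's own script): the script only contacts the CA once 30 days or fewer remain, and a small simulation shows how the task-scheduler interval changes the number of retries left before the certificate actually expires. Assumptions: 90-day certificate lifetime, a 30-day renewal window, and scheduler runs starting one interval after the task is created.

```python
"""Constructed example: Let's Encrypt renewal gate and retry-window simulation.
Assumes a 90-day certificate, renewal once <= 30 days remain, and scheduler
runs at day interval, 2*interval, ... after issuance."""
import ssl

DAY = 86400
WINDOW_DAYS = 30        # renew when this many days or fewer remain
VALIDITY_DAYS = 90      # Let's Encrypt certificate lifetime


def days_remaining(not_after, now):
    """Days until expiry. not_after is the openssl 'notAfter=' value,
    e.g. 'Jan  5 09:34:43 2018 GMT'; now is a Unix timestamp (UTC)."""
    return (ssl.cert_time_to_seconds(not_after) - now) / DAY


def should_renew(not_after, now, window_days=WINDOW_DAYS):
    """True when the renew script should actually talk to the ACME CA.
    Otherwise it exits early, so a frequent schedule costs nothing."""
    return days_remaining(not_after, now) <= window_days


def simulate(interval_days, failing_days=(), validity_days=VALIDITY_DAYS,
             window_days=WINDOW_DAYS):
    """Day (relative to issuance) on which a renewal succeeds, or None if
    the certificate expires first. failing_days are days on which the ACME
    request fails (DNS API outage, network error, ...)."""
    day = interval_days
    while day < validity_days:
        if validity_days - day <= window_days and day not in failing_days:
            return day
        day += interval_days
    return None


if __name__ == "__main__":
    # One transient failure on day 60, the first day inside the window:
    # a 30d interval gets no second chance, 15d gets one, 1d gets 29.
    for interval in (30, 15, 1):
        print("interval %2dd -> renewed on day %s"
              % (interval, simulate(interval, {60})))
```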

New Member
Posts: 5
Registered: ‎12-02-2017

Re: Letsencrypt SSL support for Edgerouter

I have to agree - the process here (https://github.com/hungnguyenm/edgemax-acme) works really well. 

It's a little trickier if you want free DNS services. freedns.afraid.org for example won't work for you unless you control the entire domain. 

But I ultimately created subdomains with duckdns.org for the internal (172.xx.yy.zz) and external (as provided by Comcast) IP addresses, and told the script to use both domains. It gave me a single key file with information for both domains. 

I can now configure my ERL from inside or outside my network by name, without the browser complaining about the certificates. Lovely. 

Thanks to hungnguyenm for putting this together.

Member
Posts: 247
Registered: ‎11-16-2013
Kudos: 20
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter

Yeah, unfortunately you do need a domain first, or just a way to control DNS with the API. It is certainly much less hassle than port forwarding, opening ports and HTTP verification. That worked on the Synology, but a few processes failed on the EdgeRouter.

If you need free DNS, sign up for AWS; you have a year of free tier. Set up Route53, then you can disable it after verification.

New Member
Posts: 16
Registered: ‎09-06-2017
Kudos: 4
Solutions: 1

Re: Letsencrypt SSL support for Edgerouter


@electroteque wrote:

Yeah, unfortunately you do need a domain first, or just a way to control DNS with the API. It is certainly much less hassle than port forwarding, opening ports and HTTP verification. That worked on the Synology, but a few processes failed on the EdgeRouter.

If you need free DNS, sign up for AWS; you have a year of free tier. Set up Route53, then you can disable it after verification.

That's good to know too. I use Google Domains for all my domains, which is not a supported DNS provider. So currently, I have to buy the cheapest domain ($1/year) on GoDaddy for this purpose (and disable auto-renew). At least I don't have to worry about certificate renewal for a year, and each of my routers can have a subdomain for it.

New Member
Posts: 5
Registered: ‎12-02-2017

Re: Letsencrypt SSL support for Edgerouter

I have all my domains with a non-supported ISP. But Hurricane Electric will let you delegate to them, and it's easy to create subdomains, DDNS, etc. And they appear to be supported by the shell scripts. I'll know tomorrow, as I switched one of my domains to their nameservers.

Never any lack of fun when it comes to computers!