Any way to get a proper certificate instead of a self-signed one on GL-AX1800 (Flint)?

SpearmanKinship · July 31, 2023, 3:55pm

I just got this router and I was quite surprised and disappointed to find a self-signed certificate in this router. Is there any way to get a proper certificate instead of a self-signed one on the GL-AX1800 (Flint) running the 4.2.0 firmware?

bring.fringe18 · July 31, 2023, 7:07pm

First, f/w 4.2.3-release5 is the latest for the Flint. Consider upgrading (GL GUI → System → Upgrade). More to the point, technically, yes noting:

Certificates expire usually just at the 1 year mark for a commercially sourced one.
LetsEncrypt is free.
You’ll need a domain name to assign to your Flint as a host.
- There’s many free dynamic DNS providers (DynDNS/DDNS) available.

I haven’t set this up yet myself but you’ll need deSEC DDNS, LuCI, SSH access to install python3 to configure this particular solution:

SpearmanKinship · July 31, 2023, 7:56pm

First, f/w 4.2.3-release5 is the latest for the Flint. Consider upgrading (GL GUI → System → Upgrade).

Does that update add a proper certificate to the Flint? I haven’t updated because I like to see how devices perform with the stock firmware before updating. I know of let’s encrypt but this post was meant for a proper certificate from glinet itself, is there a way to get one? Why doesn’t this router come with a valid proper, non self-signed certificate?

bring.fringe18 · July 31, 2023, 8:13pm

… & said domain names for assigning certs are tied to host’s IP.

4.2.3-release5 is the new stock/stable build. You can always downgrade if something breaks (GL GUI → System → Upgrade → Local Upgrade). Future builds are going to be based on OpenWrt Linux 22.03 v the current builds of 21.02.

It’s your call, of course.

SpearmanKinship · August 1, 2023, 2:34pm

Certificates expire usually just at the 1 year mark for a commercially sourced one.

I never had this issue with any of the router brands I’ve had before this one so not sure how that explains anything. From my standpoint it’s a very big oversight for a network equipment company.

bring.fringe18 · August 2, 2023, 3:39am

Go to any TLS enabled site/service of your choice & lookup the Validity Period.

SpearmanKinship · August 2, 2023, 12:05pm

Don’t be dishonest. Certificates have validity periods and no one is questioning that but I never had an invalid or SELF-SIGNED certificate when I visited the admin page of any other router I’ve owned.

groentjuh · August 2, 2023, 1:32pm

I really wonder what gear you have had, because I see the following:

ISP provided router: NO SSL AT ALL!
HP gear: Self-signed
Zyxel gear: Self-signed

SpearmanKinship · August 2, 2023, 2:49pm

I’m not counting ISP’s routers. Personally linksys (the classic WRT54G on which I even installed openwrt way back in the day), tp-link and medialink. Never had issues with certificates with them.

groentjuh · August 2, 2023, 3:06pm

Very likely those routers did not even have TLS/SSL on their web-interfaces at all. Yeay for sending the credentials to access your router plaintext to it.

OpenWRT recently (since 22.x) does by default do TLS/SSL with self-signed certificates. They rather have TLS/SSL with self-signed certificates protecting them then plaintext communication.