Ddns record update and ssl on Flint 2

Hello,
is it possible to change the fw6f449 prefix for glddns.com?
I know I can create a CNAME and point to that record but can be this record changed from the UI or via script?
Also is it possible to use let’s encrypt or something to obtain the right certificate?

Thank you.

No, can’t change since it’s the ID of the device.

Thank you @admon So I suppose it’s not possible to manage the SSL certificate using let’s encrypt as well…

On your own device, you can use methods like certbot or acme.sh - as long as they are supported by OpenWrt.

But then you have to modify the nginx config manually.

I chose to create a CNAME and point to that record just for giving a try.
There is a guide here [OpenWrt Wiki] Get a free HTTPS certificate from LetsEncrypt for OpenWrt with ACME.sh that should help, but unfortunately it still show the cert from GL.iNET

* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=HK; ST=Hong Kong; L=Hong Kong; O=GLiNet; CN=console.gl-inet.com
*  start date: Oct  9 21:45:43 2023 GMT
*  expire date: Oct  8 21:45:43 2025 GMT
*  issuer: C=HK; ST=Hong Kong; L=Hong Kong; O=GLiNet; CN=console.gl-inet.com
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* using HTTP/1.1
> HEAD / HTTP/1.1
> Host: xxx
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.17.7
Server: nginx/1.17.7
< Date: Tue, 12 Dec 2023 16:39:42 GMT
Date: Tue, 12 Dec 2023 16:39:42 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 746
Content-Length: 746
< Last-Modified: Mon, 09 Oct 2023 21:45:35 GMT
Last-Modified: Mon, 09 Oct 2023 21:45:35 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "6524747f-2ea"
ETag: "6524747f-2ea"
< Cache-Control: private, no-store, no-cache, must-revalidate, proxy-revalidate
Cache-Control: private, no-store, no-cache, must-revalidate, proxy-revalidate
< Accept-Ranges: bytes
Accept-Ranges: bytes

Actually the issue seems related to too many tries:

[Tue Dec 12 18:03:46 CET 2023] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
  "status": 429
}

Let’s see if tomorrow will work or not.
I also discover this in the Luci menù:

Looks like it’s possible to change the hostname (not yet tried but at least seems there is the chance)

Nah, it’s only for the check after an IP update happen.

As @admon already said, the GL-Inet ddns is fixed to the device. It is the same as Qnap, AVM and others. Nothing special here.

If you want a custom prefix, you already said correct, it needs a CNAME to this DDNS address.

Okay, lets assume you are owner of domain.com. And you have set a CNAME from GLInet.domain.com to [your ID].glddns.com

Fine, this is the first step. But has nothing to do with the SSL certificate.
Behind the CNAME to the DDNS A (or AAAA) record needs to be a listening service. This service will get a SSL certificate. The easiest is a httpd (Webserver), because here the ACME client for LetsEncrypt can generate the String and verify if it is valid…

If you are checking the SSL certificate, and you see a GL-Inet certificate, the router is answering.
As every GL-Inet router is able to provide VPN over different protocols, I hardly recommend not tomake the Admin Panel available via WAN! Even with SSL.

It would make no sense to setup a LetsEncrypt on the router, just to provide the Admin Panel via WAN.
Please overthink your plan or tell us the missing connection.

1 Like

Thanks for your reply @LupusE .
I know the router is answering but not like as expected or better, nginx (or uhttpd) is replying with the self-signed certificate issued by Gl-inet.

Right now I tried with duckdns and I’m able to reach my router.

acme (via luci) should be able to update the certificate by itself: with standalone verification it creates a small web service with everything aboard but for some reason it’s not working.

Hoping now it’s more clear.

Thank you.

Got it working (using “manual” way, with Luci and dns validation is not working)

  1. the documentation on [OpenWrt Wiki] Get a free HTTPS certificate from LetsEncrypt for OpenWrt with ACME.sh it’s not updated (asked to update it). acme-dnsapi does not exist anymore. The right command is opkg install acme-acmesh-dnsapi

  2. create /etc/config/acme

config acme
	option account_email 'aaa@bbb.com'
	option debug '0'

config cert 'your_duckdns_wildcard'
	option enabled '1'
	option validation_method 'dns'
	option dns 'dns_duckdns'
	list credentials 'DuckDNS_Token="xxx-xxx-xxx-xxx-xxx"'
	list domains 'your.duckdns.org'
	option use_staging '0'
	option keylength '2048'
	option update_uhttpd '1'
	option update_nginx '1'
  1. cd /usr/lib/acme/client && ./acme.sh --register-account -m aaa@bbb.com

  2. ./acme.sh --issue --dns dns_duckdns -d your.duckdns.org

  3. all certificates will be stored under /root/.acme.sh/your.duckdns.org

  4. update nginx config (/etc/nginx/conf.d/gl.conf) to reflect the certificate path

  5. when you need to renew the certificate run /usr/lib/acme/client/acme.sh --renew --dns dns_duckdns -d your.duckdns.org

Hope this helps

UPDATE seems also luci is working. You need to delete /etc/config/ddns, everything inside luci web interface, create it again and restart acme. You will see something like

Wed Dec 13 18:56:28 2023 daemon.info acme-acmesh: /usr/lib/acme/client/acme.sh -d your.duckdns.org --keylength 2048 --accountemail aaa@bbb.com --server letsencrypt --dns dns_duckdns --issue --home /etc/acme

Then when you try to restart it:

# /etc/init.d/acme restart
acme-acmesh: Running ACME for your.duckdns.org
acme-acmesh: /usr/lib/acme/client/acme.sh --renew --home /etc/acme -d your.duckdns.org
Renew: 'your.duckdns.org'
Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
Skip, Next renewal time is: 2024-02-10T17:59:39Z
Add '--force' to force to renew.