[Script] Let's encrypt for GL.iNet router HTTPs access

Hi there :wave:

Many GL.iNet users have asked how to set up Let's Encrypt so that the router receives a valid SSL certificate and can be accessed via their xxxxxx.glddns.com address without receiving a certificate warning.

I've created a script that automates this entire process - including automatic renewal :partying_face:

Key Features

  • :locked: Automatic SSL/TLS Certificates - Requests and installs Let's Encrypt certificates
  • :counterclockwise_arrows_button: Auto-Renewal - Certificates renew automatically via cron job (daily at 00:00)
  • :globe_with_meridians: DDNS Integration - Works seamlessly with GL.iNet DDNS
  • :gear: Nginx Configuration - Automatically configures nginx for HTTPS
  • :white_check_mark: Validation Checks - Verifies DDNS and public IP match before proceeding
  • :floppy_disk: Persistence - Optional: Make installation persistent across firmware upgrades
  • :wrench: Restore Function - Easy restoration to factory default configuration

Permanent Installation

During installation, you'll be asked if you want to make it permanent across firmware updates. If you choose "yes", the certificate files and nginx configuration will be preserved during firmware upgrades by adding them to /etc/sysupgrade.conf.

Prerequisites

To execute the script, the following requirements must be met:

  • A GL.iNet router with the latest GL firmware version
  • A working internet connection
  • DDNS must be enabled and configured!
  • DDNS IP must be the same as the router's public IP (will be checked by the script)
  • Using a router behind CGNAT is not supported

:warning: Important: The script will request a certificate for the router's public IP. VPN IP is not supported.

Quick-Start

You can run it directly on your router via SSH with this single command:

wget https://get.admon.me/acme-update -O enable-acme.sh && sh enable-acme.sh

Follow the on-screen instructions to complete the ACME setup.

Advanced Usage

Running without confirmation

Use the --force flag to run the script without any confirmation prompts for fully unattended installations.

sh enable-acme.sh --force

Manual Certificate Renewal

While certificates renew automatically, you can manually trigger renewal:

sh enable-acme.sh --renew

Or if you installed the script to /usr/bin:

/usr/bin/enable-acme --renew

Logging options

Enable timestamps for debugging:

sh enable-acme.sh --log

Use ASCII characters instead of emojis for older terminals:

sh enable-acme.sh --ascii

Usage

./enable-acme.sh [--renew] [--restore] [--force] [--log] [--ascii] [--help]

Argument    Description
--renew     Manually renew the ACME certificate
--restore   Restore nginx to factory default configuration
--force     Skip all confirmation prompts (for unattended installation)
--log       Show timestamps in log messages
--ascii     Use ASCII characters instead of emojis for compatibility
--help      Display help message with all available arguments

Automatic Renewal

The certificate will be renewed automatically by a cronjob installed by the script. The cronjob checks for renewal every day at 00:00.

No manual intervention is required – just let it run!

Result

Disclaimer

This script is provided as-is without any warranty. Use it at your own risk.

It may potentially:

  • :fire: Break your router, computer, or network
  • :fire: Cause unexpected system behavior
  • :fire: Even burn down your house (okay, probably not, but you get the idea)

You have been warned!

Restoring

Simply run the script with the --restore argument:

sh enable-acme.sh --restore

This will restore HTTP access on port 80, revert to self-signed certificates, remove ACME configuration and restart nginx.

Manual Restoration:

You can also manually revert the changes with these commands:

sed -i 's/#listen 80;/listen 80;/g' /etc/nginx/conf.d/gl.conf
sed -i 's/#listen \[::\]:80;/listen \[::\]:80;/g' /etc/nginx/conf.d/gl.conf
sed -i 's|ssl_certificate .*;|ssl_certificate /etc/nginx/nginx.cer;|g' /etc/nginx/conf.d/gl.conf
sed -i 's|ssl_certificate_key .*;|ssl_certificate_key /etc/nginx/nginx.key;|g' /etc/nginx/conf.d/gl.conf
/etc/init.d/nginx restart

Made with :heart: by @Admon

If you find this helpful, consider supporting the project via GitHub

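The manual restoration commands from the post, as an added example that is not the script's or the author's own code: they are applied to a constructed gl.conf and the result is verified before nginx would be restarted. The sample config contents and the /etc/acme paths are assumptions.

```shell
#!/bin/sh
# Added example (not the script's or the post's own code): applies the
# manual-restoration edits from the post to a gl.conf and verifies them
# before nginx would be restarted. The sample config is constructed; the
# real /etc/nginx/conf.d/gl.conf and the /etc/acme paths are assumptions.

# Constructed gl.conf as it might look after the script ran: port-80
# listeners commented out, cert paths pointing at ACME-issued files.
make_sample_conf() {
    cat > "$1" <<'EOF'
server {
    #listen 80;
    #listen [::]:80;
    listen 443 ssl;
    ssl_certificate /etc/acme/example.glddns.com/fullchain.cer;
    ssl_certificate_key /etc/acme/example.glddns.com/example.glddns.com.key;
}
EOF
}

# Revert the config in place with the same four sed edits the post lists.
restore_gl_conf() {
    sed -i 's/#listen 80;/listen 80;/g' "$1"
    sed -i 's/#listen \[::\]:80;/listen \[::\]:80;/g' "$1"
    sed -i 's|ssl_certificate .*;|ssl_certificate /etc/nginx/nginx.cer;|g' "$1"
    sed -i 's|ssl_certificate_key .*;|ssl_certificate_key /etc/nginx/nginx.key;|g' "$1"
}

# Succeed only if the config is back at factory values: both port-80
# listeners active, no ACME path left, both self-signed paths present.
verify_restored() {
    grep -q '^ *listen 80;' "$1" || return 1
    grep -q '^ *listen \[::\]:80;' "$1" || return 1
    grep -q '/etc/acme/' "$1" && return 1
    grep -q 'ssl_certificate /etc/nginx/nginx\.cer;' "$1" || return 1
    grep -q 'ssl_certificate_key /etc/nginx/nginx\.key;' "$1"
}

# Dry run on a temporary copy; on a real router, run verify_restored on
# the live file and only then /etc/init.d/nginx restart, so a partial
# edit cannot leave the admin UI unreachable.
restore_demo() {
    tmp=$(mktemp) || return 1
    make_sample_conf "$tmp"
    restore_gl_conf "$tmp"
    if verify_restored "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```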
Certificate generated by HTTPS port 443, correct? Is it not possible to generate via DNS?

It is not with this script (yet), so no wildcard certs to the best of my knowledge. But this is great work @admon! Thanks for providing it for us.

Only by HTTP because DNS isn’t integrated in GLDDNS yet.

I really wanted to use this script; it's a shame that my operator has port 80 blocked and there is no way to change the port to generate a certificate.

Hi @japa182

You can do DNS validation with acme.sh from luci with acme-acmesh-dnsapi and luci-app-acme packages.

Certs are created in /etc/acme and renewed automatically.

Yep, this works - but not for the GLDDNS Domain.
So if you want to use your own domain luci is the way to go indeed.

Maybe you should add that a VPN should be turned off before enabling the DDNS service and using the script, to avoid errors.

Just wondering how you tested it while your xe300 is behind CGNAT?

No need for disabling VPN because the script will simply avoid the VPN - it will use the normal interface.

CGNAT is not supported because that's how it works. I don't have to test it to know about this. :sweat_smile:
Or did I get your question wrong?

I meant how did you test your custom script on the XE300, which uses CGNAT by default. In your SSL report screenshot, I can see that your glddns device was accessible without CGNAT.

I have multiple GL.iNet devices, some with CGNAT, some without :wink:

Now it makes sense! I was wondering how I can test your script on my Spitz since it has CGNAT? Do you think there is any workaround?

I highly doubt it. Port 80 needs to be open for ACME with GLDDNS (due to the lack of DNS-01 support here).

What do you mean by port 80? I think your script is for generating the SSL cert?

For my question, regardless of the port, is there any way to make my device accessible from the internet?

Since this is the thread about this script, yeah, I am talking about the script :laughing:
It will not generate the certificate; it will call the Let's Encrypt service to do so. And they need port 80.

Go ZeroTier, works fine.

I used to pay extra money for my ISP to reserve a public IP for me. But honestly it is not worth it.

Got it! I have never used such a service, that's why I was asking.

Yup, it’s not if you don’t need public services like hosting a website.
For all other things, ZeroTier works totally fine. I use it for streaming movies from my NAS while I am abroad.

Thanks for that .sh. I'm still a newbie and it was working; then I tested some stuff with LuCI DDNS. I went back to the 'default' DDNS management in the web interface but my SSL report is T. I tried to run the script again but now it's failing: "DDNS IP address not found. Please enable DDNS first." But from the web interface the DDNS test works well and shows the same IP. What can I do? Thanks

Since I don't know what you did (and broke, I guess) it's hard to help.

You need to revert to GLDDNS. Maybe by disabling and enabling it again. No other DDNS service is supported by the script.