[Script] Let's encrypt for GL.iNet router HTTPs access

Hi there :wave:

some forum members have asked how to set up Let’s Encrypt so that the router receives a valid SSL certificate and can then be accessed via the xxxxxx.glddns.com address, for example, without receiving a certificate warning.

I have therefore written a small script that implements exactly this functionality. Even with auto-renewal :partying_face:

Prerequisites

To execute the script, the following prerequisites must be met:

  • A GL.iNet router with the latest firmware version.
  • A working internet connection.
  • DDNS must be enabled and configured!
  • DDNS IP must be the same as the router’s public IP. Will be checked by the script.
  • The script will request a certificate for the router’s public IP. VPN IP is not supported.
  • Using a router behind CGNAT is not supported

Download

You can find it in my repo located on GitHub:

Quick run without downloading

You can run it without cloning the repository by using the following command:

wget -O enable-acme.sh https://raw.githubusercontent.com/Admonstrator/glinet-enable-acme/main/enable-acme.sh && sh enable-acme.sh

Manually run

The following steps are required to enable ACME using the script:

  1. Download the script onto the router.
  2. Open an SSH connection to the router.
  3. Navigate to the directory where the script is located.
  4. Enter the command sh enable-acme.sh and press Enter.
  5. Follow the on-screen instructions to complete the ACME process.

Renewal

The certificate will be renewed automatically by a cronjob. The cronjob is installed by the script. It will check for a renewal every day at 00:00

You can manually renew the certificate by executing the following command:

/usr/bin/enable-acme --renew

Result

Reverting

To revert the changes to nginx, execute the following commands:

sed -i '/listen \[::\]:80;/c\listen \[::\]:80;' /etc/nginx/conf.d/gl.conf 
sed -i '/listen \[::\]:80;/c\listen \[::\]:80;' /etc/nginx/conf.d/gl.conf 
sed -i 's|ssl_certificate .*;|ssl_certificate /etc/nginx/nginx.cer;|g' /etc/nginx/conf.d/gl.conf
sed -i 's|ssl_certificate_key .*;|ssl_certificate_key /etc/nginx/nginx.key;|g' /etc/nginx/conf.d/gl.conf 
/etc/init.d/nginx restart

Disclaimer

This script is provided as is and without any warranty. Use it at your own risk.

It may break your router, your computer, your network or anything else. It may even burn down your house.

You have been warned!

Cheers,
@admon :seal:

6 Likes

certificate generated by https port 443 correct? Not being possible to generate via DNS?

It is not with this script (yet), so no wildcard certs to the best of my knowledge. But this is great work @admon! Thanks for providing it for us.

1 Like

Only by HTTP because DNS isn’t integrated in GLDDNS yet.

I really wanted to use this script, it’s a shame that my operator has port 80 blocked and there is no way to change the port to generate a certificate

Hi @japa182

You can do DNS validation with acme.sh from luci with acme-acmesh-dnsapi and luci-app-acme packages.

Certs are created in /etc/acme and renewed automatically.

1 Like

Yep, this works - but not for the GLDDNS Domain.
So if you want to use your own domain luci is the way to go indeed.

Maybe you should add that a vpn should be turned off before enabling the ddns service and using the script to avoid errors.

Just wondering how you tested it while your xe300 is behind CGNAT?

No need for disabling VPN because the script will simply avoid the VPN - it will use the normal interface.

CGNAT is not supported because that’s how it works. I don’t have to test it to know about this. :sweat_smile:
or did I get your question wrong?

I meant how did you test your custom script on xe300 which uses CGNAT by default . In your ssl report screenshot, I can see that your glddns device was accessible without CGNAT.

I have multiple GL.iNet devices, some with CGNAT, some without :wink:

Now makes sense! I was wondering how can I test your script on my spitz since it has cgnat? Do you think there is any workaround?

I highly doubt it. Port 80 needs to be open for ACME with GLDDNS (due to lack of DNS-01 supporting here)

What do you mean by port 80 ? I think your script for generating ssl cert ?

For my question, regardless if the port, is there anyway to make my device accessible from the internet?

Since this is the thread about this script, yeah, I am talking about the script :laughing:
It will not generate the certificate, it will call the Let’s encrypt service to do so. And they need port 80.

Go ZeroTier, works fine.

1 Like

I used to pay extra money for my ISP to reserve a public IP for me. But honestly it is not worth it.

Got it! I have never used such service that’s why I was asking.

Yup, it’s not if you don’t need public services like hosting a website.
For all other things, ZeroTier works totally fine. I use it for streaming movies from my NAS while I am abroad.

thanks for that .sh, I'm still a newbie and it was working, then I tested some stuff with luci ddns. I went back to the 'default' DDNS management in the web interface but my SSL report is T, I tried to run the script again but now it's failing: ''DDNS IP address not found. Please enable DDNS first.'' But from the web interface the test DDNS works well and show the same IP. What can I do? Thanks

Since I don't know what you did (and broke, I guess) it's hard to help.

You need to revert to GLDDNS. Maybe by disabling and enabling it again. No other DDNS service is supported by the script.