[Script] Let's encrypt for GL.iNet router HTTPs access

Hi there :wave:

Some forum members have asked how to set up Let’s Encrypt so that the router receives a valid SSL certificate and can then be accessed via the xxxxxx.glddns.com address, for example, without a certificate warning.

I have therefore written a small script that implements exactly this functionality. Even with auto-renewal :partying_face:

Prerequisites

To execute the script, the following prerequisites must be met:

  • A GL.iNet router with the latest firmware version.
  • A working internet connection.
  • DDNS must be enabled and configured!
  • DDNS IP must be the same as the router’s public IP. Will be checked by the script.
  • The script will request a certificate for the router’s public IP. VPN IP is not supported.
  • Using a router behind CGNAT is not supported.

Download

You can find it in my repo located on GitHub:

Quick run without downloading

You can run it without cloning the repository by using the following command:

wget -O enable-acme.sh https://raw.githubusercontent.com/Admonstrator/glinet-enable-acme/main/enable-acme.sh && sh enable-acme.sh

Manually run

The following steps are required to enable ACME using the script:

  1. Download the script onto the router.
  2. Open an SSH connection to the router.
  3. Navigate to the directory where the script is located.
  4. Enter the command sh enable-acme.sh and press Enter.
  5. Follow the on-screen instructions to complete the ACME process.

Renewal

The certificate will be renewed automatically by a cronjob. The cronjob is installed by the script. It will check for a renewal every day at 00:00.

You can manually renew the certificate by executing the following command:

/usr/bin/enable-acme --renew

Result

Reverting

To revert the changes to nginx, execute the following commands:

sed -i '/listen \[::\]:80;/c\listen \[::\]:80;' /etc/nginx/conf.d/gl.conf
sed -i 's|ssl_certificate .*;|ssl_certificate /etc/nginx/nginx.cer;|g' /etc/nginx/conf.d/gl.conf
sed -i 's|ssl_certificate_key .*;|ssl_certificate_key /etc/nginx/nginx.key;|g' /etc/nginx/conf.d/gl.conf
/etc/init.d/nginx restart

Disclaimer

This script is provided as is and without any warranty. Use it at your own risk.

It may break your router, your computer, your network or anything else. It may even burn down your house.

You have been warned!

Cheers,
@admon :seal:

2 Likes
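As an added example (not code from enable-acme.sh or from the post above), a few POSIX sh checks you can run on the router after installing or before reverting: whether /etc/nginx/conf.d/gl.conf still references the stock nginx.cer/nginx.key pair named in the revert steps, and whether the DDNS-resolved address equals the router's public IP, which the HTTP-01 challenge needs. The ACME certificate path and the sample config snippet are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of enable-acme.sh or the original post.
# Stock paths are the ones named in the revert section; ACME paths are constructed.
STOCK_CERT="/etc/nginx/nginx.cer"
STOCK_KEY="/etc/nginx/nginx.key"
ACME_CERT="/etc/acme/example.glddns.com/fullchain.cer"   # constructed placeholder
ACME_KEY="/etc/acme/example.glddns.com/example.glddns.com.key"   # constructed placeholder

# Print the path from the first "ssl_certificate <path>;" directive in file $1.
cert_path() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Print the path from the first "ssl_certificate_key <path>;" directive in file $1.
key_path() {
    sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) when the config in $1 still points at the stock self-signed pair,
# i.e. the ACME certificate is not in use (or a revert has already been done).
uses_stock_cert() {
    [ "$(cert_path "$1")" = "$STOCK_CERT" ] && [ "$(key_path "$1")" = "$STOCK_KEY" ]
}

# Succeed when the DDNS-resolved IP ($1) equals the public IP ($2) and both are
# well-formed IPv4 dotted quads; behind CGNAT or a VPN these will not match.
ips_match() {
    ipv4='[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}'
    [ -n "$1" ] && [ "$1" = "$2" ] && printf '%s\n' "$1" | grep -q "^$ipv4\$"
}

# Write a constructed gl.conf-like snippet to file $2; $1 selects "stock" or "acme".
write_sample_conf() {
    case "$1" in
        stock) c="$STOCK_CERT"; k="$STOCK_KEY" ;;
        acme)  c="$ACME_CERT";  k="$ACME_KEY" ;;
        *) return 2 ;;
    esac
    cat > "$2" <<EOF
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    ssl_certificate $c;
    ssl_certificate_key $k;
}
EOF
}
```

On the router itself, `uses_stock_cert /etc/nginx/conf.d/gl.conf` tells you whether the revert commands still have anything to undo.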

Certificate generated via HTTPS port 443, correct? Is it not possible to generate it via DNS?

It is not with this script (yet), so no wildcard certs to the best of my knowledge. But this is great work @admon! Thanks for providing it for us.

1 Like

Only by HTTP because DNS isn’t integrated in GLDDNS yet.

I really wanted to use this script. It’s a shame that my operator has port 80 blocked and there is no way to change the port to generate a certificate.

Hi @japa182

You can do DNS validation with acme.sh from luci with acme-acmesh-dnsapi and luci-app-acme packages.

Certs are created in /etc/acme and renewed automatically.

1 Like

Yep, this works - but not for the GLDDNS Domain.
So if you want to use your own domain luci is the way to go indeed.

Maybe you should add that a VPN should be turned off before enabling the DDNS service and using the script, to avoid errors.

Just wondering how you tested it while your XE300 is behind CGNAT?

No need for disabling VPN because the script will simply avoid the VPN - it will use the normal interface.

CGNAT is not supported because that’s how it works. I don’t have to test it to know about this. :sweat_smile:
Or did I get your question wrong?

I meant how did you test your custom script on the XE300, which uses CGNAT by default. In your SSL report screenshot, I can see that your glddns device was accessible without CGNAT.

I have multiple GL.iNet devices, some with CGNAT, some without :wink:

Now it makes sense! I was wondering how I can test your script on my Spitz since it has CGNAT? Do you think there is any workaround?

I highly doubt it. Port 80 needs to be open for ACME with GLDDNS (due to the lack of DNS-01 support here).

What do you mean by port 80? I think your script is for generating the SSL cert?

For my question, regardless of the port, is there any way to make my device accessible from the internet?

Since this is the thread about this script, yeah, I am talking about the script :laughing:
It will not generate the certificate, it will call the Let’s Encrypt service to do so. And they need port 80.

Go ZeroTier, works fine.

1 Like

I used to pay extra money for my ISP to reserve a public IP for me. But honestly it is not worth it.

Got it! I have never used such a service, that’s why I was asking.

Yup, it’s not if you don’t need public services like hosting a website.
For all other things, ZeroTier works totally fine. I use it for streaming movies from my NAS while I am abroad.