[Script] Let's encrypt for GL.iNet router HTTPs access

GLDDNS seems to be working correctly, because I have uninstalled luci ddns and enabled it from the normal web interface:

Please run the script again and send me the output via PM.
Thanks!

I sent you the result a few days ago, but now I have resolved it. I made a backup from luci interface, restored the last official firmware, deleted any config files related to ddns from the backup then restored it. I saved my configuration and fixed the ddns issue to use this script


establish530

Having issues with the script, DDNS enabled.

And here is the script output:

[2024-10-29 10:26:54] [✓] The script is up to date
┌────────────────────────────────────────────────────────────────────────┐
│ GL.iNet router script by Admon 🦭 for the GL.iNet community            │
| Version: 2024.05.19.01                                                 |
├────────────────────────────────────────────────────────────────────────┤
│ WARNING: THIS SCRIPT MIGHT POTENTIALLY HARM YOUR ROUTER!               │
│ It's only recommended to use this script if you know what you're doing.│
├────────────────────────────────────────────────────────────────────────┤
│ This script will enable ACME support on your router.                   │
│                                                                        │
│ Prerequisites:                                                         │
│ 1. You need to have the GL DDNS service enabled.                       │
│ 2. The router needs to have a public IPv4 address.                     │
└────────────────────────────────────────────────────────────────────────┘
[2024-10-29 10:26:54] [→] Checking if prerequisites are met
[2024-10-29 10:26:54] [✓] Firmware version: 4
[2024-10-29 10:26:54] [✓] Public IP address: xx.xx.xx.xx
uci: Entry not found
BusyBox v1.33.2 (2024-10-17 09:43:37 UTC) multi-call binary.

Usage: nslookup HOST [DNS_SERVER]

Query DNS about HOST
[2024-10-29 10:26:54] [x] DDNS IP address not found. Please enable DDNS first.
[2024-10-29 10:26:54] [x] DDNS domain name not found. Please enable DDNS first.
[2024-10-29 10:26:54] [✓] Prefix of the DDNS domain name: 
[2024-10-29 10:26:54] [x] Public IP does not match DDNS IP!
[2024-10-29 10:26:54] [x] Prerequisites are not met. Exiting

Which device and firmware?

# ubus call system board
{
	"kernel": "5.4.238",
	"hostname": "GL-MT6000",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02-SNAPSHOT"

Unfortunately, the GL DDNS isn't stored via uci anymore - therefore my script can't work.
No ETA for a fix, guess I will just declare it as dead.

Are there how-to docs for doing it manually without your script that apply to GL DDNS?

Not really. Right now you could just look through the script and try to do all the steps by yourself.

Ok, thanks.

I think it just moved. Updating your script to change the uci get/set name from ddns. to gl_ddns. might do the trick.

# uci get ddns.glddns.domain
uci: Entry not found

# uci get gl_ddns.glddns.domain
abc123456.glddns.com

On my 4.7 it isn't there anymore :frowning:

Well shoot. I'm still on 4.6.8. Guess I won't have it soon on the next update.

Trying to walk through the script and perform the steps by hand (and using the ACME Luci services GUI) and seems I'm getting stopped here, pointing to the Firewall?? Should listen on port 80 in the nginx/gl.conf file be commented or uncommented?

Thu Oct 31 12:42:28 2024 daemon.err run-acme[7112]: abc123.glddns.com:Verify error:11.22.33.44: Fetching http://abc123.glddns.com/.well-known/acme-challenge/gUq7zvjHar1gTio_9VabcDEF129rseRt: Timeout during connect (likely firewall problem)

To be honest: It does not make sense to manually walk through the script. Let's encrypt must be renewed every ~60 days - so you need to do all steps again.

You first need to enable access on TCP/80 and the firewall, so function config_nginx and open_firewall

I'm curious, would your script work on a pure openwrt router? Does it store DDNS in uci?

Currently it won't work.

The script was updated to support newer firmwares.

At least on my 4.7.0 beta6 it does work again, @establish530
Not sure about older ones, but waiting for bug reports.


Thanks a lot @admon, great tutorial and exactly what I was looking for. And your cover picture made my day, soooo cute :grinning:

I gave it a spin and got much further this time :slightly_smiling_face: but erroring on what appears something else listening on port 80?

Possibly this?

# netstat -tunlp | grep :80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      17516/nginx.conf -g
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      4361/uhttpd
tcp        0      0 :::80                   :::*                    LISTEN      17516/nginx.conf -g

[2024-11-04 10:36:57] [✓] Public IP matches DDNS IP.
[2024-11-04 10:36:57] [✓] Prerequisites are met.
[2024-11-04 10:36:57] [!] Are you sure you want to continue? (y/N)
y
[2024-11-04 10:37:03] [→] Installing luci-app-acme
[2024-11-04 10:37:11] [→] Creating firewall rule to open port 80 on WAN
[2024-11-04 10:37:11] [→] Restarting firewall
[2024-11-04 10:37:11] [→] Deleting old ACME configuration file for ks11f22
uci: Entry not found
[2024-11-04 10:37:11] [→] Creating ACME configuration file
[2024-11-04 10:37:11] [→] Disabling HTTP access to the router
[2024-11-04 10:37:11] [→] Restarting nginx
[2024-11-04 10:37:11] [→] Restarting acme
[2024-11-04 10:37:16] [→] Checking if certificate was issued
[2024-11-04 10:37:26] [x] Certificate was not issued. Please check the log by running logread.
[2024-11-04 10:37:26] [→] Enabling HTTP access to the router
[2024-11-04 10:37:26] [→] Restarting nginx
[2024-11-04 10:37:26] [→] Disabling firewall rule to open port 80 on WAN
[2024-11-04 10:37:27] [→] Restarting firewall
[2024-11-04 10:37:27] [→] Modifying /etc/sysupgrade.conf
[2024-11-04 10:37:27] [✓] Configuration added to /etc/sysupgrade.conf.
[2024-11-04 10:37:27] [x] The ACME certificate was not installed successfully.
[2024-11-04 10:37:27] [x] Please report any issues on the GL.iNET forum or inside the scripts repository.
[2024-11-04 10:37:27] [x] You can find the log file by executing logread

Logread

Mon Nov  4 10:37:20 2024 daemon.info run-acme[15624]: Pending, The CA is processing your order, please just wait. (3/30)
Mon Nov  4 10:37:20 2024 daemon.err run-acme[15624]: sleep 2 secs to verify again
Mon Nov  4 10:37:21 2024 daemon.info procd: Instance acme::instance1 pid 15624 not stopped on SIGTERM, sending SIGKILL instead
Mon Nov  4 10:37:21 2024 daemon.info acme: Running pre checks for ks11f22.glddns.com.
Mon Nov  4 10:37:21 2024 daemon.err run-acme[16746]: acme: Running pre checks for ks11f22.glddns.com.
Mon Nov  4 10:37:21 2024 daemon.debug acme: port80 listens: 16392/socat
Mon Nov  4 10:37:21 2024 daemon.err run-acme[16746]: acme: port80 listens: 16392/socat
Mon Nov  4 10:37:21 2024 daemon.err acme: ks11f22.glddns.com: Cannot run in standalone mode; another daemon is listening on port 80.
Mon Nov  4 10:37:21 2024 daemon.err run-acme[16746]: acme: ks11f22.glddns.com: Cannot run in standalone mode; another daemon is listening on port 80.
Mon Nov  4 10:37:21 2024 daemon.err acme: Disable other daemon or set webroot to continue.
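The prerequisite checks this thread walks through (the uci domain lookup with the gl_ddns/ddns section fallback, the public-IP vs DDNS-IP comparison, and the port-80 listener conflict that the logread above shows acme refusing), as an added example that is not Admon's script; it assumes BusyBox nslookup and netstat output shaped like the samples posted here, and takes the public IP as an argument instead of querying an external service.

```shell
#!/bin/sh
# Added example, not Admon's script: the prerequisite checks discussed in this
# thread, with the uci section fallback (gl_ddns vs ddns) and the port-80
# listener check that acme's standalone mode refuses to run without.
# Assumes BusyBox nslookup and netstat output shaped like the samples below.

# DDNS domain: newer firmware stores it under gl_ddns, older under ddns.
ddns_domain() {
    uci -q get gl_ddns.glddns.domain || uci -q get ddns.glddns.domain
}

# First IPv4 answer after the "Name:" line of nslookup output read from stdin.
ddns_ip_from_nslookup() {
    awk '/^Name:/ {seen=1; next} seen && /^Address/ && $NF ~ /^[0-9.]+$/ {print $NF; exit}'
}

# Program column of every TCP socket bound to port 80 (netstat -tunlp on stdin).
port80_listeners() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ {print $7}' | sort -u
}

# Succeeds only when both IPs are non-empty and identical.
ips_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# On the router: `sh check.sh run <public-ip>` (the public IP is passed in,
# since this example does not query an external service for it).
check_prerequisites() {
    domain=$(ddns_domain) || { echo "[x] DDNS domain not found in uci"; return 1; }
    ddns_ip=$(nslookup "$domain" 2>/dev/null | ddns_ip_from_nslookup)
    ips_match "$1" "$ddns_ip" || { echo "[x] Public IP '$1' != DDNS IP '$ddns_ip'"; return 1; }
    busy=$(netstat -tunlp 2>/dev/null | port80_listeners)
    [ -z "$busy" ] || { echo "[x] Port 80 already used by: $busy (stop it or use webroot)"; return 1; }
    echo "[ok] Prerequisites met for $domain"
}

# Constructed samples modelled on the outputs posted in this thread.
SAMPLE_NSLOOKUP='Server:		127.0.0.1
Address:	127.0.0.1:53

Name:	ks11f22.glddns.com
Address: 11.22.33.44'
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      17516/nginx.conf -g
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      4361/uhttpd
tcp        0      0 :::80                   :::*                    LISTEN      17516/nginx.conf -g'

case "${1:-}" in run) check_prerequisites "$2" ;; esac
```

With the samples above, `port80_listeners` reports nginx as the port-80 owner, which is exactly the condition that makes acme's standalone HTTP-01 challenge fail until nginx stops listening there or webroot mode is used.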