Pre-Requisites
- You own a domain
- You have DDNS enabled for that domain and it's pointed at your network
- You have Linux, Windows Subsystem for Linux, or Mac OS X installed on your computer
- You have git installed
- You have telnet installed
Getting The Certificate
I recommend using a CA that issues longer-lived certs than Let's Encrypt: the renewal process takes about 30 minutes of your time each time, and Let's Encrypt certs only last three months. By comparison, you can buy a year-long cert from NameCheap.com for $9. So, is 2 hours of your time worth $9?
From NameCheap
- Buy a cert from namecheap.com, such as the really cheap PositiveSSL cert.
- Generate a CSR and private key by following this guide
- Make sure to specify the specific domain you've assigned to your network, for the "Common Name".
- Submit the CSR to Namecheap to complete your cert purchase
From Let's Encrypt
- Configure your router to forward HTTP/S connections to your computer
  - Navigate to http://router.asus.com/Advanced_VirtualServer_Content.asp (that address is your router's port forwarding page)
  - Login
  - Add two entries to the port forward list:
    - HTTP,,80,your computer's ip address,80,tcp
    - HTTPS,,443,your computer's ip address,443,tcp
  - Apply changes
- Configure your computer's firewall to allow inbound connections to the HTTP/S ports
  - Windows
    - Press the Windows key or click on the icon in the lower left of the screen
    - Type: Advanced Security
    - Press enter or click on the firewall option in the search results
    - Click Inbound Rules on the left
    - Click New Rule... on the right
    - Fill in the same port and protocol info as in the two port forward entries above (without specifying your computer's address, obviously).
- Install letsencrypt:
  - git clone https://github.com/letsencrypt/letsencrypt
  - sudo ~/letsencrypt/letsencrypt-auto --test-cert -d your.domain.address
  - Fix any errors that come up, like installing apache if you don't have it installed
- Request a real certificate from Let's Encrypt:
  - sudo ~/letsencrypt/letsencrypt-auto -d your.domain.address
- Enable Telnet while you're in here
- Stop accepting HTTP/S connections to your computer
- Stop forwarding HTTP/S connections to your computer through your router
Installing The Certificate
- Open a terminal, command prompt, or whatever
- Remotely access the router terminal via either:
  - ssh router.asus.com
  - telnet router.asus.com
  - Enter your usual credentials for accessing the router web interface
- Enable certificate persistence by running this command: nvram set https_crt_save=1
- Copy the certs to your router by using good old fashioned copy/paste:
  - Open your private key locally; if you used Let's Encrypt it will be in "/etc/letsencrypt/live/your.domain.address/"
  - Copy all of the text in the key file
  - Open your router's private key remotely: vi /etc/key.pem
  - Use the delete-everything command: ":%d"
  - Enter insert mode using the "i" key
  - Right-click to paste
  - Repeat the same steps for cert.pem
- Restart the router's web server: service restart_httpd
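Before pasting anything into /etc/key.pem and /etc/cert.pem it is worth confirming that the key really belongs to the certificate, that the certificate covers the DDNS domain you put in the CSR, and that it is still inside its validity period; a mismatched or expired pair just leaves the router with a broken HTTPS listener after the restart. The Go program below is an added example, not part of the original post or of the router firmware. It builds a throwaway self-signed pair (constructed test data standing in for the real CA-issued files) and runs those checks through a hypothetical ValidateCertPair function, which also prints the SHA-256 fingerprint so you can compare it with what the browser shows once the router's web server has been restarted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertReport summarises what ValidateCertPair learned about a cert/key pair.
type CertReport struct {
	CommonName    string
	NotAfter      time.Time
	DaysRemaining int
	SHA256        string // leaf fingerprint, same form as "openssl x509 -fingerprint -sha256"
}

// ValidateCertPair checks that keyPEM is the private key belonging to certPEM,
// that the certificate covers domain (the DDNS name used in the CSR), and that
// it is within its validity period at instant now.
func ValidateCertPair(certPEM, keyPEM []byte, domain string, now time.Time) (*CertReport, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails if the key does not match the cert
	if err != nil {
		return nil, fmt.Errorf("key does not match certificate: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("cannot parse certificate: %w", err)
	}
	if err := leaf.VerifyHostname(domain); err != nil {
		return nil, fmt.Errorf("certificate does not cover %q: %w", domain, err)
	}
	if now.Before(leaf.NotBefore) {
		return nil, errors.New("certificate is not yet valid")
	}
	if !now.Before(leaf.NotAfter) {
		return nil, errors.New("certificate has expired")
	}
	sum := sha256.Sum256(leaf.Raw)
	fp := strings.ReplaceAll(fmt.Sprintf("% X", sum[:]), " ", ":")
	return &CertReport{
		CommonName:    leaf.Subject.CommonName,
		NotAfter:      leaf.NotAfter,
		DaysRemaining: int(leaf.NotAfter.Sub(now) / (24 * time.Hour)),
		SHA256:        fp,
	}, nil
}

// NewSelfSignedPair builds a throwaway self-signed certificate and key for
// domain, valid for validDays from now. Constructed test data only: it stands
// in for the CA-issued files a reader would really have.
func NewSelfSignedPair(domain string, validDays int, now time.Time) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now = now.UTC().Truncate(time.Second) // X.509 validity times carry whole seconds
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(validDays) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	// your.domain.address is the placeholder the post uses for the DDNS name.
	now := time.Now().UTC().Truncate(time.Second)
	certPEM, keyPEM, err := NewSelfSignedPair("your.domain.address", 90, now)
	if err != nil {
		panic(err)
	}
	report, err := ValidateCertPair(certPEM, keyPEM, "your.domain.address", now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%s expires %s (%d days left)\nSHA256 %s\n", report.CommonName, report.NotAfter.Format(time.RFC3339), report.DaysRemaining, report.SHA256)
}
```

To check a real pair, read the two files you are about to paste into the router and pass their bytes to ValidateCertPair instead of the constructed ones; a 90-day figure in DaysRemaining is the Let's Encrypt case the post discusses, and a value near zero means it is time for the renewal dance again.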
Using The Certificate
- Enable HTTPS Local Access Config (aka Web Interface) on your router if you have not already done so.
- Forward HTTPS connections to your router's web interface by adding this entry to your port forward list:
  - HTTPS,,443,192.168.1.1,443,tcp
You should now be able to securely access your router's web interface from anywhere in the world using https://your.domain.address.
This post was inspired by https://www.snbforums.com/threads/howto-use-a-lets-encrypt-ssl-certificate-on-https-web-interface.31322/