Updated How to run on OpenWRT (markdown)

master
Tim O'Brien 2016-07-25 11:03:15 -07:00
parent c9bedd1a69
commit 64c9703dbc
1 changed files with 35 additions and 3 deletions

@ -1,12 +1,15 @@
Setup and run acme.sh on your OpenWRT router and have https secured management.
*Also see Step 5 for a handy setup script*
### Step 1: Install packages
`opkg install curl ca-certificates px5g uhttpd-mod-tls`
`opkg install curl ca-certificates uhttpd-mod-tls`
### Step 2: Configure Web Server
Here we'll tell uhttpd to listen for https traffic and add two firewall rules to let that traffic through.
The HTTP port 80 rule will be disabled by default
These commands use the OpenWRT [`uci` command](https://wiki.openwrt.org/doc/uci), a brilliant way to parse, get, set, and edit values and sections from config files. It makes scripting OpenWRT a breeze.
```
uci set uhttpd.main.redirect_https=1
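Review bot: the added sentence "The HTTP port 80 rule will be disabled by default" is incomplete and leaves the reader with a contradiction: Step 3 issues the certificate with webroot validation (`./acme.sh --issue -d $DOMAIN -w /www`), which only works if port 80 is reachable from the WAN at issue time and again at every renewal, so a port-80 rule that is disabled by default breaks Step 3 unless it is re-enabled around each run. State that explicitly here (the Step 5 script is described as opening port 80 for verification and closing it again, which is the behaviour the manual steps should also spell out), and finish the sentence with a period. Separately, the revised install line keeps only `curl ca-certificates uhttpd-mod-tls`; acme.sh generates keys and CSRs by shelling out to the `openssl` binary, which on OpenWrt is the `openssl-util` package and is not in this list, so either add it or say it is assumed present.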
@ -25,8 +28,37 @@ uci set firewall.https.src=wan
uci set firewall.https.proto=tcp
uci set firewall.https.dest_port=80
uci set firewall.https.name='http web configuration'
uci set firewall.http.enabled=0
uci commit
/etc/init.d/firewall restart
/etc/init.d/uhttpd restart
```
### Step 3: Configure acme.sh and get your certificate
On your router:
```
mkdir ~/.https
curl https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh > acme.sh
chmod a+x "acme.sh"
DOMAIN=my.router.net ## this domain must actually point to your router
./acme.sh --issue -d $DOMAIN -w /www
```
Now if the certificate issue was successful we'll tell the web server to use our new certificate:
```
uci set uhttpd.main.key "$(pwd)/$DOMAIN/$DOMAIN.key"
uci set uhttpd.main.cert "$(pwd)/$DOMAIN/$DOMAIN.cert"
uci commit uhttpd
/etc/init.d/uhttpd restart
```
### Step 4: Run acme.sh automatically every day
Run `crontab -e` to edit your crontab (use something like `export EDITOR="/usr/bin/nano"` if vim isn't your style). Add:
`0 0 * * * /root/.https/acme.sh --cron --home /root/.https >>/root/.https/log.txt 2>&1`
### Meta-Step 5: Use a fancy setup script instead
See [this gist](https://gist.github.com/t413/3e616611299b22b17b08baa517d2d02c) for my `update.sh` that handles each step of this howto for you and also runs the cron update.. with style. (It automates opening port-80 traffic for verification then closes it again so http isn't even an option)
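Review bot: the firewall block writes the port-80 rule into the https section: `uci set firewall.https.dest_port=80` and `uci set firewall.https.name='http web configuration'` overwrite the https rule so it ends up on port 80, while the `firewall.http` section that the new line `uci set firewall.http.enabled=0` disables is never defined in the visible lines. Those option lines should target `firewall.http.*` (with a matching `uci set firewall.http=rule` and `src=wan`) so the https rule stays on 443 and the disabled rule actually exists. Two problems in Step 3 as well: `uci set uhttpd.main.key "$(pwd)/$DOMAIN/$DOMAIN.key"` uses a space between key and value, but `uci set` expects `key=value`; and the paths are wrong, since the issue command has no `--home`, so acme.sh stores the output under its default home `~/.acme.sh/$DOMAIN/` rather than `$(pwd)/$DOMAIN/`, and the certificate file is named `$DOMAIN.cer`, not `$DOMAIN.cert`. The cron line then passes `--home /root/.https`, which does not match the home used at issue time, so the renewal job will not find the certificate it is meant to renew. Suggest issuing and renewing with the same `--home`, and installing the files with acme.sh's install-cert step (`--install-cert` with `--key-file`, `--fullchain-file` and `--reloadcmd "/etc/init.d/uhttpd restart"`) so a renewed certificate is copied into place and uhttpd reloads it, instead of pointing uci at files that a later renewal will not refresh in the running server. Minor: `curl https://raw.githubusercontent.com/... > acme.sh` should use `curl -f` (or `-fsSL`) so an HTTP error page is not saved as the script and then made executable.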