diff --git a/How-to-run-on-OpenWRT.md b/How-to-run-on-OpenWRT.md index 539206b..1eef694 100644 --- a/How-to-run-on-OpenWRT.md +++ b/How-to-run-on-OpenWRT.md @@ -1,39 +1,17 @@ Setup and run acme.sh on your OpenWRT router and have https secured management. -*Also see [Step 5](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT#meta-step-5-use-a-fancy-setup-script-instead) for a handy setup script instead* - ### Step 1: Install packages -`opkg install curl ca-certificates uhttpd-mod-tls openssl-util` - -On LEDE 17.01.2 you will need - -`opkg install curl ca-certificates ca-bundle luci-ssl` +`opkg install curl ca-bundle luci-ssl-openssl` ### Step 2: Configure Web Server -Here we'll tell uhttpd to listen for https traffic and add two firewall rules to let that traffic through. +Here we'll tell uhttpd not redirect to https These commands use the OpenWRT [`uci` command](https://wiki.openwrt.org/doc/uci), a brilliant way to parse, get, set, and edit values and sections from config files. It makes scripting OpenWRT a breeze. ``` -uci set uhttpd.main.redirect_https=1 -uci set uhttpd.main.listen_https='[::]:443' -##add https firewall rule -uci set firewall.https=rule -uci set firewall.https.target=ACCEPT -uci set firewall.https.src=wan -uci set firewall.https.proto=tcp -uci set firewall.https.dest_port=443 -uci set firewall.https.name='web configuration' -##add http firewall rule -uci set firewall.http=rule -uci set firewall.http.target=ACCEPT -uci set firewall.http.src=wan -uci set firewall.http.proto=tcp -uci set firewall.http.dest_port=80 -uci set firewall.http.name='http web configuration' +uci set uhttpd.main.redirect_https=0 uci commit -/etc/init.d/firewall restart /etc/init.d/uhttpd restart ``` @@ -41,13 +19,14 @@ uci commit On your router: ``` -mkdir ~/.https curl https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh > acme.sh chmod a+x "acme.sh" ./acme.sh --install cd /root/.acme.sh DOMAIN=my.router.net ## this domain must actually point to your router +iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME ./acme.sh --issue -d $DOMAIN -w /www +iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME ``` Now if the certificate issue was successful we'll tell the web server to use our new certificate: @@ -59,19 +38,20 @@ uci commit uhttpd /etc/init.d/uhttpd restart ``` -### Step 4: Run acme.sh automatically every day +### Step 4: Modify crontab (automatic renew) -Run `crontab -e` to edit your crontab (use something like `export EDITOR="/usr/bin/nano"` if vim isn't your style). Add: +Run `crontab -e` to edit your crontab (use something like `export EDITOR="/usr/bin/nano"` if vim isn't your style). Edit to: -`0 0 * * * /root/.https/acme.sh --cron --home /root/.https >>/root/.https/log.txt 2>&1` +`0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --pre-hook "iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME" --post-hook "iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME" --reloadcmd "/etc/init.d/uhttpd restart" >> /root/.acme.sh/log.txt 2>&1` -### Meta-Step 5: Use a fancy setup script instead -See [this gist](https://gist.github.com/t413/3e616611299b22b17b08baa517d2d02c) for my `update.sh` that handles each step of this howto for you and also runs the cron update.. with style. (It automates opening port-80 traffic for verification then closes it again so http isn't even an option) +### Step 5: Configure Firewall +Open or Forward LUCI Port for external access. (use Webinterface) -## Here is another guide which may help you: +## Other stuff which may help you: https://forum.openwrt.org/viewtopic.php?id=65090 +https://gist.github.com/t413/3e616611299b22b17b08baa517d2d02c