
cannot import my own ssl certificate #541

Open
mmurza opened this issue Feb 19, 2024 · 4 comments
Labels
suppport This most probably not a bug, but rather a support request. This can become a bug eventualluy.

Comments

@mmurza

mmurza commented Feb 19, 2024

Router Model Affected
Models: RT-AX92U

Firmware Version Affected

  • 3004.388.6_0-gnuton0_beta2
  • Unstable: 3004.388.6_0-gnuton0_beta1

Is this bug present in upstream Merlin releases too?
I don't know.
But issue NOT present on:

  • Stable: 3004.388.5_0-gnuton1

Describe the bug
Cannot import my own SSL certificate for https interface (via "Webui SSL Certificate" section on WAN \ DDNS).
The upload web interface opens and all seems to be OK - I can upload the certificate and key files. But this has no effect - the changes are reverted back to auto (locally generated SSL certificate).
Even if there was a working custom certificate on the previous firmware version (e.g. 388.5 stable), after upgrading to 388.6 beta the web interface reverts to the locally generated SSL certificate.

To Reproduce
Steps to reproduce the behavior:

  1. Go to WAN \ DDNS in web interface
  2. Under the section "Webui SSL Certificate", select "Import Your Own Certificate", click upload
  3. Using upload web interface, select certificate and key files from your PC. Upload, Apply
  4. See https interface - it reverts back to auto (locally generated certificate). Same could be seen on the browser interface (warning for https with untrusted ssl certificate)

Tried renaming the certificate and key files before upload (some forums suggested exact names are required: cert.pem and key.pem respectively).
Also tried making the changes via SSH (this works on the 388.5 stable release for the RT-AX92U in a mesh configuration, where the web interface is not available); this no longer works on this 388.6 beta either:

create or upload certificate and key files under /tmp/etc
/tmp/etc/cert.pem
/tmp/etc/key.pem

then:
cd /tmp
tar zcvf cert.tgz etc/cert.pem etc/key.pem
mv /jffs/cert.tgz /jffs/cert.tgz.bak
mv cert.tgz /jffs/
service restart_httpd

Expected behavior
Selection stays on "Import Your Own Certificate" on web interface under WAN \ DDNS (Webui SSL Certificate), details of imported certificate shown below.

Screenshots
[screenshot attached to the original issue]

@mmurza mmurza added the bug Something isn't working label Feb 19, 2024
@mmurza
Author

mmurza commented Feb 19, 2024

My certificate is issued by a local CA
CN = router.asus.com

Subject alternative names:
DNS Name=router.asus.com
DNS Name=asusrouter.com
DNS Name=router.local
DNS Name=repeater.local
DNS Name=ownDistinctName.asuscomm.com
DNS Name=mesh1.local
DNS Name=mesh2.local
DNS Name=mesh3.local
IP Address=192.168.localIP1
IP Address=192.168.localIP2
IP Address=192.168.localIP3
IP Address=192.168.localIP4
IP Address=192.168.localIP5

Log entries containing the word cert while trying to upload the custom certificate:

Feb 19 10:44:18 httpd: Delete uploaded certificate
Feb 19 10:44:20 rc_service: httpds 13801:notify_rc restart_ddns;prepare_cert;restart_webdav
Feb 19 10:44:20 custom_script: Running /jffs/scripts/service-event (args:  prepare_cert)
Feb 19 10:44:21 inadyn[21672]: Certificate verification error:num=20:unable to get local issuer certificate:depth=0:/C=TW/ST=Taipei/O=ASUSTeK COMPUTER INC./CN=ns1.asuscomm.com
Feb 19 10:44:21 inadyn[21672]: Certificate verification error:num=21:unable to verify the first certificate:depth=0:/C=TW/ST=Taipei/O=ASUSTeK COMPUTER INC./CN=ns1.asuscomm.com

@gnuton
Owner

gnuton commented Feb 23, 2024

The problem is in the certificate chain verification.

openssl s_client -connect ns1.asuscomm.com:443

should fail. I tested it on beta2 but it works for me. ATM I cannot reproduce it.

@gnuton gnuton added suppport This most probably not a bug, but rather a support request. This can become a bug eventualluy. and removed bug Something isn't working labels Feb 25, 2024
@mmurza
Author

mmurza commented Mar 4, 2024

I guess, then, there's something wrong with my generated certificate :/
Tried uploading my CA certificate and CA key - all works well: the pair is accepted as CA, and the router generates a new end-entity certificate using those.
But I'm losing hope of understanding what's wrong with my externally generated end-entity cert...
(there are no relevant log entries, only 'httpd: Delete uploaded certificate')

@mmurza
Author

mmurza commented Mar 4, 2024

And fun fact: the method described below for specifying a custom certificate on the mesh router works.
But not on the main router: after the httpd restart, the certificate is reverted back to the locally generated one.

cd /tmp
mkdir etc
cat << EOF > etc/cert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF

cat << EOF > etc/key.pem
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
EOF

tar zcvf cert.tgz etc/cert.pem etc/key.pem
mv /jffs/cert.tgz /jffs/cert.tgz.bak
mv cert.tgz /jffs/
service restart_httpd
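The thread contains two things a practitioner can check before copying anything to the router: the packaging procedure (etc/cert.pem and etc/key.pem inside /jffs/cert.tgz, as in the first post and the comment above) and gnuton's point that the rejection comes from certificate chain verification. The script below is an added example, not code from this issue or from the gnuton firmware. It assumes the openssl CLI and a tar that accepts -C (GNU or busybox); the CA, hostnames and IP it generates are constructed test data so the checks can be run offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the gnuton firmware or this issue. Pre-flight
# checks for a custom httpd certificate before packaging it into the
# /jffs/cert.tgz layout (etc/cert.pem + etc/key.pem) used in the thread.
# Assumes the openssl CLI and a tar that accepts -C (GNU or busybox).

# 0 if the private key in $2 belongs to the certificate in $1
# (compares the public key derived from each; a mismatched pair is one
# reason a web UI may silently discard an upload).
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if leaf certificate $1 verifies against CA bundle $2: an offline form of
# the chain verification gnuton refers to.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if certificate $1 carries DNS name $2 in its subjectAltName.
san_has_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -E -q "DNS:$2(,|$)"
}

# Package $1 (cert) and $2 (key) as $3 with the etc/cert.pem and etc/key.pem
# member names the thread uses; pass $3 as an absolute path.
build_cert_tgz() {
    work=$(mktemp -d) || return 1
    mkdir "$work/etc" || return 1
    cp "$1" "$work/etc/cert.pem" && cp "$2" "$work/etc/key.pem" || return 1
    chmod 600 "$work/etc/key.pem"
    tar -zcf "$3" -C "$work" etc/cert.pem etc/key.pem
    rc=$?
    rm -rf "$work"
    return $rc
}

# Run every check against cert $1, key $2, CA $3 and hostname $4; report each
# and return non-zero if any of them failed.
preflight() {
    fail=0
    cert_key_match "$1" "$2" && echo "key matches certificate: ok" \
        || { echo "key does NOT match certificate"; fail=1; }
    verify_chain "$1" "$3" && echo "chain verifies against CA: ok" \
        || { echo "chain does NOT verify against CA"; fail=1; }
    san_has_dns "$1" "$4" && echo "SAN contains $4: ok" \
        || { echo "SAN is missing $4"; fail=1; }
    return $fail
}

# Constructed test PKI (throwaway CA plus a leaf for router.asus.com) so the
# checks can be exercised offline. Writes ca.crt, ca.key, cert.pem, key.pem
# and an unrelated other.key into directory $1.
make_test_pki() {
    d=$1
    mkdir -p "$d" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
    printf 'subjectAltName=DNS:router.asus.com,DNS:router.local,IP:192.168.50.1\n' > "$d/leaf.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.cnf" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=router.asus.com" \
        -keyout "$d/key.pem" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/leaf.cnf" -out "$d/cert.pem" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
}

# Usage with real files (run on a PC, then copy the archive to /jffs):
#   preflight cert.pem key.pem ca.crt router.asus.com \
#     && build_cert_tgz cert.pem key.pem /tmp/cert.tgz
```

Running preflight on the files first means a key that does not belong to the certificate, a leaf that does not chain to the CA you expect, or a SAN that lacks the name you browse to is caught on the workstation, rather than showing up only as "httpd: Delete uploaded certificate" in the router log.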
