I have an ASUS RT-AC68U router with stock firmware, and ever since I changed the authentication method to HTTPS, I have been getting the following certificate errors whenever I access the router through the DDNS URL or 192.168.x.x.

I have tried various tutorials for installing an SSL certificate, but most of them either do not work the way I want or do not work at all. I was finally successful at generating an SSL certificate and installing it on my router over SSH.

A few things to keep in mind before proceeding.

  1. Only https://name.asuscomm.com:8443 works; https://192.168.x.x:8443 will not work.
  2. I will be using SSL For Free, and the certificate will be issued by Let’s Encrypt.
  3. You will need to repeat these steps every 90 days.
  4. I will be using IIS (Internet Information Services) on Windows 10 to make this work. You can also use Apache or any other HTTP server.
  5. You will need to set up some port forwarding so that the CA can reach the HTTP server; I’ll show you how to do that.
  6. You will need to allow access through your computer’s firewall to port 80, or whatever port your HTTP server is listening on.

OK. Let’s start!

  1. Install the IIS Windows features, located under Programs and Features, as shown below.
  2. Now we need to forward ports to the computer your HTTP server is running on.
    1. Log in to your router, click WAN in the left menu, then click the Virtual Server / Port Forwarding tab.
    2. Beside Enable Port Forwarding click Yes, then click Apply. By default HTTP servers run on TCP port 80, but most residential ISPs block port 80, so you have to use a different port such as 81.
    3. Since we are not sure whether the ISP is blocking port 80, we will be using port 81 instead. Enter the information in the Port Forwarding List as shown below.
      Service Name: anything you like, such as Web
      Port Range: 81
      Local IP: either select the hostname or type in the IP address of the computer where the HTTP server is installed
      Local Port: 80
      Protocol: TCP
    4. Click Apply.
  3. Next you will need to allow traffic to TCP port 81 through your computer’s firewall. Most antivirus software uses its own firewall and disables the Windows firewall, so do a Google search to find out how to allow traffic to port 81 for yours. https://portchecker.co is an excellent web site that will tell you whether your site is accessible from outside your network on port 81.
  4. Once your web server is accessible from outside your network:
    1. Visit https://www.sslforfree.com and enter your DDNS name, such as networkname.asuscomm.com:81.
    2. Click Create Free SSL Certificate. On the next page click Manual Verification.
    3. If you have IIS installed, browse to C:\inetpub\wwwroot on your computer and create the two nested folders as explained in step 2, then download the file from step 1 into the acme-challenge folder.
    4. Since IIS restricts viewing of folders whose names start with a period, create a file, rename it to web.config, and copy/paste the following into it.
      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
        <system.webServer>
          <staticContent>
            <mimeMap fileExtension=".*" mimeType="text/xml" />
          </staticContent>
        </system.webServer>
      </configuration>
      This config file lifts the restriction only for the folder in which it is located.
    5. Click Retry Manual Verification and you will see Download SSL Certificates. Either copy/paste both codes or download them.
  5. We are now ready to install the certificate on the router over SSH, using a client such as PuTTY. Execute the following commands, as shown on this site in step 6.
    1. Clean up the existing pem files:
      cd /etc
      rm *.pem
    2. Clean up the existing certificate (twice):
      nvram set https_crt_save=0
      nvram unset https_crt_file
      service restart_httpd
      nvram unset https_crt_file
      service restart_httpd
      nvram get https_crt_file (this should show nothing)
      rm *.pem
    3. Install the new certificate:
      nvram set https_crt_save=1
      Copy the certificate.crt content, run cat > cert.pem, paste it, then press CTRL + D to end editing.
      Copy the private.key content, run cat > key.pem, paste it, then press CTRL + D to end editing.
    4. Restart and generate the cert file:
      service restart_httpd
      nvram get https_crt_file (this should show your cert file)
    5. Now reboot the router by typing reboot into the SSH session.
  6. If you followed step 5 properly and the reboot completed, you should now see something like this when viewing from Google Chrome.
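
After step 6 it is worth checking the router the same way Chrome does. The following Python script is an added example and not part of this tutorial: it fetches the certificate served on port 8443, verifies the chain against the system CA store, confirms the certificate name matches the DDNS name (which is why the 192.168.x.x address still warns), and reports how many days remain before the 90-day Let’s Encrypt certificate must be renewed. The sample certificate dictionary, the 30-day renewal threshold and the hostname name.asuscomm.com are assumptions.

```python
import socket
import ssl
import time

RENEW_WITHIN_DAYS = 30  # assumption: start the 90-day renewal when a month is left

# Constructed sample in the shape socket.getpeercert() returns (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "home.asuscomm.com"),),),
    "subjectAltName": (("DNS", "home.asuscomm.com"),),
    "notAfter": "Mar  1 00:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")  # 59 days earlier


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS SAN (or the CN when no SAN is present).
    A single leading wildcard label such as *.asuscomm.com is honoured."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def assess(cert, hostname, now=None):
    """The checks Chrome makes (name match, validity) plus the renewal reminder."""
    days = days_until_expiry(cert, now)
    return {"name_ok": hostname_matches(cert, hostname),
            "days_left": days, "renew_now": days < RENEW_WITHIN_DAYS}


def fetch_router_cert(hostname, port=8443):
    """Fetch the certificate the router serves; create_default_context() verifies the
    chain, so an SSLCertVerificationError means the self-signed certificate is still active."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Run it as assess(fetch_router_cert("name.asuscomm.com"), "name.asuscomm.com") from a machine outside the LAN, or with 192.168.x.x as the hostname to see the name check fail as described in point 1 above.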
If there is a firmware upgrade, you may have to do step 5 again, as the upgrade loses the certificate and the untrusted certificate comes back.

I hope this tutorial helped you get rid of that ugly error message.
