HTTPS may look useless on the intranet, but that is not necessarily the case when the router is accessed from the internet.
Adding an SSL certificate to OpenWrt is not as difficult as you might imagine. I didn't compile OpenSSL into my firmware, and I don't need it. When testing, I compiled it on the fly with default access via HTTPS. It feels a bit meaningless to enable it in the official version without using the intranet.
To add an SSL certificate to OpenWrt, you first need an SSL certificate. Here I use Goose Cloud (which provides free SSL certificates). I applied for an ECC 256 encryption algorithm certificate.
Download the certificate, selecting Nginx as the certificate server type. From the compressed package you only need the key (.key) and certificate (.crt) files.
Use the firmware's built-in file management to find a place to put them. Here I choose /www and upload the two files to that location.
Check that the upload succeeded with the command: cd /www && ls
If the firmware has no file management, you can upload the files with your preferred SSH tool. Here is the command as run in the Windows terminal, for reference only: scp C:\Users\[user]\Desktop\****.crt [email protected]:/www
Edit the uhttpd configuration with vim: vi /etc/config/uhttpd
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option redirect_https '0'
option home '/www'
option rfc1918_filter '1'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
Replace /etc/uhttpd.crt in option cert '/etc/uhttpd.crt' with /www/****.crt
Replace /etc/uhttpd.key in option key '/etc/uhttpd.key' with /www/****.key
If you have a public IP, check whether the ISP has blocked port 443. If so, replace 443 in list listen_https '0.0.0.0:443' with your preferred port.
To save and exit vim, press Esc, then Shift + ; (which types :), and type wq (:wq).
Then restart uhttpd: /etc/init.d/uhttpd restart
Test from both the intranet and the internet, and remember to set up port mapping and DDNS domain name resolution. Guangyi IPv6 has no restrictions and can be accessed normally on port 443.
That's how you successfully add the certificate.
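The steps above store the private key in /www, which the same configuration sets as uhttpd's document root (option home '/www'), so before exposing the router to the internet it is worth checking whether the configured key path sits under the web root and who can read the file. The script below is an added example, not part of the original post; the function names uci_opt, check_uhttpd_key and demo, and the demo paths, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit where uhttpd's TLS private key is stored.
# Paths are compared as strings; symlinks are not resolved.

# Print the value of "option <name> '<value>'" from a UCI-style config file.
uci_opt() {  # $1 = config file, $2 = option name
    awk -v name="$2" '$1 == "option" && $2 == name {
        v = $3; gsub(/[\047"]/, "", v); print v; exit }' "$1"
}

# Returns 0 = key outside web root and owner-only, 1 = finding, 2 = cannot tell.
check_uhttpd_key() {  # $1 = uhttpd config, normally /etc/config/uhttpd
    home=$(uci_opt "$1" home)
    key=$(uci_opt "$1" key)
    if [ -z "$home" ] || [ -z "$key" ]; then
        echo "UNKNOWN: 'home' or 'key' not set in $1"; return 2
    fi
    case "$key" in
        "${home%/}"/*)
            echo "FAIL: $key is under the web root $home, so uhttpd can serve it"
            return 1 ;;
    esac
    if [ ! -f "$key" ]; then
        echo "UNKNOWN: $key does not exist"; return 2
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/other; run: chmod 600 $key"
        return 1
    fi
    echo "OK: $key is outside $home and owner-only"
}

# Constructed demo: a throwaway tree mirroring the layout used in the post.
demo() {
    d=$(mktemp -d) && mkdir "$d/www" && : > "$d/www/example.key" || return 2
    printf "config uhttpd 'main'\n\toption home '%s'\n\toption key '%s'\n" \
        "$d/www" "$d/www/example.key" > "$d/uhttpd"
    check_uhttpd_key "$d/uhttpd"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# On the router, audit the live config; elsewhere, run the constructed demo.
if [ -r /etc/config/uhttpd ]; then check_uhttpd_key /etc/config/uhttpd; else demo; fi || true
```

If the check reports the key under the web root, move the key to a directory uhttpd does not serve, such as /etc where the default /etc/uhttpd.key lives, and point option key at the new path before restarting uhttpd.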
This article is synchronized and updated to xLog by Mix Space
The original link is https://www.miaoer.xyz/posts/network/openwrt-ssl