Problems with Let's Encrypt setup

Hey Guys! :slight_smile:

I wanted to set up Let's Encrypt as described in the documentation (for connecting to Foris and LuCI via HTTPS, and later probably also Nextcloud), but since I'm completely new to this stuff I maybe did something wrong :confused:

So first: I use Windows with PuTTY and WinSCP for SSH and file transfer to the router.

The problem I have is that I can't see anything in /root with WinSCP, and when I try to create the first file I always get "permission denied" :confused:

Here is a screenshot from the SSH session:

The only thing I have done so far is set up an OpenVPN server with the OpenVPN plugin; everything else is "out of the box".

So could anyone maybe help me with what I did wrong? :slightly_smiling_face:

Third line from bottom:

/root/.acme.sh vi add80.gw

You are trying to execute a directory. That’s why you have the error. Get in and then create the file:

cd /root/.acme.sh
vi add80.gw

Btw. read something in advance about the vi editor so you don't get stuck inside it.


Thank you! That was it :slight_smile:

Is there a way to copy the files from the documentation to the router, so I don't have to type everything in manually (to avoid mistakes)? I saw that you can download the files and was wondering if it is possible to upload them with this command I found:

user@localmachine:~$ scp C:\users\user\Desktop\add80.gw root@192.168.1.1:/root/.acme.sh/add80.gw

Since I can't see the files in WinSCP, I can't copy them with the program.

Just copy and paste, young padawan :slight_smile:

You can copy from the documentation page directly into the vi editor. It is just a few pieces of text. Vi is not very user friendly on the first attempt, but give it a few minutes with some tutorial and you're done.

Yeah, I just found in a tutorial that I can just right-click in PuTTY to paste :smiley:

Damn xD not that hard actually xD

But again, thank you! I'm just starting and hope to get better at this soon :slight_smile:

So I have now created the two files and want to start get_acme.sh, and then this comes up :confused:
But when I look with vi I find the add80 file, and it has everything in it o.O

root@turris:~# /root/.acme.sh/get_acme.sh
cat: can't open 'add80.gw': No such file or directory
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[2] (newzone) has no device, network, subnet or extra options
Warning: Section @zone[2] (newzone) has no device, network, subnet or extra options
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Clearing IPv4 raw table
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule #7
   * Rule #8
   * Rule 'vpn_turris_rule'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn_turris' -> 'lan'
   * Forward 'lan' -> 'vpn_turris'
   * Forward 'vpn_turris' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Clearing IPv6 raw table
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule #7
   * Rule #8
   * Rule 'vpn_turris_rule'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn_turris' -> 'lan'
   * Forward 'lan' -> 'vpn_turris'
   * Forward 'vpn_turris' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/share/firewall/turris'
   ! Skipping due to path error: No such file or directory
 * Running script '/etc/firewall.d/with_reload/firewall.include.sh'
 * Running script '/usr/share/miniupnpd/firewall.include'
/root/.acme.sh/get_acme.sh: line 17: can't open DOMAIN: no such file
/root/.acme.sh/get_acme.sh: line 20: can't open DOMAIN: no such file
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[2] (newzone) has no device, network, subnet or extra options
Warning: Section @zone[2] (newzone) has no device, network, subnet or extra options
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Clearing IPv4 raw table
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule #7
   * Rule #8
   * Rule 'vpn_turris_rule'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn_turris' -> 'lan'
   * Forward 'lan' -> 'vpn_turris'
   * Forward 'vpn_turris' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Clearing IPv6 raw table
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule #7
   * Rule #8
   * Rule 'vpn_turris_rule'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn_turris' -> 'lan'
   * Forward 'lan' -> 'vpn_turris'
   * Forward 'vpn_turris' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'newzone'
   * Zone 'vpn_turris'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/share/firewall/turris'
   ! Skipping due to path error: No such file or directory
 * Running script '/etc/firewall.d/with_reload/firewall.include.sh'
 * Running script '/usr/share/miniupnpd/firewall.include'

Two issues there.

First, you are not located in the correct directory:

All things are going to happen in /root/.acme.sh (default setup).

I modified the guide to contain absolute paths everywhere now to avoid this trouble.

Second: you did not replace the placeholder with your domain name, the one for which you are trying to get the certificate.
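The two mistakes named in this reply (a relative path instead of /root/.acme.sh, and a <DOMAIN>/<TURRIS_IP> placeholder left in place) are easy to catch before running anything. The script below is an added example, not from the thread or the Turris documentation: a pre-flight check for the helper files. The file names get_acme.sh, add80.gw and renew_acme.sh and the /root/.acme.sh default are taken from this thread; the example.ddns.net domain and the sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Turris documentation: a pre-flight
# check to run before /root/.acme.sh/get_acme.sh. It confirms that the helper
# files exist under an absolute directory, that no unreplaced <PLACEHOLDER>
# tokens (such as <DOMAIN> or <TURRIS_IP>) are left in them, and that the
# requested domain is a DNS name rather than an IP literal. The file names and
# the ACME_DIR default are taken from the thread; the demo data is constructed.

ACME_DIR="${ACME_DIR:-/root/.acme.sh}"

# is_abs_path PATH -> 0 when PATH starts with '/'
is_abs_path() {
  case "$1" in
    /*) return 0 ;;
    *)  return 1 ;;
  esac
}

# has_placeholder FILE -> 0 when FILE still contains an <UPPER_CASE> token
has_placeholder() {
  grep -Eq '<[A-Z_]+>' "$1"
}

# is_ipv4_literal STRING -> 0 when STRING is a dotted quad such as 192.168.1.1
is_ipv4_literal() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# check_domain NAME -> 0 when NAME is usable as the certificate subject:
# not empty, not a placeholder, not an IP literal, and a dotted host name.
check_domain() {
  name=$1
  [ -n "$name" ] || return 1
  is_ipv4_literal "$name" && return 1
  case "$name" in
    *\<*|*\>*) return 1 ;;   # placeholder brackets still present
    *.*)       return 0 ;;   # looks like a fully qualified name
    *)         return 1 ;;
  esac
}

# preflight DIR FILE... -> 0 when DIR is absolute and every FILE exists in DIR
# with no placeholder left; prints each problem it finds.
preflight() {
  dir=$1
  shift
  status=0
  is_abs_path "$dir" || { echo "not an absolute path: $dir"; status=1; }
  for f in "$@"; do
    path="$dir/$f"
    if [ ! -f "$path" ]; then
      echo "missing: $path"
      status=1
    elif has_placeholder "$path"; then
      echo "unreplaced placeholder in $path:"
      grep -En '<[A-Z_]+>' "$path"
      status=1
    fi
  done
  return "$status"
}

# Demonstration on a constructed sample directory standing in for /root/.acme.sh.
demo() {
  tmp=$(mktemp -d)
  printf 'DOMAIN=<DOMAIN>\n' > "$tmp/get_acme.sh"
  printf 'dest_ip <TURRIS_IP>\n' > "$tmp/add80.gw"
  echo "== before editing the files"
  preflight "$tmp" get_acme.sh add80.gw renew_acme.sh || echo "preflight failed (expected)"
  printf 'DOMAIN=example.ddns.net\n' > "$tmp/get_acme.sh"
  printf 'dest_ip 192.168.1.1\n' > "$tmp/add80.gw"
  printf 'DOMAIN=example.ddns.net\n' > "$tmp/renew_acme.sh"
  echo "== after editing the files"
  preflight "$tmp" get_acme.sh add80.gw renew_acme.sh && echo "preflight passed"
  check_domain example.ddns.net && echo "example.ddns.net is a usable domain"
  check_domain 192.168.1.1 || echo "192.168.1.1 is an IP literal, not a domain"
  rm -rf "$tmp"
}

demo

# On the router itself, run the same check against the real directory.
if [ -d "$ACME_DIR" ]; then
  preflight "$ACME_DIR" get_acme.sh add80.gw renew_acme.sh
fi
```

The placeholder pattern is deliberately generic (any <UPPER_CASE> token), so it also catches a third placeholder the guide might add later; the domain check rejects an IP literal because Let's Encrypt issues certificates for DNS names, which is exactly the confusion in the next post.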

Ahh, thank you! :slight_smile:

So if I copy it now, there should be no problem with the paths?

And a stupid question, but the domain would be the IP of my router (or later Nextcloud), am I right?

So in add80.gw I change the line '<TURRIS_IP>' to '192.168.1.1', and in the other file shall I also change it to <192.168.1.1>?

Well, to be fully honest, I suggest you stop playing with the Turris command line and study a bit of general Linux knowledge first, before you break your unit.
Turris is a nice and robust device even for an unskilled user, but only if you stay in the UI. Otherwise the knowledge is needed.

In general you should study at least the basics of the Linux command line: how it works, what the logic is, basic commands.
E.g. this one looks fine: http://linuxcommand.org/

And for Let's Encrypt you should understand what you want to do and why. Right now you don't.
Some overview is e.g. here: http://www.steves-internet-guide.com/ssl-certificates-explained/

Okay :smiley: sorry for that :confused:

Then I'd better do that. Thank you for the links :slight_smile: I will read through them :slight_smile:

I followed the instructions at Turris Documentation. Everything seems to be working correctly until I try to access Foris or LuCI, then I just get:

This site can’t be reached
192.168.1.1 refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

I’m using a ddns service (noip.com).
Just to check, is the following correct?
In add80.gw <TURRIS_IP> is 192.168.1.1
In get_acme.sh and renew_acme.sh it is xxx.ddns.net, where xxx.ddns.net is my domain?

Below is the output of running get_acme.sh; you can see I get a couple of warnings / errors.

root@turris:/etc/lighttpd# /root/.acme.sh/get_acme.sh 
Warning: Unable to locate ipset utility, disabling ipset support
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Clearing IPv4 raw table
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule #7
   * Rule #8
   * Redirect 'Turris  Lets encrypt'
   * Forward 'lan' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Redirect 'Turris  Lets encrypt'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Clearing IPv6 raw table
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule #7
   * Rule #8
   * Forward 'lan' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/share/firewall/turris'
   ! Skipping due to path error: No such file or directory
 * Running script '/etc/firewall.d/with_reload/firewall.include.sh'
 * Running script '/usr/share/miniupnpd/firewall.include'
[Sat May 26 09:16:57 BST 2018] Domains not changed.
[Sat May 26 09:16:57 BST 2018] Skip, Next renewal time is: Wed Jul 25 07:12:37 UTC 2018
[Sat May 26 09:16:57 BST 2018] Add '--force' to force to renew.
[Sat May 26 09:16:57 BST 2018] Installing cert to:/etc/lighttpd/host.crt
[Sat May 26 09:16:57 BST 2018] Installing key to:/etc/lighttpd/host.key
[Sat May 26 09:16:57 BST 2018] Installing full chain to:/etc/lighttpd/fullchain.crt
[Sat May 26 09:16:57 BST 2018] Run reload cmd: cat /etc/lighttpd/host.crt /etc/lighttpd/host.key > /etc/lighttpd/hostkey.pem
[Sat May 26 09:16:57 BST 2018] Reload success
Warning: Unable to locate ipset utility, disabling ipset support
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Clearing IPv4 raw table
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule #7
   * Rule #8
   * Forward 'lan' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Clearing IPv6 raw table
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule #7
   * Rule #8
   * Forward 'lan' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/share/firewall/turris'
   ! Skipping due to path error: No such file or directory
 * Running script '/etc/firewall.d/with_reload/firewall.include.sh'
 * Running script '/usr/share/miniupnpd/firewall.include'

Any help much appreciated. I'm not new to Linux, but it seems I'm just butting up against issues with everything I try to do with this router!

It is logical that your browser complains. You will have to allow an exception there.

With the Let's Encrypt script you generated a certificate for the <DOMAIN> value in acme.sh, so for xxx.ddns.net.

But in the local network you are accessing the local IP 192.168.1.1, which does not correspond to the DNS name stored in the certificate. Local IPs cannot be put in certificates (with Let's Encrypt or public certification authorities).

So you have two options: access the router over the internet even from home, or put a record in your hosts file pointing xxx.ddns.net to the local IP.

It sounds like you're suggesting that the certificate is causing my problem. However, the error that Chrome is reporting does not seem like a certificate error to me. I would have said that it seems more like the router isn't listening on port 80 any more, or the firewall is blocking it…

OK, I did not expect something so obvious.

You want a certificate to be used for HTTPS. HTTPS does not use port 80 but 443. It is part of the modification guide:

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/hostkey.pem"
        ssl.ca-file = "/etc/lighttpd/fullchain.crt"
}
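The last two replies describe two different failures that look alike from the browser: a certificate issued for xxx.ddns.net presented at https://192.168.1.1 (a name mismatch, which the browser reports as a certificate warning), and nothing listening on port 443 at all (which Chrome reports as "refused to connect"). The script below is an added example, not from the thread or the Turris documentation, that tells the two apart offline: a small dNSName matcher in the style of RFC 6125 for the first case, and a check that a lighttpd config contains the `$SERVER["socket"] == ":443"` block with ssl.engine enabled for the second. The names xxx.ddns.net and the hostkey.pem/fullchain.crt paths come from the thread; example.net and the sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Turris documentation. Two checks
# that separate the failure modes discussed above:
#   1. san_matches / cert_matches_host: does the name typed into the browser
#      match a dNSName in the certificate? (mismatch -> certificate warning)
#   2. lighttpd_tls_socket_ok: does the lighttpd config have a ":443" socket
#      with ssl.engine enabled? (no listener -> "refused to connect")
# Sample names and config snippets below are constructed for the demo.

# san_matches HOST SAN -> 0 when HOST matches one dNSName entry SAN.
# Matching is case-insensitive and a leading "*." stands for exactly one
# label (RFC 6125). An IP literal typed as HOST never matches a dNSName,
# which is why https://192.168.1.1 cannot satisfy a cert for xxx.ddns.net.
san_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$host" in
    *[!0-9.]*) ;;        # contains a letter or other character: a DNS name
    *) return 1 ;;       # digits and dots only: an IPv4 literal
  esac
  case "$san" in
    '*.'*)
      suffix=${san#\*.}
      label=${host%%.*}
      rest=${host#*.}
      # exactly one label in front of the wildcard suffix
      [ -n "$label" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$host" = "$san" ]
      ;;
  esac
}

# cert_matches_host HOST SAN... -> 0 when any SAN matches HOST
cert_matches_host() {
  host=$1
  shift
  for san in "$@"; do
    san_matches "$host" "$san" && return 0
  done
  return 1
}

# lighttpd_tls_socket_ok CONFIG -> 0 when CONFIG contains a
# $SERVER["socket"] == ":443" block that enables ssl.engine and sets ssl.pemfile.
lighttpd_tls_socket_ok() {
  awk '
    /SERVER\[.socket.\][ \t]*==[ \t]*.:443./     { inblock = 1 }
    inblock && /ssl\.engine[ \t]*=[ \t]*.enable./ { engine = 1 }
    inblock && /ssl\.pemfile[ \t]*=/              { pem = 1 }
    inblock && /^[ \t]*}/                         { inblock = 0 }
    END { if (engine && pem) exit 0; exit 1 }
  ' "$1"
}

# Demonstration with constructed inputs.
demo() {
  for host in xxx.ddns.net XXX.DDNS.NET 192.168.1.1; do
    if cert_matches_host "$host" xxx.ddns.net; then
      echo "$host: name matches the certificate"
    else
      echo "$host: name mismatch; use the DNS name (e.g. via a hosts file entry)"
    fi
  done
  tmp=$(mktemp -d)
  printf 'server.port = 80\n' > "$tmp/plain.conf"
  printf '$SERVER["socket"] == ":443" {\n    ssl.engine = "enable"\n    ssl.pemfile = "/etc/lighttpd/hostkey.pem"\n    ssl.ca-file = "/etc/lighttpd/fullchain.crt"\n}\n' > "$tmp/tls.conf"
  for c in plain.conf tls.conf; do
    if lighttpd_tls_socket_ok "$tmp/$c"; then
      echo "$c: HTTPS listener on :443 is configured"
    else
      echo "$c: no TLS socket on :443; the browser reports 'refused to connect'"
    fi
  done
  rm -rf "$tmp"
}

demo
```

The order of the checks mirrors how a connection fails: if no socket is listening on 443, the TCP connection is refused before any certificate is exchanged, so a name mismatch can only appear once the lighttpd block above is in place. The hosts-file workaround from the earlier reply works because it changes the name the browser presents (xxx.ddns.net) without changing the address it connects to.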