
It is needlessly confusing, even with the OpenWRT GUI interface...


opkg update

opkg install luci-ssl-openssl luci-app-uhttpd

Configuration File(s) Location(s)


Default location for HTTPS / Certificate related files: /etc

Working Configuration File (with a catch)

The catch is that the uhttpd.crt and uhttpd.key files must exist (read on).

config uhttpd 'main'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	list listen_http ''
	list listen_https ''
	option redirect_https '1'

config cert 'defaults'
	option days '730'
	option key_type 'rsa'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

Configuring SSL with the LuCI GUI

Here's why the GUI is a bit misleading: There are two buttons that prompt one to "Select file". What it doesn't say is that the "Remove old certificate and key" Button will not work reliably unless the above information is configured in the /etc/config/uhttpd file.

In fact, after an hour of testing, the LuCI HTTPD GUI was so wonky and unpredictable that it became pointless to give explicit directions. Add to that a rather curious feature: clicking on the "Remove old certificate and key" Button redirects to a URL that claims it "can't display this page", yet it is the exact same URL that one can go "back" to, and that one works.

Items of Note

The "Redirect all HTTP to HTTPS" check box should be renamed to "Redirect all HTTP to HTTPS (if HTTPS is available)". I.e., if that check box / setting is enabled AND HTTPS is not functional, HTTP will work. This is a good thing. Otherwise the LuCI GUI wouldn't work.

The "Remove configuration for certificate and key" button should have its help information rewritten to this: Clicking this button will result in the deletion of HTTPS related certificate information. This includes settings and the files (/etc/uhttpd.crt and /etc/uhttpd.key by default).

Do not put in the entry: list listen_https ''

...unless this is also set to enabled: option redirect_https '1' (if it isn't set to enabled, the above 443 entry by itself will break access to port 80)

The "Add" Button is misleading because of its placement. It has nothing to do with certificates. It generates configuration for an additional instance of the LuCI GUI. Really useful. Not.

The "Remove old certificate and key" Button is very unpredictable, based on too many variables to keep track of. See above section on how to manipulate it into creating a certificate file. Wow! Here's an idea: What about a button that says "Generate New Certificate (based on the below information)"* (*Note: This will delete the old certificate related information and replace it with new information.) Oh, and also make it work by having some GUI validation that doesn't allow the use-HTTPS check box to be checked unless there is certificate information available. And about a dozen other things.

Bottom line is that this LuCI GUI is rough and needs some tweaks. You're better off using text files to configure UHTTPD.
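
A pre-flight check for the two conditions described on this page (the cert and key files named in the config must exist, and listen_https should be paired with redirect_https '1'), as an added example that is not part of the original page or of OpenWrt. The function names and the optional ROOT argument are hypothetical, and the config file is read directly with awk rather than through uci.

```shell
#!/bin/sh
# Added example, not from the original page. POSIX sh + awk only.

# Print each value of option/list NAME in the "config uhttpd 'main'" section.
# Assumes values contain no spaces (true for the paths and flags used here).
uhttpd_get() {  # usage: uhttpd_get CONFIG_FILE NAME
    awk -v want="$2" -v q="'" '
        $1 == "config" { in_main = ($2 == "uhttpd" && $3 == (q "main" q)); next }
        in_main && ($1 == "option" || $1 == "list") && $2 == want {
            v = $3; gsub(q, "", v); print v
        }' "$1"
}

# Report problems; return 1 if any. ROOT is a hypothetical prefix that lets
# the check run against an unpacked image or a test directory.
check_uhttpd_https() {  # usage: check_uhttpd_https CONFIG_FILE [ROOT]
    conf=$1; root=${2:-}; problems=0
    for opt in cert key; do
        path=$(uhttpd_get "$conf" "$opt")
        if [ -z "$path" ]; then
            echo "option $opt is not set"; problems=$((problems + 1))
        elif [ ! -s "$root$path" ]; then
            echo "$opt file $path is missing or empty"; problems=$((problems + 1))
        fi
    done
    # The page's rule: a listen_https entry needs redirect_https '1'.
    https_entries=$(($(uhttpd_get "$conf" listen_https | wc -l)))
    redirect=$(uhttpd_get "$conf" redirect_https)
    if [ "$https_entries" -gt 0 ] && [ "$redirect" != "1" ]; then
        echo "listen_https is set but redirect_https is not '1'"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: cert/key options set, files absent, no redirect_https.
demo() {
    d=$(mktemp -d)
    printf "config uhttpd 'main'\n\toption cert '/etc/uhttpd.crt'\n\toption key '/etc/uhttpd.key'\n\tlist listen_https ''\n" > "$d/uhttpd"
    check_uhttpd_https "$d/uhttpd" "$d"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "demo config has problems, as constructed"
```

On a router, run check_uhttpd_https /etc/config/uhttpd before restarting uhttpd.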