
Let's Encrypt Certificates for Turris Omnia

This config utilises the client to issue Let's Encrypt certificates for use with the Turris Omnia web interface.

If you're looking to issue and manage just a single certificate within OpenWrt, see the official, packaged-based solution at

Adapted in part from the instructions at for improved security and simplicity; this setup should work fine for other OpenWrt devices using lighttpd.

Key features

  • Uses client for free TLS certificates

  • Uses hook scripts to simplify issue and renewal process

  • Opportunistically opens and closes firewall port 80

  • Restarts lighttpd to deploy certificates (requires lighttpd 1.4.53 for ssl.privkey support)

  • Configures lighttpd for TLSv1.3 only following Mozilla's config generator.

  • Disables lighttpd from running insecurely on port 80

    • HSTS handles the odd case where you forget or are too lazy to type in the https:// at the start. Just load the https:// URL once and your browser will remember for you forever.


This installs the project and files in /srv, which is the default path for external storage on a Turris device, but you can install wherever you'd like.

  1. Download this project:

    opkg install git-http
    git clone /srv/turris-omnia-tls
  2. Determine the latest version of by checking Note the release version (which is the tag name); you'll use it in the next step, substituting for [VERSION].

  3. Install client and its dependency, socat:

    opkg install socat
    git clone -b [VERSION] /srv/
    cd /srv/
    ./ --install --home /srv/ --nocron
  4. Disable the existing SSL configuration:

    mv /etc/lighttpd/conf.d/ssl-enable.conf /etc/lighttpd/conf.d/ssl-enable.conf.disabled
  5. Lighttpd needs to stop listening on port 80, so modify /etc/lighttpd/lighttpd.conf to comment out this line:

    $SERVER["socket"] == "[::]:80" {   }
  6. Stop lighttpd; we will enable it again shortly:

    /etc/init.d/lighttpd stop
  7. Issue the certificate:

  8. Reconfigure lighttpd with the supplied custom configuration:

    cp /srv/turris-omnia-tls/lighttpd_custom.conf /etc/lighttpd/conf.d/

    Inside this file, replace the placeholder token with your FQDN. You can do this automatically with sed, putting the placeholder token used in the file in place of [PLACEHOLDER_IN_CONFIG] and your FQDN in place of [YOUR.DOMAIN.COM]:

    sed -i 's/[PLACEHOLDER_IN_CONFIG]/[YOUR.DOMAIN.COM]/g' /etc/lighttpd/conf.d/lighttpd_custom.conf
  9. Restart lighttpd:

    /etc/init.d/lighttpd start
  10. Add crontab entry for renewal; pick a random minute and hour:

    echo '34 0 * * * /srv/turris-omnia-tls/ > /dev/null' >> /etc/crontabs/root

    The renewal process will automatically re-use the settings for certificates that were issued.
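The "opportunistically opens and closes firewall port 80" behaviour listed under Key features, which the issue step relies on, is worth seeing spelled out. The hook below is an added example, not the project's own hook scripts; it assumes OpenWrt's uci firewall with a zone named wan, a standalone-mode ACME client that calls a pre hook and a post hook, and the stock firewall and lighttpd init scripts. The rule is a named uci section so it can always be found and removed, and a stale rule from an interrupted run is cleaned up before a new one is added.

```shell
#!/bin/sh
# Hypothetical pre/post hook for a standalone-mode ACME client on an OpenWrt/Turris
# router (added example, not the project's own hook scripts).
# Assumes: OpenWrt's 'uci' firewall config with a zone called 'wan', that the
# client itself answers on TCP/80 during the challenge (lighttpd is off :80,
# see step 5), and the stock /etc/init.d/firewall and lighttpd init scripts.
set -eu

RULE="acme_http80"            # named uci section: easy to find and delete again
WAN_ZONE="${WAN_ZONE:-wan}"

# The uci commands that open TCP/80 from the WAN zone. Returned as text rather
# than executed, so the plan can be inspected or tested without a router.
plan_open() {
  cat <<EOF
set firewall.${RULE}=rule
set firewall.${RULE}.name='${RULE}'
set firewall.${RULE}.src='${WAN_ZONE}'
set firewall.${RULE}.proto='tcp'
set firewall.${RULE}.dest_port='80'
set firewall.${RULE}.target='ACCEPT'
commit firewall
EOF
}
plan_close() { printf 'delete firewall.%s\ncommit firewall\n' "$RULE"; }

# Feed a plan to 'uci batch' (reads commands from stdin), then reload the firewall.
apply_plan() { uci batch && /etc/init.d/firewall reload; }
rule_exists() { uci -q get "firewall.${RULE}" >/dev/null 2>&1; }

pre_hook() {
  # A rule left behind by an interrupted run is removed before re-adding, so the
  # hole is never duplicated and always lives under the one section name.
  if rule_exists; then plan_close | apply_plan; fi
  plan_open | apply_plan
}

post_hook() {
  # Wire this as the client's post hook; if the client runs post hooks on failure
  # too, the hole is closed whether or not the challenge succeeded.
  if rule_exists; then plan_close | apply_plan; fi
  /etc/init.d/lighttpd restart      # pick up the newly deployed cert and key
}

case "${1:-}" in
  pre)  pre_hook ;;
  post) post_hook ;;
esac
```

Invoke it as `hook.sh pre` and `hook.sh post` from the client's pre- and post-hook options; with no argument it only defines the functions.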

Issuing more certificates

Run the following:


Note that this will automatically configure relevant hooks to run before and after certificate issuance. If you want to adjust this behaviour you can either copy and customise the command inside before you run it the first time, or go and modify the configuration that generates in /etc/lighttpd/certs/, where is the name of your domain.


Run the following; after fetching, you'll see the latest version tag:

cd /srv/
git fetch
git checkout [VERSION]
./ --install --home /srv/ --nocron

Let's Encrypt TLS certificate configuration for the Turris Omnia