# Let's Encrypt Certificates for Turris Omnia

This config utilises the Acme.sh client to issue Let's Encrypt certificates for use with the Turris Omnia web interface.

If you're looking to issue and manage just a single certificate within OpenWrt, see the official, package-based solution at https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT.

Adapted in part from the instructions at https://doc.turris.cz/doc/en/public/letencrypt_turris_lighttpd for improved security and simplicity; this setup should work fine for other OpenWrt devices using lighttpd.
## Key features

- Uses the Acme.sh client for free TLS certificates
- Uses hook scripts to simplify the issue and renewal process
- Opportunistically opens and closes firewall port 80
- Restarts lighttpd to deploy certificates (requires lighttpd 1.4.53 for `ssl.privkey` support)
- Configures lighttpd for TLSv1.3 only, following Mozilla's config generator
- Disables lighttpd from running insecurely on port 80
- HSTS handles the odd case where you forget or are too lazy to type in the `https://` at the start. Just load the `https://` URL once and your browser will remember for you forever.
## Installation

This installs the project and files in `/srv`, which is the default path for external storage on a Turris device, but you can install wherever you'd like.

1. Download this project:

   ```sh
   opkg install git-http
   git clone https://github.com/davidjb/turris-omnia-tls.git /srv/turris-omnia-tls
   ```

2. Determine the latest version of `acme.sh` by checking https://github.com/acmesh-official/acme.sh/releases. Note the release version (which is the tag name); you'll use it in the next step, substituting for `[VERSION]`.

3. Install the `acme.sh` client and its dependency, `socat`:

   ```sh
   opkg install socat
   git clone https://github.com/acmesh-official/acme.sh -b [VERSION] /srv/acme.sh
   cd /srv/acme.sh
   ./acme.sh --install --home /srv/.acme.sh --nocron
   ```

4. Disable the existing SSL configuration:

   ```sh
   mv /etc/lighttpd/conf.d/ssl-enable.conf /etc/lighttpd/conf.d/ssl-enable.conf.disabled
   ```

5. Lighttpd needs to stop listening on port 80, so modify `/etc/lighttpd/lighttpd.conf` to comment out this line:

   ```
   $SERVER["socket"] == "[::]:80" { }
   ```

6. Stop lighttpd; we will enable it again shortly:

   ```sh
   /etc/init.d/lighttpd stop
   ```

7. Issue the certificate:

   ```sh
   /srv/turris-omnia-tls/cert-issue.sh your.domain.com
   ```

8. Reconfigure lighttpd with the supplied custom configuration:

   ```sh
   cp /srv/turris-omnia-tls/lighttpd_custom.conf /etc/lighttpd/conf.d/
   ```

   Inside this file, replace the `domain.example.com` placeholders with your FQDN. You can do this automatically by running the following command, taking care to specify your FQDN in place of `[YOUR.DOMAIN.COM]`:

   ```sh
   sed -i 's/domain.example.com/[YOUR.DOMAIN.COM]/g' /etc/lighttpd/conf.d/lighttpd_custom.conf
   ```

9. Restart `lighttpd`:

   ```sh
   /etc/init.d/lighttpd start
   ```

10. Add a crontab entry for renewal; pick a random minute and hour:

    ```sh
    echo '34 0 * * * /srv/turris-omnia-tls/cert-renew.sh > /dev/null' >> /etc/crontabs/root
    ```

    The renewal process will automatically re-use the settings for certificates that were issued.
## Issuing more certificates

Run the following:

```sh
/srv/turris-omnia-tls/cert-issue.sh extra.example.com
```

Note that this will automatically configure the relevant hooks to run before and after certificate issuance. If you want to adjust this behaviour, you can either copy and customise the command inside `cert-issue.sh` before you run it the first time, or modify the configuration that acme.sh generates in `/etc/lighttpd/certs/extra.example.com/extra.example.com.conf`, where `extra.example.com` is the name of your domain.
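The hook pattern behind the installation steps and the `cert-issue.sh` behaviour described above, written out as an added example; this is not the project's own `cert-issue.sh`, `cert-renew.sh` or `lighttpd_custom.conf`. It assumes the `acme.sh` layout from the installation steps (`/srv/acme.sh`, home `/srv/.acme.sh`, certificates under `/etc/lighttpd/certs/<domain>/` using acme.sh's own `fullchain.cer` and `<domain>.key` file names), uses acme.sh's `--standalone`, `--pre-hook`, `--post-hook`, `--reloadcmd`, `--cert-home` and `--cron` options and OpenWrt's standard `uci` firewall rule fields, and takes the script path `/srv/turris-omnia-tls/tls-hooks.sh`, the firewall section name `acme_http` and the lighttpd template as hypothetical or constructed. Two points it adds over the steps themselves: the domain is validated before it is interpolated into the acme.sh command line or the `sed` replacement (the README's `sed` takes the name verbatim and its unescaped dots match any character), and the firewall rule is named so the post-hook removes exactly that rule, with a trap so it cannot linger if renewal is interrupted.

```shell
#!/bin/sh
# Added example, not code from turris-omnia-tls: the issue/renew hook pattern
# the README describes, as one dispatchable script. Assumptions (labelled):
#  - acme.sh is installed as above (/srv/acme.sh, home /srv/.acme.sh) and
#    certificates live under /etc/lighttpd/certs/<domain>/ (acme.sh's own
#    fullchain.cer and <domain>.key names);
#  - SELF is a hypothetical install path for this script, used as the hook.
set -eu

ACME_BIN="/srv/acme.sh/acme.sh"
ACME_HOME="/srv/.acme.sh"
CERT_HOME="/etc/lighttpd/certs"
SELF="/srv/turris-omnia-tls/tls-hooks.sh"   # hypothetical path

# DRY_RUN=1 prints each composed command instead of executing it, so the
# exact acme.sh invocation can be reviewed before the firewall is touched.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a well-formed lowercase FQDN before it is interpolated into a
# command line or a sed expression (the README's sed takes the name verbatim).
valid_fqdn() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Pre-hook: a named uci rule admitting TCP/80 from WAN for the HTTP-01
# challenge. Naming the section lets the post-hook remove exactly this rule.
fw_open() {
    uci set firewall.acme_http=rule
    uci set firewall.acme_http.name='acme-http-01'
    uci set firewall.acme_http.src='wan'
    uci set firewall.acme_http.proto='tcp'
    uci set firewall.acme_http.dest_port='80'
    uci set firewall.acme_http.target='ACCEPT'
    uci commit firewall
    /etc/init.d/firewall reload
}

# Post-hook: close the port again whether or not issuance succeeded.
fw_close() {
    uci -q delete firewall.acme_http || true
    uci commit firewall
    /etc/init.d/firewall reload
}

# Issue with --standalone (acme.sh answers the challenge itself via socat);
# the hooks bracket the exposure of port 80 and lighttpd restarts afterwards.
issue_cert() {
    domain="$1"
    valid_fqdn "$domain" || { echo "refusing invalid domain: $domain" >&2; return 1; }
    run "$ACME_BIN" --home "$ACME_HOME" --cert-home "$CERT_HOME" \
        --issue --standalone -d "$domain" \
        --pre-hook "$SELF fw-open" --post-hook "$SELF fw-close" \
        --reloadcmd "/etc/init.d/lighttpd restart"
}

# Renewal for cron: acme.sh re-runs the stored hooks; the trap is a fallback
# so the rule cannot linger if acme.sh is killed between pre- and post-hook.
renew_all() {
    trap fw_close EXIT
    run "$ACME_BIN" --home "$ACME_HOME" --cron
}

# Constructed stand-in for lighttpd_custom.conf (the project's file is not
# reproduced): TLS 1.3 only per Mozilla's modern profile, separate
# ssl.privkey (lighttpd >= 1.4.53) and HSTS, with the README's placeholder.
TEMPLATE='$SERVER["socket"] == "[::]:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/domain.example.com/fullchain.cer"
    ssl.privkey = "/etc/lighttpd/certs/domain.example.com/domain.example.com.key"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3")
    setenv.add-response-header = ("Strict-Transport-Security" => "max-age=63072000")
}'

# Safer form of the README's sed step: the domain is validated first, and the
# dots in the placeholder are escaped so it cannot match unrelated text.
render_conf() {
    domain="$1"
    valid_fqdn "$domain" || return 1
    printf '%s\n' "$TEMPLATE" | sed "s/domain\.example\.com/$domain/g"
}

# Dispatch: issue <fqdn> | renew | fw-open | fw-close | render <fqdn>
case "${1:-}" in
    issue)    issue_cert "$2" ;;
    renew)    renew_all ;;
    fw-open)  fw_open ;;
    fw-close) fw_close ;;
    render)   render_conf "$2" ;;
esac
```

Run `DRY_RUN=1 ./tls-hooks.sh issue your.domain.com` first to see the acme.sh command that would be executed, and `./tls-hooks.sh render your.domain.com > /etc/lighttpd/conf.d/lighttpd_custom.conf` to produce the substituted configuration; the cron line from the installation steps would then call `./tls-hooks.sh renew`.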
## Upgrading acme.sh

Run the following; after fetching, you'll see the latest version tag:

```sh
cd /srv/acme.sh
git fetch
git checkout [VERSION]
./acme.sh --install --home /srv/.acme.sh --nocron
```
## License

MIT. See LICENSE.txt.