
Problem with https on uhttpd


ThanhBT


Hi everyone,

I'm using a Mark V and I want HTTPS on uhttpd, so I tried installing uhttpd-mod-tls and luci-ssl, then restarted uhttpd:

root@Pineapple:~# /etc/init.d/uhttpd restart
Generating RSA private key, 1024 bit long modulus
Generating selfsigned certificate with subject 'C=DE;ST=Berlin;L=Berlin;CN=OpenWrt;' and validity 2014-03-24 12:03:50-2016-03-23 12:03:50

Then I tried to access https://172.16.42.1 via web browser, but I got this message:

(Error code: ssl_error_rx_record_too_long)

This is my uhttpd config file:

# Server configuration
config uhttpd main

	option 'index_page' 'index.php'
	option 'error_page' '/index.php'
	# HTTP listen addresses, multiple allowed
	list listen_http	0.0.0.0:80
#	list listen_http	[::]:80

	# HTTPS listen addresses, multiple allowed
	list listen_https	0.0.0.0:443
#	list listen_https	[::]:443

	# Server document root
	option home		/www

	# Reject requests from RFC1918 IP addresses
	# directed to the servers public IP(s).
	# This is a DNS rebinding countermeasure.
	option rfc1918_filter 1

	# Certificate and private key for HTTPS.
	# If no listen_https addresses are given,
	# the key options are ignored.
	option cert		/etc/uhttpd.crt
	option key		/etc/uhttpd.key

	# CGI url prefix, will be searched in docroot.
	# Default is /cgi-bin
	option cgi_prefix	/cgi-bin

	# List of extension->interpreter mappings.
	# Files with an associated interpreter can
	# be called outside of the CGI prefix and do
	# not need to be executable.
	list interpreter	".php=/usr/bin/php-cgi"
#	list interpreter	".cgi=/usr/bin/perl"


	# Lua url prefix and handler script.
	# Lua support is disabled if no prefix given.
#	option lua_prefix	/luci
#	option lua_handler	/usr/lib/lua/luci/sgi/uhttpd.lua

	# CGI/Lua timeout, if the called script does not
	# write data within the given amount of seconds,
	# the server will terminate the request with
	# 504 Gateway Timeout response.
	option script_timeout	60

	# Network timeout, if the current connection is
	# blocked for the specified amount of seconds,
	# the server will terminate the associated
	# request process.
	option network_timeout	30

	# TCP Keep-Alive, send periodic keep-alive probes
	# over established connections to detect dead peers.
	# The value is given in seconds to specify the
	# interval between subsequent probes.
	# Setting this to 0 will disable TCP keep-alive.
	option tcp_keepalive	1

	# Basic auth realm, defaults to local hostname
#	option realm	OpenWrt



# Certificate defaults for px5g key generator
config cert px5g

	# Validity time
	option days		730

	# RSA key size
	option bits		1024

	# Location
	option country		DE
	option state		Berlin
	option location		Berlin

	# Common name
	option commonname	OpenWrt

config uhttpd pineapple
        list listen_http        0.0.0.0:1471
        option home             /pineapple
        option index_page       index.php
        option 'error_page' '/index.php'
	option no_dirlists	1

	# Configuration file in busybox httpd format
	option config	/etc/config/httpd.conf
        option rfc1918_filter 1

        # Certificate and private key for HTTPS.
        # If no listen_https addresses are given,
        # the key options are ignored.
        option cert             /etc/uhttpd.crt
        option key              /etc/uhttpd.key

        # CGI url prefix, will be searched in docroot.
        # Default is /cgi-bin
        option cgi_prefix       /cgi-bin

        # List of extension->interpreter mappings.
        # Files with an associated interpreter can
        # be called outside of the CGI prefix and do
        # not need to be executable.
        list interpreter        ".php=/usr/bin/php-cgi"

        # CGI/Lua timeout, if the called script does not
        # write data within the given amount of seconds,
        # the server will terminate the request with
        # 504 Gateway Timeout response.
        option script_timeout   60

        # Network timeout, if the current connection is
        # blocked for the specified amount of seconds,
        # the server will terminate the associated
        # request process.
        option network_timeout  30

        # TCP Keep-Alive, send periodic keep-alive probes
        # over established connections to detect dead peers.
        # The value is given in seconds to specify the
        # interval between subsequent probes.
        # Setting this to 0 will disable TCP keep-alive.
        option tcp_keepalive    1

Has anyone had the same problem? How can I fix it? Thanks for helping.

P.S.: I see that the 2 files uhttpd.crt and uhttpd.key have been created.


Thanks Sebkinne for your reply,

I tried to follow it to fix that, but I have some issues.

With uhttpd restart it makes 2 files, uhttpd.crt and uhttpd.key.

I had to convert the key and crt to PEM files with 2 commands:

openssl x509 -inform DER -outform PEM -in uhttpd.crt -out uhttpd.crt.pem
openssl rsa -inform DER -outform PEM -in uhttpd.key -out uhttpd.key.pem

So I renamed uhttpd.key and uhttpd.crt to uhttpd_org.key and uhttpd_org.crt, then converted again to make a new uhttpd crt and key:

openssl rsa -in uhttpd.key.pem -outform DER -out uhttpd.key
openssl x509 -in uhttpd.crt.pem -outform DER -out uhttpd.crt

The whole process I did:

root@Pineapple:/etc# /etc/init.d/uhttpd restart
Generating RSA private key, 512 bit long modulus
Generating selfsigned certificate with subject 'C=DE;ST=Berlin;L=Berlin;CN=OpenWrt;' and validity 2014-04-04 08:19:19-2016-04-03 08:19:19
root@Pineapple:/etc# openssl x509 -inform DER -outform PEM -in uhttpd.crt -out uhttpd.crt.pem
root@Pineapple:/etc# openssl rsa -inform DER -outform PEM -in uhttpd.key -out uhttpd.key.pem
writing RSA key
root@Pineapple:/etc# mv uhttpd.key uhttpd_org.key
root@Pineapple:/etc# mv uhttpd.crt uhttpd_crt.key
root@Pineapple:/etc# openssl rsa -in uhttpd.key.pem -outform DER -out uhttpd.key
writing RSA key
root@Pineapple:/etc# openssl x509 -in uhttpd.crt.pem -outform DER -out uhttpd.crt

Then I restarted uhttpd and tried to access it via https, but the problem is still there.


Final solution...

Step 0: Install uhttpd-mod-tls

Step 1: Generate a private key by means of the openssl utility (Linux)

openssl genrsa -des3 -out server.key 1024

Step 2: Generate a CSR (Certificate Signing Request)

openssl req -new -key server.key -out server.csr

Step 3: Remove the passphrase from the key

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

Step 4: Generate a self-signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Step 5: Install the private key and certificate

cp server.crt /etc/uhttpd.crt

cp server.key /etc/uhttpd.key

Step 6: Edit /etc/config/uhttpd.conf:

option home /pineapple

list listen_https 0.0.0.0:443

(+ comment out any related cert generation options)

Step 7: /etc/init.d/uhttpd restart

Step 8: Go to https://172.16.42.1:443/index.php

P.S.: It doesn't open index.php automatically when opening IP:port; I can't handle it.

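Two things the thread trips over are file encoding (the files px5g wrote on restart were DER, which is why the `-inform DER` conversions in the second post succeeded, while the openssl commands in the steps above write PEM) and confirming that the certificate and key actually belong together before restarting the server. The following POSIX shell script is an added example, not code from the original posts or from the Pineapple firmware. It does the key and certificate generation from the steps above in a single openssl invocation, reports a file's encoding, checks that a certificate and key match, installs them at the paths the posted config uses, and probes the listener. It assumes the openssl CLI is available; the paths /etc/uhttpd.crt and /etc/uhttpd.key, the init script and the address 172.16.42.1:443 are the ones given in the thread. It uses 2048-bit RSA instead of the 1024 bits in the posted commands and px5g defaults (and the 512 bits shown in the second restart log), both of which are below current minimums.

```shell
#!/bin/sh
# Added example (not from the original posts): generate a self-signed
# certificate for uhttpd, check the files are what the server expects,
# install them, and probe the HTTPS listener afterwards.
# Assumes the openssl CLI is installed. Install paths and the init script
# are the ones from the posted /etc/config/uhttpd; the subject mirrors the
# px5g defaults in that config.

# Generate an unencrypted 2048-bit RSA key and a self-signed PEM cert in DIR.
# -nodes writes the key without a passphrase, so the separate
# "remove passphrase" step is not needed.
gen_selfsigned() {
    dir=$1; cn=${2:-OpenWrt}; days=${3:-365}
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/C=DE/ST=Berlin/L=Berlin/CN=$cn" \
        -keyout "$dir/uhttpd.key" -out "$dir/uhttpd.crt" >/dev/null 2>&1
    chmod 600 "$dir/uhttpd.key"   # the private key must not be world-readable
}

# Print PEM, DER or UNKNOWN for FILE. PEM has a text armor line; DER starts
# with the ASN.1 SEQUENCE tag 0x30. Both look the same in ls, which is how
# the DER<->PEM conversion loop in the thread happened.
file_format() {
    if grep -q -- '-----BEGIN' "$1"; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Return 0 when the public key embedded in CERT equals the public key
# derived from KEY (both PEM); 2 if either file cannot be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy cert and key to the paths the posted config points at and restart.
# Run this on the device, as root.
install_uhttpd_cert() {
    cp "$1/uhttpd.crt" /etc/uhttpd.crt
    cp "$1/uhttpd.key" /etc/uhttpd.key
    chmod 600 /etc/uhttpd.key
    /etc/init.d/uhttpd restart
}

# Show whether HOST:PORT speaks TLS at all. A "subject=" line means a
# certificate was served. "wrong version number" means the port answered
# with something that is not a TLS record (typically plain HTTP), which is
# the condition Firefox reports as ssl_error_rx_record_too_long.
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 |
        grep -E 'subject=|wrong version number|Connection refused' | head -n 3
}

# Usage: sh uhttpd-tls.sh /tmp/certs   (generate and check, no install)
if [ $# -gt 0 ]; then
    mkdir -p "$1"
    gen_selfsigned "$1"
    echo "cert: $(file_format "$1/uhttpd.crt")  key: $(file_format "$1/uhttpd.key")"
    cert_key_match "$1/uhttpd.crt" "$1/uhttpd.key" && echo "cert and key match"
fi
```

Run `sh uhttpd-tls.sh /tmp/certs` on a workstation to generate and check the pair, copy the directory to the device, then call `install_uhttpd_cert /tmp/certs` there and `probe_tls 172.16.42.1 443` from a client. If px5g is kept for generation instead of openssl, raise `option bits` in the `config cert px5g` section of the posted config from 1024; the 512-bit key in the second restart log should not be used for anything.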


This is outdated, as from 1.4.0 onward we have moved to nginx, which is MUCH faster than uhttpd and also easier to set up in regards to HTTPS.

Best Regards,

Sebkinne


Yes, I see nginx in 1.4.1, but uhttpd is still there also; it's not gone. For now my solution is the only solution published for the MARK V.


That's not correct. We have removed uhttpd from 1.4.1 entirely. You may have installed it manually, or maybe an infusion installed it, but we do not have it in the firmware.

While these instructions may work for you, and anyone running uhttpd, they do not work out of the box on < 1.4.1.

In regards to there being no solution published for the MKV as of 1.4.0, this is correct. It's a rather trivial process for nginx.

Best regards,

Sebkinne
