ThanhBT Posted March 24, 2014

Hi everyone,

I am using the Mark V and I want HTTPS on uhttpd, so I tried installing uhttpd-mod-tls and luci-ssl and then restarted uhttpd:

    root@Pineapple:~# /etc/init.d/uhttpd restart
    Generating RSA private key, 1024 bit long modulus
    Generating selfsigned certificate with subject 'C=DE;ST=Berlin;L=Berlin;CN=OpenWrt;' and validity 2014-03-24 12:03:50-2016-03-23 12:03:50

Then I tried to access https://172.16.42.1 via a web browser, but I got this message:

    (Error code: ssl_error_rx_record_too_long)

This is my uhttpd config file:

    # Server configuration
    config uhttpd main
        option 'index_page' 'index.php'
        option 'error_page' '/index.php'

        # HTTP listen addresses, multiple allowed
        list listen_http 0.0.0.0:80
        # list listen_http [::]:80

        # HTTPS listen addresses, multiple allowed
        list listen_https 0.0.0.0:443
        # list listen_https [::]:443

        # Server document root
        option home /www

        # Reject requests from RFC1918 IP addresses
        # directed to the servers public IP(s).
        # This is a DNS rebinding countermeasure.
        option rfc1918_filter 1

        # Certificate and private key for HTTPS.
        # If no listen_https addresses are given,
        # the key options are ignored.
        option cert /etc/uhttpd.crt
        option key /etc/uhttpd.key

        # CGI url prefix, will be searched in docroot.
        # Default is /cgi-bin
        option cgi_prefix /cgi-bin

        # List of extension->interpreter mappings.
        # Files with an associated interpreter can
        # be called outside of the CGI prefix and do
        # not need to be executable.
        list interpreter ".php=/usr/bin/php-cgi"
        # list interpreter ".cgi=/usr/bin/perl"

        # Lua url prefix and handler script.
        # Lua support is disabled if no prefix given.
        # option lua_prefix /luci
        # option lua_handler /usr/lib/lua/luci/sgi/uhttpd.lua

        # CGI/Lua timeout, if the called script does not
        # write data within the given amount of seconds,
        # the server will terminate the request with
        # 504 Gateway Timeout response.
        option script_timeout 60

        # Network timeout, if the current connection is
        # blocked for the specified amount of seconds,
        # the server will terminate the associated
        # request process.
        option network_timeout 30

        # TCP Keep-Alive, send periodic keep-alive probes
        # over established connections to detect dead peers.
        # The value is given in seconds to specify the
        # interval between subsequent probes.
        # Setting this to 0 will disable TCP keep-alive.
        option tcp_keepalive 1

        # Basic auth realm, defaults to local hostname
        # option realm OpenWrt

    # Certificate defaults for px5g key generator
    config cert px5g
        # Validity time
        option days 730

        # RSA key size
        option bits 1024

        # Location
        option country DE
        option state Berlin
        option location Berlin

        # Common name
        option commonname OpenWrt

    config uhttpd pineapple
        list listen_http 0.0.0.0:1471
        option home /pineapple
        option index_page index.php
        option 'error_page' '/index.php'
        option no_dirlists 1

        # Configuration file in busybox httpd format
        option config /etc/config/httpd.conf
        option rfc1918_filter 1

        # Certificate and private key for HTTPS.
        # If no listen_https addresses are given,
        # the key options are ignored.
        option cert /etc/uhttpd.crt
        option key /etc/uhttpd.key

        # CGI url prefix, will be searched in docroot.
        # Default is /cgi-bin
        option cgi_prefix /cgi-bin

        # List of extension->interpreter mappings.
        # Files with an associated interpreter can
        # be called outside of the CGI prefix and do
        # not need to be executable.
        list interpreter ".php=/usr/bin/php-cgi"

        # CGI/Lua timeout, if the called script does not
        # write data within the given amount of seconds,
        # the server will terminate the request with
        # 504 Gateway Timeout response.
        option script_timeout 60

        # Network timeout, if the current connection is
        # blocked for the specified amount of seconds,
        # the server will terminate the associated
        # request process.
        option network_timeout 30

        # TCP Keep-Alive, send periodic keep-alive probes
        # over established connections to detect dead peers.
        # The value is given in seconds to specify the
        # interval between subsequent probes.
        # Setting this to 0 will disable TCP keep-alive.
        option tcp_keepalive 1

Has anyone had the same problem? How can I fix that? Thanks for helping.

P.S.: I see that 2 files, uhttpd.crt and uhttpd.key, have been created.

Sebkinne Posted March 27, 2014

It's already reported as a bug and we will get to it soon.

Best Regards,
Sebkinne

Sebkinne Posted March 30, 2014

I have just updated the bug report:

Basically, my assumption is that the keys you generated are in the PEM format. They need to be in the DER format. See the bug report or this thread on the OpenWRT forums for more information.

If this doesn't fix your issue, please re-open the bug report.

Best Regards,
Sebkinne

ThanhBT (Author) Posted April 4, 2014

Thanks Sebkinne for your reply. I tried to follow it to fix that, but I have some issues.

A uhttpd restart makes 2 files, uhttpd.crt and uhttpd.key. I have to convert the key and crt to PEM files with 2 commands:

    openssl x509 -inform DER -outform PEM -in uhttpd.crt -out uhttpd.crt.pem
    openssl rsa -inform DER -outform PEM -in uhttpd.key -out uhttpd.key.pem

So I change the names of uhttpd.key and uhttpd.crt to uhttpd_org.key and uhttpd_org.crt, then convert again to make a new uhttpd crt and key:

    openssl rsa -in uhttpd.key.pem -outform DER -out uhttpd.key
    openssl x509 -in uhttpd.crt.pem -outform DER -out uhttpd.crt

The whole process I did:

    root@Pineapple:/etc# /etc/init.d/uhttpd restart
    Generating RSA private key, 512 bit long modulus
    Generating selfsigned certificate with subject 'C=DE;ST=Berlin;L=Berlin;CN=OpenWrt;' and validity 2014-04-04 08:19:19-2016-04-03 08:19:19
    root@Pineapple:/etc# openssl x509 -inform DER -outform PEM -in uhttpd.crt -out uhttpd.crt.pem
    root@Pineapple:/etc# openssl rsa -inform DER -outform PEM -in uhttpd.key -out uhttpd.key.pem
    writing RSA key
    root@Pineapple:/etc# mv uhttpd.key uhttpd_org.key
    root@Pineapple:/etc# mv uhttpd.crt uhttpd_crt.key
    root@Pineapple:/etc# openssl rsa -in uhttpd.key.pem -outform DER -out uhttpd.key
    writing RSA key
    root@Pineapple:/etc# openssl x509 -in uhttpd.crt.pem -outform DER -out uhttpd.crt

Then I restarted uhttpd and tried to access https, but the problem is still there.

wifihack Posted April 11, 2014

I have the same problem. I followed the fix in Sebkinne's bug report but I have the same issue as ThanhBT! How can I fix that? Thanks for helping!

Sebkinne Posted April 11, 2014

I didn't use the Pineapple to generate my keys. It's possible that the OpenWRT package which generates them has some issues.

Best regards,
Sebkinne

hna32x Posted June 7, 2014

Final solution...

Step 0: Install uhttpd-mod-tls

Step 1: Generate a Private Key by means of openssl utility (Linux)

    openssl genrsa -des3 -out server.key 1024

Step 2: Generate a CSR (Certificate Signing Request)

    openssl req -new -key server.key -out server.csr

Step 3: Remove Passphrase from Key

    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key

Step 4: Generating a Self-Signed Certificate

    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Step 5: Installing the Private Key and Certificate

    cp server.crt /etc/uhttpd.crt
    cp server.key /etc/uhttpd.key

Step 5: Edit /etc/config/uhttpd.conf:

    option home /pineapple
    list listen_https 0.0.0.0:443

(+comment out any related cert generation options)

Step 6:

    /etc/init.d/uhttpd restart

Step 7: Go to https://172.16.42.1:443/index.php

P.S. It's not opening index.php automatically on IP:port opening, I can't handle it..
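
A pre-install check for the certificate and key files discussed in this thread, added here as an example and not written by any poster or by the Pineapple project: it reports whether each file is PEM or DER and whether the key belongs to the certificate. The function names are hypothetical, and it assumes the openssl command-line tool plus head, tr and grep are installed.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the files uhttpd is pointed at.

# Print PEM, DER or unknown for the certificate or key file in $1.
cert_encoding() {
    [ -r "$1" ] || { echo unknown; return 1; }
    # PEM is base64 text wrapped in "-----BEGIN ...-----" armour lines.
    if grep -q '^-----BEGIN ' "$1"; then
        echo PEM; return 0
    fi
    # DER is raw ASN.1. Certificates and RSA keys are both a SEQUENCE,
    # whose tag byte 0x30 is also the ASCII character "0".
    if [ "$(head -c 1 "$1" | tr -d '\000')" = "0" ]; then
        echo DER; return 0
    fi
    echo unknown; return 1
}

# Return 0 only if the RSA key in $2 belongs to the certificate in $1,
# 1 on a mismatch, 2 if either file cannot be parsed.
# A passphrase-protected key fails (empty -passin) instead of prompting.
key_matches_cert() {
    cfmt=$(cert_encoding "$1") || return 2
    kfmt=$(cert_encoding "$2") || return 2
    cmod=$(openssl x509 -inform "$cfmt" -in "$1" -noout -modulus 2>/dev/null) || return 2
    kmod=$(openssl rsa -inform "$kfmt" -in "$2" -noout -modulus -passin pass: 2>/dev/null) || return 2
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Report on a cert/key pair; defaults are the paths from the thread's config.
check_uhttpd_pair() {
    crt="${1:-/etc/uhttpd.crt}"; key="${2:-/etc/uhttpd.key}"
    echo "cert: $crt is $(cert_encoding "$crt")"
    echo "key:  $key is $(cert_encoding "$key")"
    if key_matches_cert "$crt" "$key"; then
        echo "key matches certificate"
    else
        echo "key does not match certificate, or a file could not be parsed"
        return 1
    fi
}

# Run the report only when called with arguments, e.g.
#   sh check_pair.sh /etc/uhttpd.crt /etc/uhttpd.key
if [ "$#" -gt 0 ]; then check_uhttpd_pair "$@"; fi
```

Running it on the generated files and again on the converted ones shows whether a conversion actually changed the encoding and whether the pair still belongs together.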

Sebkinne Posted June 7, 2014

> Final solution...
>
> Step 0: Install uhttpd-mod-tls
>
> Step 1: Generate a Private Key by means of openssl utility (Linux)
>
>     openssl genrsa -des3 -out server.key 1024
>
> Step 2: Generate a CSR (Certificate Signing Request)
>
>     openssl req -new -key server.key -out server.csr
>
> Step 3: Remove Passphrase from Key
>
>     cp server.key server.key.org
>     openssl rsa -in server.key.org -out server.key
>
> Step 4: Generating a Self-Signed Certificate
>
>     openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
>
> Step 5: Installing the Private Key and Certificate
>
>     cp server.crt /etc/uhttpd.crt
>     cp server.key /etc/uhttpd.key
>
> Step 5: Edit /etc/config/uhttpd.conf:
>
>     option home /pineapple
>     list listen_https 0.0.0.0:443
>
> (+comment out any related cert generation options)
>
> Step 6:
>
>     /etc/init.d/uhttpd restart
>
> Step 7: Go to https://172.16.42.1:443/index.php
>
> P.S. It's not opening index.php automatically on IP:port opening, I can't handle it..

This is outdated as from 1.4.0 onward we have moved to nginx - which is MUCH faster than uhttpd and also easier to set up in regards to https.

Best Regards,
Sebkinne

hna32x Posted June 7, 2014

> This is outdated as from 1.4.0 onward we have moved to nginx - which is MUCH faster than uhttpd and also easier to set up in regards to https.
>
> Best Regards,
> Sebkinne

Yes, I see nginx in 1.4.1, but uhttpd is still there also, it's not gone. For now my solution is the only solution published for MARK V.

Sebkinne Posted June 7, 2014

> Yes, I see nginx in 1.4.1, but uhttpd is still there also, it's not gone. For now my solution is the only solution published for MARK V.

That's not correct. We have removed uhttpd from 1.4.1 entirely. You may have installed it manually or maybe an infusion installed it, but we do not have it in the firmware.

While these instructions may work for you, and anyone running uhttpd, they do not work out of the box on < 1.4.1.

In regards to there being no solution published for the MKV as of 1.4.0, this is correct. It's a rather trivial process for nginx.

Best regards,
Sebkinne