This guide uses https://letsencrypt.org/ and https://github.com/Neilpang/acme.sh to generate a valid SSL certificate for the EdgeRouter.
- Does not ever expose the admin GUI to the internet
- 100% /config driven, does not require modification to EdgeOS system files
- Connect via ssh to your EdgeRouter and execute the following command.
curl https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh | sudo bash
- In the steps below replace/verify the following:
- subdomain.example.com - FQDN
- 192.168.1.1 - LAN IP of Router
- Configure DNS record for subdomain.example.com to your public WAN IP.
- Connect via ssh to your EdgeRouter and enter configuration mode.
-
Setup static host mapping for FQDN to the LAN IP.
set system static-host-mapping host-name subdomain.example.com inet 192.168.1.1
-
Configure cert-file location for gui.
set service gui cert-file /config/ssl/server.pem set service gui ca-file /config/ssl/ca.pem
-
Configure task scheduler to renew certificate automatically.
set system task-scheduler task renew.acme executable path /config/scripts/renew.acme.sh set system task-scheduler task renew.acme interval 1d set system task-scheduler task renew.acme executable arguments '-d subdomain.example.com'
You can include additional common names for your certificate, so long as they resolve to the same WAN address:
set system task-scheduler task renew.acme executable arguments '-d subdomain.example.com -d subdomain2.example.com'
-
Initialize your certificate.
sudo /config/scripts/renew.acme.sh -d subdomain.example.com
If you included multiple names in step 4, you'll need to include any additional names here as well.
-
Commit and save your configuration.
commit save
-
Accesss your router by going to https://subdomain.example.com
20180609 - Install script
20180605 - IPv6 support
20180213 - Deprecate -i <wandev> option
20171126 - Add ca.pem for complete certificate chain
- Temporarily disable http port forwarding during renew
20171013 - Remove reload.acme.sh
20170530 - Check wan ip
20170417 - Stop gui service during challenge
20170320 - Add multiple name support
20170317 - Change from standalone to webroot auth using lighttpd
20170224 - Bug fixes
20170110 - Born