Skip to content

Instantly share code, notes, and snippets.

@husjon
Forked from alexandrusavin/binds_on_mount.sh
Created June 8, 2023 17:52
Show Gist options
  • Save husjon/81efa207166e937d328350dd3db12911 to your computer and use it in GitHub Desktop.
Save husjon/81efa207166e937d328350dd3db12911 to your computer and use it in GitHub Desktop.
Add letsencrypt certificate to dd-wrt web interface
#!/bin/sh
if [ `nvram get https_enable` -gt 0 ] ; then
# get the absolute directory of the executable
SELF_PATH=$(cd -P "$(dirname "$0")" && pwd -P)
echo SELF_PATH: ${SELF_PATH}
# extract the mount path
MOUNT_PATH=`echo ${SELF_PATH} | cut -d / -f1-2`
echo MOUNT_PATH: ${MOUNT_PATH}
# do binds
for BIND_PATH in '/jffs' ; do
echo Binding ${BIND_PATH}
if [ "${MOUNT_PATH}" != "${BIND_PATH}" ]; then
grep -q -e "${BIND_PATH}" /proc/mounts || mount -o bind ${MOUNT_PATH}${BIND_PATH} ${BIND_PATH}
fi
done
HTTPS_RESET=0
if [ `pidof httpd` -gt 0 ]; then
echo Stopping httpd
stopservice httpd
HTTPS_RESET=1
fi
echo Binding HTTPS certifcate
grep -q -e "/etc/cert.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/cert.pem /etc/cert.pem
grep -q -e "/etc/key.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/key.pem /etc/key.pem
grep -q -e "/etc/privkey.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/privkey.pem /etc/privkey.pem
if [ "$HTTPS_RESET" = "1" ]; then
echo Starting httpd
startservice httpd
unset HTTPS_RESET
fi
fi

Inspired from this blog post.

  1. Prepare the router

    1. Use portfw to forward port 80 and 445 to the ip of the computer where you have certbot installed

    2. Enable Secure Shell from Services tab

    3. Enable JFFS2 Support form Administration tab

  2. Create the certificate files

    1. Install certbot

      brew install certbot

    2. Go to a folder where you will configure certbot

    3. Execute certbot to create the certificate

      certbot certonly --standalone --config-dir . --logs-dir . --work-dir .

      If it says it cannot bind to port 80 it means you need to add sudo to the above command. If the case then you'll need to change ownsership (chow) of the live and ../../archive folders to get access in the next steps.

    4. cd to ./live/[your.domain]

    5. Create rsa key from private key

      openssl rsa -in privkey.pem -out key.pem

  3. Put the certificate files into the router

    1. cd to jffs

      cd /jffs

    2. create startup folder

      mkdir startup && cd startup

    3. create the script (binds_on_mount.sh) that binds certificate files and make it executable

      chmod +x binds_on_mount.sh

    4. create etc folder in jffs and cd in it

      mkdir /jffs/etc && cd /jffs/etc

    5. create the certificate files from local certbot files

      1. paste contents of key.pem, cert.pem and privkey.pem into their respective file in /jffs/etc
  4. Remove portfw and enable Web GUI Management remote access from Administration tab

    1. Web Access

      1. Protocol: Check https and Uncheck http
    2. Remote Access

      1. Web GUI Management: Enable

      2. Web GUI Port: 443

  5. Test by executing the script and then try to access the web gui. If the browser has a green lock next to the address than everything is correct.

  6. Add command to execute the script on startup

    1. save this command as Startup in Administration > Commands

      cd /jffs/startup && ./binds_on_mount.sh > ./log

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment