Always know how to do... whatever using the cli.
-
Obtain the server key, server cert and intermediate cert in PEM format. I use letsencrypt.org, and so name my intermediate cert "letsencrypt-chain.crt". The system doesn't care what you use as a filename extension. I usually use ".key" for keys, and ".crt" for certs. In the case of the combo cert I used ".pem" just because...
-
Combine the server key and cert into a single file, key first:
$ cat server.key server.crt > _.example.com-combo.pem
You can name things anything you want, so long as the lighttpd config points at the names you chose (see below). I always name my keys and certs for the server they're being used for; the "_." prefix is what I use for wildcard certs.
-
Upload the combo key and cert, along with the intermediate cert, to the router (I use either scp or sftp).
-
If this is the first time you're installing SSL certs on the router, log into the router, become root (sudo su -) and create the directories under /config (where they won't be overwritten by the next firmware update) that will hold the certs:
$ sudo su -
# mkdir -p /config/ssl/certs
# mkdir -p /config/ssl/private
# chown -R root:root /config/ssl
# chmod go-rx /config/ssl/private
# exit
(be sure to remove read and execute permissions for "group" and "other" from anything you copy to /config/ssl/private)
- Still logged into the router over ssh as the admin user, copy the intermediate cert to /config/ssl/certs (it holds no secrets, so it can stay readable by everyone):
$ sudo cp letsencrypt-chain.crt /config/ssl/certs
- Then copy the combo key and cert to /config/ssl/private:
$ sudo cp _.example.com-combo.pem /config/ssl/private
Make sure only root can read it, because it contains your server key (cp does not carry over a restrictive mode on its own):
$ sudo chmod 600 /config/ssl/private/_.example.com-combo.pem
- If this is the first time you're installing SSL certs on the router, point the GUI service at your certs. These settings are what EdgeOS uses to generate lighttpd's 10-ssl.conf, so set them here rather than editing that file by hand:
$ configure
# set service gui cert-file /config/ssl/private/_.example.com-combo.pem
# set service gui ca-file /config/ssl/certs/letsencrypt-chain.crt
# commit
# save
# exit
$
From this point on you shouldn't need to touch this config, unless you do something like change the name of the certs involved.
- Restart lighttpd so it loads the new key and certs:
$ sudo systemctl stop lighttpd
$ sudo systemctl start lighttpd
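Before uploading anything, it is worth checking the files you just assembled, since a combo file with the blocks in the wrong order, a key that doesn't belong to the cert, or a private key accidentally copied into the world-readable certs directory all show up only after lighttpd refuses to start. The shell functions below are an added example, not part of the original write-up; they use the filenames from the steps above and are meant to be run in the staging directory on the machine you upload from. The `openssl` match check is skipped when openssl isn't installed.

```shell
# Added example, not from the original write-up. Builds the combo PEM the way
# the steps above do and checks the things that go wrong most often.

# make_combo KEY CERT OUT
# Concatenate key then cert into OUT. The umask in the subshell means the file
# is created 0600, so the key is never readable by group/other even briefly.
make_combo() {
    ( umask 077; cat "$1" "$2" > "$3" )
}

# count_blocks FILE PATTERN  -> number of PEM blocks whose BEGIN line matches
count_blocks() {
    grep -c -- "-----BEGIN $2-----" "$1" || true   # grep -c exits 1 on zero matches
}

# check_combo FILE
# OK only if FILE holds exactly one private key, at least one certificate,
# and the key comes first (the order used in the steps above).
check_combo() {
    keys=$(count_blocks "$1" '.*PRIVATE KEY')
    certs=$(count_blocks "$1" 'CERTIFICATE')
    first=$(grep -- '-----BEGIN ' "$1" | head -n 1)
    [ "$keys" -eq 1 ]  || { echo "$1: expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "$1: no certificate block" >&2; return 1; }
    case $first in
        *"PRIVATE KEY"*) ;;
        *) echo "$1: key must precede the certificate" >&2; return 1 ;;
    esac
}

# check_chain FILE
# The intermediate/chain file lands in /config/ssl/certs, which stays readable
# by group/other, so it must contain certificates and never a private key.
check_chain() {
    [ "$(count_blocks "$1" 'CERTIFICATE')" -ge 1 ]    || { echo "$1: no certificate block" >&2; return 1; }
    [ "$(count_blocks "$1" '.*PRIVATE KEY')" -eq 0 ] || { echo "$1: contains a private key!" >&2; return 1; }
}

# check_private_mode FILE
# Fail if anyone but the owner can read FILE (GNU stat, with BSD stat fallback).
check_private_mode() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        600|400) ;;
        *) echo "$1: mode $mode, want 600" >&2; return 1 ;;
    esac
}

# key_matches_cert COMBO
# Derive the public key from the private key and from the certificate and
# compare them; a mismatch is what lighttpd would otherwise reject at startup.
# Returns 0 (skipped) when openssl is not installed.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl missing, match check skipped" >&2; return 0; }
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Usage, from the staging directory, before scp'ing to the router:
#   make_combo server.key server.crt _.example.com-combo.pem
#   check_combo _.example.com-combo.pem && check_private_mode _.example.com-combo.pem \
#     && key_matches_cert _.example.com-combo.pem && check_chain letsencrypt-chain.crt
```

Once the files are on the router and lighttpd has restarted, the same kind of check from the outside is `openssl s_client -connect <router>:443 -servername <name>`, which shows the chain the router actually serves and whether the intermediate from ca-file is being sent.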
I've updated this procedure in light of recent experience after a firmware update. I think it's much better now.