Closed kenperkins closed 7 years ago
The nc included in the base image does not support those options. However, once everything else is configured it seems to not require use of those options.
I noticed I missed this from the instructions, but is subdomain.example.com resolving to the public IP address of your router?
Yes, I've got my WAN IP properly mapped to a dns name.
I was wondering about the config for the WebUI, from the readme:

> Does not ever expose the admin GUI to the internet
> `set service gui listen-address 192.168.1.1`
How can the LE process work when the webUI is not exposed publicly?
Acme.sh runs the most minimalist of web servers using netcat (nc) to respond to the challenge directly. The configuration of the gui listen-address is to get out of the way of this; it seems the most common default of an Edgerouter configuration is to have the gui listen on all addresses, firewalled on all but LAN.
OK. So you're spinning up a transient server through acme as opposed to adding a route in the existing edgerouter lighttpd config. Got it. So then the question is how to enable that traffic through my firewall. Let me do some testing.
I've put these two rules on my WAN-LOCAL firewall rule set:

```
rule 15 {
    action accept
    description "Allow LetsEncrypt Traffic TCP 443"
    destination {
        port 443
    }
    log disable
    protocol tcp
}
rule 16 {
    action accept
    description "Allow LetsEncrypt Traffic TCP 80"
    destination {
        port 80
    }
    log disable
    protocol tcp
}
...
ethernet eth0 {
    address dhcp
    description Internet
    duplex auto
    firewall {
        in {
            name WAN-IN
        }
        local {
            name WAN-LOCAL
        }
    }
    speed auto
}
```
Just getting `router.mydomain.com: Verify error:Could not connect to router.mydomain.com`
I'm guessing there's some interaction that is blocking the acme service from receiving requests but I don't know how to test/debug it.
Commenting out the return statement when checking for the `-4` option in acme.sh did indeed unblock me.
Glad to hear you got it working. Others have had issues with netcat like this that I haven't been able to reproduce, I think I am going to alter the script to not rely on netcat. Plan to spin up a bespoke instance of lighttpd and use webroot.
I didn't realize you were manually allowing http through iptables directly in your wrapper so that was a bit of a red herring.
Yep, a quick temporary rule. In any case I've updated renew.acme.sh (e6cd9d6ccc10029511d5331cf16f409365f351e5) to use webroot behind a temporary lighttpd webserver. This should be more robust than relying on netcat.
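One way to debug the "Could not connect" failure above from outside acme.sh, and to see what the webroot approach in the updated script relies on, as an added example that is not from this thread or from acme.sh: it stages a token in a webroot, serves it with a throwaway Python server standing in for the temporary lighttpd, then fetches the challenge URL the way the validator would and reports which stage failed. Python 3.7+ is assumed; the token and key authorization are constructed values, and on a router you would point `check_challenge` at the public name and port 80 instead of 127.0.0.1.

```python
import http.server, os, socket, tempfile, threading, urllib.error, urllib.request
from functools import partial

# Path an HTTP-01 validator fetches: http://<domain>/.well-known/acme-challenge/<token>
CHALLENGE_DIR = ".well-known/acme-challenge"

def write_challenge(webroot, token, key_authorization):
    """Drop the key authorization where a webroot client (acme.sh -w <webroot>) puts it."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(key_authorization)

def serve_webroot(webroot, port=0):
    """Throwaway static server standing in for the temporary lighttpd; returns (server, port)."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def check_challenge(host, port, token, expected, timeout=3):
    """Fetch the challenge as a validator would and report which stage failed."""
    result = {"tcp": False, "http_status": None, "body_ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["tcp"] = True  # reachable: firewall, NAT and listen-address are not the problem
    except OSError as e:
        result["error"] = f"connect failed: {e}"  # the 'Could not connect' case
        return result
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            result["http_status"] = r.status
            result["body_ok"] = r.read().decode().strip() == expected
    except urllib.error.HTTPError as e:
        result["http_status"] = e.code  # 404: wrong webroot, or a different listener answered
    return result

def demo():
    """Constructed end-to-end run: served token, missing token, then a closed port."""
    webroot = tempfile.mkdtemp()
    token, keyauth = "constructed-token", "constructed-token.constructed-thumbprint"
    write_challenge(webroot, token, keyauth)
    srv, port = serve_webroot(webroot)
    ok = check_challenge("127.0.0.1", port, token, keyauth)
    missing = check_challenge("127.0.0.1", port, "no-such-token", keyauth)
    srv.shutdown()
    srv.server_close()  # nothing listens now, so the next check hits 'connect failed'
    refused = check_challenge("127.0.0.1", port, token, keyauth)
    return {"ok": ok, "missing": missing, "refused": refused}
```

A TCP failure points at the WAN-LOCAL rules, port forwarding or the listen address; a 404 with TCP succeeding means something else is answering on port 80 or the webroot path is wrong.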
My certificate initialization fails further down but I think that's because my firewall rules are blocking, but I don't know if this `nc` issue is related.