I’m using OpenWrt R21.8.6, compiled from coolsnowwolf/lede.
1. Install software on OpenWrt
- acme
- ddns-scripts (already built into the firmware at compile time)
2. DDNS configuration
DNS System
Create a dynamic DNS record at your DNS service provider (mine is hosted on dns.he.net)
Generate a DDNS key (password) for that record; it is a secret that authorises updates to this record only
Configuration on OpenWrt
Find ‘Services’ on the top bar, then go to “Dynamic DNS”
Give the record a name and click the ‘Add’ button
Select the DDNS service provider you are using
After the UI has refreshed for the chosen provider, enable the service and enter your dynamic record (hostname) and its password, then click ‘Save & Apply’ in the corner when the configuration is done
Also check the “Advanced Settings” tab: make sure the IP source is the interface that connects to the Internet (the WAN interface), and that “Use HTTP Secure” is enabled so the DDNS key is not sent in clear text
Refresh the page; the updater is running if a PID is shown in the “Process ID Start / Stop” column
If it is not, start it by clicking the ‘Start’ button
Verification
Check on the DNS provider's side: the record should now resolve to your public IP
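The same configuration done from the router's shell instead of LuCI, as an added example that is not part of the original post or of the ddns-scripts project. It writes the /etc/config/ddns service section that the clicks above produce, and then checks that no enabled section would send the DDNS key over plain HTTP or skip CA verification. Option names are those of ddns-scripts; the provider name 'he.net', the interface name 'wan', the hostname and the key are assumptions for illustration (HE's dynamic update uses the record name as the username and the per-record key as the password). The output path is a parameter so the section can be written to a scratch file first.

```shell
# Added example (not from the original post or ddns-scripts): write the
# /etc/config/ddns section that the LuCI steps above produce, then refuse any
# config that would send the DDNS key over plain HTTP or skip CA verification.
# Assumptions: provider name 'he.net' as ddns-scripts names it, WAN interface
# 'wan', and HE's dynamic update taking the record name as username and the
# per-record key as password.

# Write one enabled ddns-scripts service section for host $2 with key $3 into $1.
write_ddns_config() {
  out="$1" host="$2" key="$3"
  cat > "$out" <<EOF
config service 'he_ipv4'
    option enabled '1'
    option service_name 'he.net'
    option lookup_host '$host'
    option domain '$host'
    option username '$host'
    option password '$key'
    option use_ipv6 '0'
    option interface 'wan'
    option ip_source 'network'
    option ip_network 'wan'
    option use_https '1'
    option cacert '/etc/ssl/certs'
    option check_interval '10'
    option check_unit 'minutes'
    option force_interval '72'
    option force_unit 'hours'
EOF
  chmod 600 "$out"   # the file holds the DDNS key in clear text
}

# Return 0 only if every enabled service section has use_https '1' and a real
# CA path (ddns-scripts treats cacert 'IGNORE' as "do not verify"); print the
# offending section names otherwise.
ddns_config_is_safe() {
  awk -v q="'" '
    function flush() {
      if (sec != "" && enabled == "1" && (https != "1" || cacert == "" || cacert == "IGNORE")) {
        print "unsafe: section " sec " would expose the DDNS key"; bad = 1
      }
    }
    $1 == "config" && $2 == "service" { flush(); sec = $3; enabled = https = cacert = "" }
    $1 == "option" { gsub(q, "", $3) }
    $1 == "option" && $2 == "enabled"   { enabled = $3 }
    $1 == "option" && $2 == "use_https" { https = $3 }
    $1 == "option" && $2 == "cacert"    { cacert = $3 }
    END { flush(); exit bad }
  ' "$1"
}

# On the router:
#   write_ddns_config /etc/config/ddns host.example.com "$KEY"
#   ddns_config_is_safe /etc/config/ddns && /etc/init.d/ddns restart
```

The checker is the piece worth keeping around: run it against /etc/config/ddns after any edit in LuCI, because a section saved with “Use HTTP Secure” unticked, or with the CA path set to IGNORE, passes the key to the provider over a channel anyone on the path can read.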
3. Generating a certificate with ACME via the DNS API
Find and download the DNS API hook script for your provider from the dnsapi directory of acmesh-official/acme.sh
For me, I downloaded dns_he.sh
Edit the script to add your HE username and password: the dns_he hook reads them from the variables HE_Username and HE_Password. Instead of editing the script you can also export those two variables in the shell before the first --issue; acme.sh then saves them to /root/.acme.sh/account.conf for later renewals, and the script itself stays unmodified.
Note: these are the credentials of your whole HE account, not the per-record DDNS key (the hook needs account access to create and delete the _acme-challenge TXT records), so don’t share them with anyone and keep whichever file holds them readable by root only (chmod 600).
Configuration on OpenWrt
Install acme.sh
root@OpenWrt:~# cd /usr/lib/acme/
root@OpenWrt:/usr/lib/acme# ./acme.sh --install
The output of a successful installation:
[Fri Sep 17] Installing to /root/.acme.sh
[Fri Sep 17] Installed to /root/.acme.sh/acme.sh
[Fri Sep 17] No profile is found, you will need to go into /root/.acme.sh to use acme.sh
[Fri Sep 17] Installing cron job
[Fri Sep 17] OK
The cron job is what renews the certificate later, so make sure the cron service is running on the router; otherwise the certificate will simply expire.
Configuration
root@OpenWrt:~# cd /root/.acme.sh
root@OpenWrt:~/.acme.sh# mkdir dnsapi
Upload the file dns_he.sh to the newly created folder /root/.acme.sh/dnsapi
Certificate generation
./acme.sh --register-account -m ${your_email} --server letsencrypt --issue --dns dns_he -d ${your_domain_name}
The output, if everything works:
[Fri Sep 17] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Sep 17] Creating domain key
[Fri Sep 17] The domain key is here: /root/.acme.sh/
[Fri Sep 17] Single domain='{__omitted__}'
[Fri Sep 17] Getting domain auth token for each domain
[Fri Sep 17] Getting webroot for domain='{__omitted__}'
[Fri Sep 17] Adding txt value: ___ for domain: _acme-challenge.{__omitted__}
[Fri Sep 17] Using DNS-01 Hurricane Electric hook
[Fri Sep 17] TXT record added successfully.
[Fri Sep 17] The txt record is added: Success.
[Fri Sep 17] Let's check each DNS record now. Sleep 20 seconds first.
[Fri Sep 17] You can use '--dnssleep' to disable public dns checks.
[Fri Sep 17] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Fri Sep 17] Checking {__omitted__} for _acme-challenge.{__omitted__}
[Fri Sep 17] Domain {__omitted__} '_acme-challenge.{__omitted__}' success.
[Fri Sep 17] All success, let's return
[Fri Sep 17] Verifying: {__omitted__}
[Fri Sep 17] Success
[Fri Sep 17] Removing DNS records.
[Fri Sep 17] Removing txt: ___ for domain: _acme-challenge.{__omitted__}
[Fri Sep 17] Cleaning up after DNS-01 Hurricane Electric hook
[Fri Sep 17] Record removed successfully.
[Fri Sep 17] Removed: Success
[Fri Sep 17] Verify finished, start to sign.
[Fri Sep 17] Lets finalize the order.
[Fri Sep 17] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/163482020/25029386060'
[Fri Sep 17] Downloading cert.
[Fri Sep 17] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03f18ca7f43ee3225f7ff175c2d0ef4cd05a'
[Fri Sep 17] Cert success.
{Certificate key content}
[Fri Sep 17] Your cert is in /root/.acme.sh/{__omitted__}/{__omitted__}.cer
[Fri Sep 17] Your cert key is in /root/.acme.sh/{__omitted__}/{__omitted__}.key
[Fri Sep 17] The intermediate CA cert is in /root/.acme.sh/{__omitted__}/ca.cer
[Fri Sep 17] And the full chain certs is there: /root/.acme.sh/{__omitted__}/fullchain.cer
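Post-issue checks on what acme.sh wrote, as an added example that is not from the original post or from acme.sh. Given the directory and domain named in the last four lines of the output, it confirms that the private key really belongs to the leaf certificate, that the certificate's Subject Alternative Name covers the domain, that it is not about to expire, that the key is readable only by root, and that fullchain.cer exists. It needs the openssl command line (the openssl-util package on OpenWrt); the fixture function builds a constructed self-signed certificate in the same layout so the checks can be tried without touching the real files, and the directory and domain used there are made up.

```shell
# Added example, not from the original post or acme.sh: sanity checks on the
# files acme.sh leaves in /root/.acme.sh/<domain>/. Requires the openssl CLI.

# 0 if the public key inside the certificate equals the public key derived
# from the private key, i.e. the .key really belongs to the .cer.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate's Subject Alternative Name list contains DNS:<domain>.
cert_covers_domain() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$2"
}

# 0 if the certificate is still valid $2 days from now (a freshly issued
# 90-day Let's Encrypt certificate must pass for 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the key file is mode 600, so only root can read it.
key_is_private() {
  [ "$(stat -c %a "$1")" = "600" ]
}

# Run every check on a directory laid out like acme.sh's and report failures.
check_issued_cert() {
  dir="$1" domain="$2" rc=0
  cert="$dir/$domain.cer" key="$dir/$domain.key"
  cert_matches_key "$cert" "$key"      || { echo "key does not match $cert"; rc=1; }
  cert_covers_domain "$cert" "$domain" || { echo "$cert does not cover $domain"; rc=1; }
  cert_valid_for_days "$cert" 30       || { echo "$cert expires within 30 days"; rc=1; }
  key_is_private "$key"                || { echo "$key is readable by others"; rc=1; }
  [ -s "$dir/fullchain.cer" ]          || { echo "fullchain.cer missing in $dir"; rc=1; }
  return $rc
}

# Constructed fixture: a self-signed certificate in the same layout, so the
# checks can be exercised without the real Let's Encrypt files.
make_fixture() {
  mkdir -p "$1"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.cer" -days 90 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
  chmod 600 "$1/$2.key"
  cp "$1/$2.cer" "$1/fullchain.cer"
}

# On the router, with the paths from the output above:
#   check_issued_cert /root/.acme.sh/host.example.com host.example.com
```

The key/certificate match is the check that catches the common mistake of pointing a service at a key from an earlier issue; the SAN check catches a certificate issued for the bare domain when the service is reached via a subdomain. Both are cheap to repeat from the renew hook.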
Reference
- https://openwrt.org/releases/21.02/notes-21.02.0
- https://github.com/coolsnowwolf/lede
- https://dns.he.net/
- https://github.com/acmesh-official/acme.sh
- https://github.com/acmesh-official/acme.sh/wiki/dnsapi