openwrt DDNS, acme commands

Posted on September 15, 2021

I’m using OpenWrt R21.8.6, compiled from coolsnowwolf/lede.

1. Install software on OpenWrt

  • acme
  • ddns-scripts (already built in when the firmware was compiled)

2. DDNS configuration

  • DNS System

    Create a dynamic DNS record at your DNS service provider (mine is dns.he.net)

    [Screenshot: Dynamic DNS A Record - New]

    Generate password for DDNS

    [Screenshot: Dynamic DNS A Record password - entry]
    [Screenshot: Dynamic DNS A Record password - generate]

  • Configuration on OpenWrt

    Find ‘Services’ on the top bar, then go to “Dynamic DNS”

    [Screenshot: Openwrt DDNS configuration 1]

    Give the record a name and click the ‘Add’ button

    [Screenshot: Openwrt DDNS configuration 2]

    Select the DNS service provider you are using

    [Screenshot: Openwrt DDNS configuration 3]

    After the UI updates for the selected provider, enable the service and enter your dynamic record and password; click ‘Save & Apply’ in the corner when the configuration is done

    [Screenshot: Openwrt DDNS configuration 4]

    Just in case, check the “Advanced Settings” tab and make sure the selected interface is the one connected to the Internet

    [Screenshot: Openwrt DDNS configuration 5]

    Refresh the page; the process is running when a PID appears in the “Process ID Start / Stop” column

    [Screenshot: Openwrt DDNS configuration 5]

    The process can be started by clicking the ‘Start’ button

    [Screenshot: Openwrt DDNS configuration 5]

  • Verification

    Check on the DNS system; the record should now hold your public IP
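    The check above is done by eye on the provider's web UI. As an added example (not part of the post or of ddns-scripts), the script below does the same check from the router's shell: it resolves the DDNS hostname, reads the address netifd currently reports for the WAN interface, and also tells you whether the ddns-scripts updater for a configuration section is alive. It assumes a stock OpenWrt with busybox nslookup, ubus and jsonfilter, ddns-scripts' pid files under /var/run/ddns, and an interface named "wan"; the section name is the one you typed in LuCI's ‘Add’ dialog.

```shell
#!/bin/sh
# Added example, not part of the post or of ddns-scripts: verify from the router
# that the DDNS hostname points at the address the WAN interface holds right now,
# and report whether the ddns-scripts updater for a config section is alive.
# Assumptions: stock OpenWrt with busybox nslookup, ubus and jsonfilter, the
# ddns-scripts pid files under /var/run/ddns, and a WAN interface named "wan".

# Extract the first IPv4 answer from busybox nslookup output. The "Server:" and
# resolver "Address" lines come before "Name:", so everything up to "Name:" is
# skipped; both the "Address: x.x.x.x" and the older "Address 1: x.x.x.x host"
# layouts are handled by picking the first dotted-quad field.
parse_nslookup() {
    awk '/^Name:/ { seen = 1; next }
         seen && /^Address/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
         }'
}

# IPv4 address netifd currently reports for an interface (default: wan).
wan_ipv4() {
    ubus call network.interface."${1:-wan}" status 2>/dev/null \
        | jsonfilter -e '@["ipv4-address"][0].address'
}

# 0 when both addresses are non-empty and identical, 1 otherwise. An empty DNS
# answer counts as a mismatch so a deleted record is reported, not silently passed.
addresses_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# ddns-scripts writes one pid file per config section.
ddns_running() {
    pidfile="/var/run/ddns/$1.pid"
    [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null
}

# Usage: ddns_check <section> <ddns hostname> [wan interface]
ddns_check() {
    section="$1"; host="$2"; iface="${3:-wan}"
    if ddns_running "$section"; then
        echo "updater '$section': running"
    else
        echo "updater '$section': NOT running, see /var/log/ddns/$section.log" >&2
    fi
    dns_ip=$(nslookup "$host" 2>/dev/null | parse_nslookup)
    wan_ip=$(wan_ipv4 "$iface")
    if addresses_match "$dns_ip" "$wan_ip"; then
        echo "OK: $host -> $dns_ip matches $iface"
    else
        echo "MISMATCH: $host -> ${dns_ip:-<no answer>}, $iface has ${wan_ip:-<no address>}" >&2
        return 1
    fi
}

# Run directly: sh ddns_check.sh myddns home.example.test
if [ -n "${1:-}" ]; then
    ddns_check "$1" "${2:?ddns hostname}" "${3:-wan}"
fi
```

    A non-zero exit means the published record and the WAN address differ, which is what you want to catch: a stale record points clients (and any remote service you expose) at whoever holds your old address. Running it from cron a few minutes after the updater's check interval gives a cheap alarm.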

3. Generating a certificate with ACME via the DNS API

  • Find and download the script for DNS from acmesh-official/acme.sh

    For me, I downloaded dns_he.sh

  • Edit the script, adding the username/password

    [Screenshot: Openwrt ACME 1]

    Note: Don’t share your credentials with others

  • Configuration on OpenWrt

    • Install acme service

      root@OpenWrt:~# cd /usr/lib/acme/
      root@OpenWrt:/usr/lib/acme# ./acme.sh --install

      The output when the installation succeeds

      [Fri Sep 17] Installing to /root/.acme.sh
      [Fri Sep 17] Installed to /root/.acme.sh/acme.sh
      [Fri Sep 17] No profile is found, you will need to go into /root/.acme.sh to use acme.sh
      [Fri Sep 17] Installing cron job
      [Fri Sep 17] OK

    • Configuration

      root@OpenWrt:~# cd /root/.acme.sh
      root@OpenWrt:~/.acme.sh# mkdir dnsapi

    • Upload the file dns_he.sh to the newly created folder /root/.acme.sh/dnsapi

    • Certificate generation

      ./acme.sh --register-account -m ${your_email} --server letsencrypt --issue --dns dns_he -d ${your_domain_name}

      The output if everything works

      [Fri Sep 17] Using CA: https://acme-v02.api.letsencrypt.org/directory
      [Fri Sep 17] Creating domain key
      [Fri Sep 17] The domain key is here: /root/.acme.sh/
      [Fri Sep 17] Single domain='{__omitted__}'
      [Fri Sep 17] Getting domain auth token for each domain
      [Fri Sep 17] Getting webroot for domain='{__omitted__}'
      [Fri Sep 17] Adding txt value: ___ for domain:  _acme-challenge.{__omitted__}
      [Fri Sep 17] Using DNS-01 Hurricane Electric hook
      [Fri Sep 17] TXT record added successfully.
      [Fri Sep 17] The txt record is added: Success.
      [Fri Sep 17] Let's check each DNS record now. Sleep 20 seconds first.
      [Fri Sep 17] You can use '--dnssleep' to disable public dns checks.
      [Fri Sep 17] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
      [Fri Sep 17] Checking {__omitted__} for _acme-challenge.{__omitted__}
      [Fri Sep 17] Domain {__omitted__} '_acme-challenge.{__omitted__}' success.
      [Fri Sep 17] All success, let's return
      [Fri Sep 17] Verifying: {__omitted__}
      [Fri Sep 17] Success
      [Fri Sep 17] Removing DNS records.
      [Fri Sep 17] Removing txt: ___ for domain: _acme-challenge.{__omitted__}
      [Fri Sep 17] Cleaning up after DNS-01 Hurricane Electric hook
      [Fri Sep 17] Record removed successfully.
      [Fri Sep 17] Removed: Success
      [Fri Sep 17] Verify finished, start to sign.
      [Fri Sep 17] Lets finalize the order.
      [Fri Sep 17] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/163482020/25029386060'
      [Fri Sep 17] Downloading cert.
      [Fri Sep 17] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03f18ca7f43ee3225f7ff175c2d0ef4cd05a'
      [Fri Sep 17] Cert success.
      {Certificate key content}
      [Fri Sep 17] Your cert is in  /root/.acme.sh/{__omitted__}/{__omitted__}.cer
      [Fri Sep 17] Your cert key is in  /root/.acme.sh/{__omitted__}/{__omitted__}.key
      [Fri Sep 17] The intermediate CA cert is in  /root/.acme.sh/{__omitted__}/ca.cer
      [Fri Sep 17] And the full chain certs is there:  /root/.acme.sh/{__omitted__}/fullchain.cer
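      The post has you write the Hurricane Electric username/password straight into dns_he.sh. As an added example (not code from the post or from acme.sh), the script below instead passes them through the HE_Username and HE_Password environment variables that dns_he.sh reads, so the downloaded script stays unmodified and the secret lives in one place: acme.sh saves those variables to account.conf, which the script then restricts to the owner. It also installs the key and full chain where uhttpd can use them and records that step with --install-cert, so the cron job that the installation created repeats the copy and the reload on every renewal. Assumptions: acme.sh installed to /root/.acme.sh as shown above, uhttpd as the TLS consumer, and /etc/uhttpd-cert as the install directory (this example's choice); the log-parsing helper works on output saved from a run like the one above.

```shell
#!/bin/sh
# Added example, not code from the post or from acme.sh: issue the certificate with
# the Hurricane Electric credentials passed through the HE_Username/HE_Password
# environment variables that dns_he.sh reads (so the script itself stays unmodified
# and the secret is not duplicated), then install key and chain where uhttpd can use
# them. acme.sh saves the variables to account.conf, so that file is locked down too.
# Assumptions: acme.sh installed to /root/.acme.sh as in the post, uhttpd as the
# consumer, and /etc/uhttpd-cert as the install directory (this example's choice).
set -u

ACME_HOME=/root/.acme.sh
ACME="$ACME_HOME/acme.sh"

# First issuance via the dns_he hook; afterwards the installed cron job renews it.
acme_issue() {
    domain="$1"; email="$2"
    if [ -z "${HE_Username:-}" ] || [ -z "${HE_Password:-}" ]; then
        echo "export HE_Username and HE_Password before running" >&2
        return 1
    fi
    "$ACME" --home "$ACME_HOME" --register-account -m "$email" \
        --server letsencrypt --issue --dns dns_he -d "$domain" || return 1
    chmod 600 "$ACME_HOME/account.conf"     # holds the saved HE credentials
}

# Point uhttpd at the install location, then copy key and full chain there;
# --install-cert records these paths and the reload command for every renewal.
acme_install() {
    domain="$1"; dir="${2:-/etc/uhttpd-cert}"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    uci set uhttpd.main.cert="$dir/$domain.crt"
    uci set uhttpd.main.key="$dir/$domain.key"
    uci commit uhttpd
    "$ACME" --home "$ACME_HOME" --install-cert -d "$domain" \
        --key-file "$dir/$domain.key" \
        --fullchain-file "$dir/$domain.crt" \
        --reloadcmd "/etc/init.d/uhttpd restart" || return 1
    chmod 600 "$dir/$domain.key"
}

# 0 when a file is readable and writable by its owner only (mode 0600). Parses
# ls -l so it also works on busybox, which lacks GNU stat -c.
is_owner_only() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Pull one of the four output paths out of a saved acme.sh run like the log in the
# post; the path is always the last field on its line.
cert_path_from_log() {   # $1 = log file, $2 = cert | key | ca | fullchain
    case "$2" in
        cert)      pat='Your cert is in' ;;
        key)       pat='Your cert key is in' ;;
        ca)        pat='The intermediate CA cert is in' ;;
        fullchain) pat='full chain certs is there' ;;
        *)         return 1 ;;
    esac
    grep "$pat" "$1" | head -n 1 | awk '{ print $NF }'
}

# Report any secret-bearing file that other local users could read.
check_secret_perms() {   # args: files to check; returns 1 if any is too open
    rc=0
    for f in "$@"; do
        if is_owner_only "$f"; then
            echo "ok   $f"
        else
            echo "OPEN $f (expected mode 0600)" >&2; rc=1
        fi
    done
    return $rc
}

# Usage: sh acme_he.sh issue <domain> <email> | install <domain> | check
case "${1:-}" in
    issue)   acme_issue "${2:?domain}" "${3:?email}" ;;
    install) acme_install "${2:?domain}" ;;
    check)   check_secret_perms "$ACME_HOME/account.conf" /etc/uhttpd-cert/*.key ;;
esac
```

      Typical use on the router: export HE_Username and HE_Password in the shell, run the issue step once, then the install step; running the check step afterwards (and after each renewal) confirms that account.conf and the private key are still mode 0600. If you already edited dns_he.sh as the post describes, remove the credentials from it once the environment-variable route works, so the secret is not kept in two files.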
