This is more informational than anything else. I have a RB5009UG router and a hAP-ac3, both on firmware 7.18.2. Both have IP Service TCP 80 disabled. I tried to log into the ac3 this morning and couldn’t. I was connecting with https and once you entered the username and password, you’d get the warning that the page isn’t secure and in Chrome you get an option to ignore it. Once I did that then the GUI would loop you right back around to the login page again, effectively locking you out from signing in. So I tried my RB5009 and the exact same thing happened. No matter how many times I signed in, it would always loop me right back to the sign in page. I later found that both devices had the Let’s Encrypt SSL cert expired. Once I renewed it, it worked fine using https.
To get back in, I had to SSH in and set “/ip/service> enable 2” to enable the http protocol to sign in, and that worked fine to renew the cert. I was just thinking that if I had SSH disabled also and I was remote, that would have been a drive.
Is there any plan to add automatic Let’s Encrypt renewal to the GUI?
Thanks!
The service on port 80 must be active for automatic renewal, as written in the guide, in 7.18.2.
(for 7.17x and 7.19 there is also renewal via DNS verification)
There is no practical reason why, if you expose port 443 to the world, you cannot also leave 80 open.
Absolutely nothing changes from a security standpoint for others.
What changes is just one of the many possibilities that there are for a MITM attack to occur when YOU use webfig.
I don’t expose 80 or 443 to the world unless it is temporary. I have a firewall rule at the top that says to allow anything from my office IPs only.
I understand that TCP port 80 needs to be enabled to renew the SSL cert. The script I have will temporarily open 80, renew the cert, and then close 80 again. The issue here is that I couldn’t log into the GUI at all, even after telling my Chrome browser to ignore the SSL cert error.
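The two points above, that port 80 has to be reachable for the HTTP-based Let's Encrypt renewal and that the poster only opens it briefly from a script, can be written as one RouterOS 7.x scheduler script. This is an added example, not the poster's own script and not code from MikroTik. It assumes a public name of router.example.com, a disabled input filter rule with comment "le-http-80" (protocol=tcp, dst-port=80, action=accept) placed above the office-IP-only allow rule, that the "www" service is normally disabled while "www-ssl" carries the Let's Encrypt certificate, and that the certificate list exposes the remaining lifetime as "expires-after"; all of these are assumptions for the example. It also enables the service by name rather than by list index, so it does not depend on the ordering of /ip service.

```routeros
# Added example (not the poster's script, not MikroTik-supplied code).
# Install as /system script name=le-renew and run it from /system scheduler
# daily; it opens TCP/80 only for the renewal window and always closes it
# again, even when the renewal fails.
#
# Assumptions (not from the thread):
#   - router.example.com is the DNS name on the certificate
#   - disabled filter rule comment="le-http-80" (chain=input protocol=tcp
#     dst-port=80 action=accept) sits above the office-IP-only allow rule
#   - "www" is normally disabled, "www-ssl" has the Let's Encrypt cert
#   - /certificate exposes the remaining lifetime as "expires-after"
:local dnsName "router.example.com"
:local ruleComment "le-http-80"
:local renewWithin 2w

# Read the remaining lifetime of the certificate bound to www-ssl. An empty
# or unreadable value (for example an already expired certificate, which is
# the lockout case described in this thread) is treated as "renew now".
:local needRenew true
:do {
    :local certName [/ip service get [find name="www-ssl"] certificate]
    :local leftTime [/certificate get [find name=$certName] expires-after]
    :if ([:typeof $leftTime] = "time" && $leftTime > $renewWithin) do={
        :set needRenew false
        :log info ("le-renew: " . $certName . " valid for " . [:tostr $leftTime] . ", skipping")
    }
} on-error={
    :log warning "le-renew: could not read certificate lifetime, forcing renewal"
}

:if ($needRenew) do={
    # Open the HTTP validation path: the service first, then the firewall hole.
    # During this window webfig is reachable over plain HTTP from anywhere the
    # rule admits, so keep the window as short as the renewal itself.
    /ip service enable [find name="www"]
    /ip firewall filter enable [find comment=$ruleComment]
    :log info ("le-renew: tcp/80 opened, requesting certificate for " . $dnsName)

    :do {
        # Requests/renews the certificate and binds it to www-ssl.
        /certificate enable-ssl-certificate dns-name=$dnsName
        :log info "le-renew: certificate renewed and bound to www-ssl"
    } on-error={
        :log error "le-renew: renewal failed; check DNS and that tcp/80 is reachable from the internet"
    }

    # Always close tcp/80 again, whether or not the renewal succeeded.
    /ip firewall filter disable [find comment=$ruleComment]
    /ip service disable [find name="www"]
    :log info "le-renew: tcp/80 closed"
}
```

The firewall step matters with the office-only allow rule described above: enabling the "www" service alone does not let the Let's Encrypt validation servers reach port 80, so the temporary accept rule has to sit before that restriction. The script only prevents the expiry; if the certificate has already lapsed and the webfig login loops as in the first post, the recovery path is still the one described there (a non-HTTPS management channel such as SSH), which is why it is worth keeping one such path open. The DNS-based validation mentioned in the reply for other 7.x releases avoids opening port 80 at all.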
So the certificate is self-renewing or not?
The new one does not apply to the www-ssl service?
Have you tried with any browser?
The certificate renewed fine once I got logged in. The issue was with service port 80 disabled, and with the expired certificate, the https logon screen would loop when you signed in. You’d enter your username and password, and the GUI looked like it was going to load fine and then it would present the username and password fields over again even though you had just signed in. You’d enter the correct username and password again, and it would just bring you right back to the logon page again.
Ok, I’ll give up before I answer badly.
Of three questions, you didn’t answer one.
Hi! Thank you for the reply.
Again, the cert renewed fine once I got logged in and ran the script.
The new SSL cert did get applied correctly to the www-ssl service.
No, I didn’t try a different browser. It never acted that way previously.
This post is not about renewing the ssl cert. It’s about how the GUI loops you back to the login page after you successfully log in when the ssl cert is expired. I’m just posting my findings.