This guide assumes that you already have a domain pointing to your router and that its DNS record is updated whenever the router's public IP changes.
Connect to the router
For all of the following steps you need to be logged in to your router via ssh.
The following commands install acme.sh (a Let's Encrypt client) under /root/.acme.sh on the router. The install script automatically creates a cronjob for it. Adjust the email address to the one that should receive warnings should a certificate be about to expire.

    # address that receives expiry warnings from Let's Encrypt
    EMAIL=email@example.com
    # the installer places acme.sh in $HOME/.acme.sh, i.e. /root/.acme.sh here
    cd /root
    curl https://get.acme.sh | sh
    # register the account email with the CA
    ./.acme.sh/acme.sh --accountemail "$EMAIL" --update-account
We're going to use acme.sh in webroot mode, so lighttpd's config has to be extended slightly: requests for /.well-known/acme-challenge/ are mapped to a dedicated directory that acme.sh writes the challenge files to. The alias.url directive comes from mod_alias, so that module has to be enabled in lighttpd.

    # map the ACME challenge URL prefix to the webroot used by acme.sh
    echo 'alias.url += ( "/.well-known/acme-challenge/" => "/www/letsencrypt/.well-known/acme-challenge/")' \
        > /etc/lighttpd/conf.d/letsencrypt.conf
    mkdir -p /www/letsencrypt/.well-known/acme-challenge/
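Before asking Let's Encrypt to fetch a challenge, it is worth checking that lighttpd really serves files from that directory at the expected URL. The following POSIX shell script is an added example, not part of the original guide or of acme.sh: it drops a random token into the webroot, fetches it back over plain HTTP (the HTTP-01 challenge uses port 80) and compares the bytes. WEBROOT, the fetch helper and the hostname argument are assumptions; the mapping in challenge_file mirrors the alias.url line above.

```shell
#!/bin/sh
# Added example (not from the original guide): self-test for the ACME
# challenge path served by lighttpd. Assumes the webroot and alias from the
# guide; WEBROOT and FETCH can be overridden to run it off the router.

WEBROOT="${WEBROOT:-/www/letsencrypt}"
CHALLENGE_PATH=".well-known/acme-challenge"

# Map a challenge URL path to the file lighttpd serves for it, mirroring
# alias.url: /.well-known/acme-challenge/ -> $WEBROOT/.well-known/acme-challenge/
# Returns 1 for any path outside the challenge prefix.
challenge_file() {
    case "$1" in
        /$CHALLENGE_PATH/*) printf '%s/%s\n' "$WEBROOT" "${1#/}" ;;
        *) return 1 ;;
    esac
}

# Fetch a URL to stdout with the clients shipped on OpenWrt (uclient-fetch
# or busybox wget). Set FETCH=<function> to replace this, e.g. in tests.
fetch_url() {
    if command -v uclient-fetch >/dev/null 2>&1; then
        uclient-fetch -q -O - "$1"
    else
        wget -q -O - "$1"
    fi
}

# Write a random token below the webroot, request it via http://$1/... and
# check that the same bytes come back. The token is removed afterwards.
# Returns 0 on success, 1 on mismatch, 2 if the path cannot be mapped.
selftest() {
    host="$1"
    token="selftest-$$-$(date +%s)"
    file=$(challenge_file "/$CHALLENGE_PATH/$token") || return 2
    mkdir -p "$(dirname "$file")"
    printf '%s' "$token" > "$file"
    got=$(${FETCH:-fetch_url} "http://$host/$CHALLENGE_PATH/$token")
    rm -f "$file"
    [ "$got" = "$token" ]
}

# usage: ./acme-selftest.sh your.domain   (hostname is a placeholder)
if [ -n "${1:-}" ]; then
    selftest "$1" && echo "challenge path OK" || echo "challenge path FAILED" >&2
fi
```

Run it once with the firewall rule for port 80 temporarily enabled (or from inside your LAN against the router's address); a mismatch usually means mod_alias is not loaded or the alias file was not picked up by lighttpd.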
Configure the Firewall
This adds a rule which is disabled by default. When enabled, the rule allows traffic to port 80 on your router. Every time a certificate is renewed, this rule is temporarily enabled and automatically disabled again once the renewal has finished.

    uci set firewall.letsencrypt=rule
    uci set firewall.letsencrypt.target=ACCEPT
    uci set firewall.letsencrypt.src=wan
    uci set firewall.letsencrypt.proto=tcp
    uci set firewall.letsencrypt.dest_port=80
    uci set firewall.letsencrypt.name='allow http on wan'
    # disabled by default; the acme.sh hooks toggle it during renewals
    uci set firewall.letsencrypt.enabled=0
    uci commit firewall
    /etc/init.d/firewall reload

Note: make sure that traffic from the wan zone to the input chain is allowed! The rule sets no dest zone, so it applies to the router's own input chain.
Issue the First Certificate
    DOMAIN=your.domain
    /root/.acme.sh/acme.sh \
        --issue \
        -d "$DOMAIN" \
        -w /www/letsencrypt/ \
        --pre-hook "uci set firewall.letsencrypt.enabled=1; uci commit firewall; /etc/init.d/firewall reload" \
        --post-hook "uci set firewall.letsencrypt.enabled=0; uci commit firewall; /etc/init.d/firewall reload" \
        --reloadcmd "cat /root/.acme.sh/$DOMAIN/$DOMAIN.cer /root/.acme.sh/$DOMAIN/$DOMAIN.key > /etc/lighttpd-self-signed.pem; /etc/init.d/lighttpd restart"

Once the certificate has been issued for the first time, the cronjob created during installation renews it automatically; acme.sh stores the pre-hook, post-hook and reloadcmd with the certificate and runs them again on every renewal. Note that the reloadcmd concatenates the leaf certificate and the private key into the PEM file lighttpd reads; /etc/lighttpd-self-signed.pem is the path the stock OpenWrt lighttpd config points at, so no further lighttpd change is needed.
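The inline pre-hook and post-hook above work, but they give no feedback when the rule fails to close again. The following POSIX shell script is an added example, not part of the original guide or of acme.sh: it wraps the same uci commands into one script with open, close and status actions, logs what it does to syslog, and refuses to report success from close unless the rule really reads back as disabled. The rule name is the one from the guide; the script path /root/le-fw.sh and the UCI and FW_RELOAD overrides (used to run it without a router) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): firewall hook for acme.sh.
# Use as --pre-hook "/root/le-fw.sh open" and --post-hook "/root/le-fw.sh close".
# UCI and FW_RELOAD are overridable so the logic can be exercised off-router.

RULE="firewall.letsencrypt"                      # rule name from the guide
UCI="${UCI:-uci}"
FW_RELOAD="${FW_RELOAD:-/etc/init.d/firewall reload}"

# Log to syslog when logger exists, otherwise to stderr.
log() {
    logger -t letsencrypt "$*" 2>/dev/null || echo "letsencrypt: $*" >&2
}

# Print the current state of the rule: 1 (port 80 open) or 0 (closed).
# An unset option is treated as closed.
rule_state() {
    "$UCI" -q get "$RULE.enabled" || echo 0
}

# Set the rule to $1 (1 or 0), commit and reload the firewall.
set_rule() {
    "$UCI" set "$RULE.enabled=$1"
    "$UCI" commit firewall
    $FW_RELOAD
}

open_http() {
    log "opening port 80 on wan for the ACME challenge"
    set_rule 1
}

# Close the rule and verify the change took effect; a non-zero exit here
# shows up in the acme.sh log and in syslog instead of going unnoticed.
close_http() {
    set_rule 0
    if [ "$(rule_state)" != "0" ]; then
        log "WARNING: port 80 rule still enabled after close"
        return 1
    fi
    log "port 80 on wan closed again"
}

case "${1:-}" in
    open)   open_http ;;
    close)  close_http ;;
    status) rule_state ;;
    "")     ;;   # no action requested (e.g. sourced): nothing to do
    *)      echo "usage: $0 open|close|status" >&2; exit 1 ;;
esac
```

After a renewal, `/root/le-fw.sh status` should print 0 and `logread | grep letsencrypt` shows the open/close pair; a lingering 1 means the post-hook did not run to completion and the rule should be disabled by hand.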