Configuring SSL Certificates Using acme.sh on OpenWRT

前言

OpenWRT 自带的 luci-app-acme 非常难用，而且找不到官方文档（luci很多插件都这样一坨,比如tinyproxy也是年久失修。。）所以我选择官方原版acmesh。

如有需要可以参照官方README

安装 acme.sh

wget -O -  https://get.acme.sh | sh -s email=my@example.com
cd ~/.acme.sh
./acme.sh --upgrade --auto-upgrade

配置 DNS API 密钥

编辑 ~/.acme.sh/account.conf 文件，添加以下内容：

由于我使用的是cloudflare的dns，如果你是其他的，请参照官方。

export CF_Zone_ID="aaaaaaaaaaa"
export CF_Token="aaaaaaaa"

申请证书

使用以下命令通过 Cloudflare 的 DNS 验证方式申请证书：

./acme.sh --issue --dns dns_cf -d admin.tokisaki.top -d '*.example.com' # dns方式可以申请通配符证书

查看证书列表

可以使用以下命令查看已申请的证书：

./acme.sh --list

安装证书

将申请到的证书安装到指定位置，并重启 uhttpd 服务：

./acme.sh --install-cert -d admin.tokisaki.top \
--key-file /etc/uhttpd.key \
--fullchain-file /etc/uhttpd.crt \
--reloadcmd '/etc/init.d/uhttpd restart'

验证安装是否有效

使用以下命令强制续期证书：

./acme.sh --renew -d admin.tokisaki.top --force

如果安装成功，输出如下：

.......
[Mon Feb  3 16:14:16 CST 2025] Your cert is in: /root/.acme.sh/admin.tokisaki.top_ecc/admin.tokisaki.top.cer
[Mon Feb  3 16:14:16 CST 2025] Your cert key is in: /root/.acme.sh/admin.tokisaki.top_ecc/admin.tokisaki.top.key
[Mon Feb  3 16:14:16 CST 2025] The intermediate CA cert is in: /root/.acme.sh/admin.tokisaki.top_ecc/ca.cer
[Mon Feb  3 16:14:16 CST 2025] And the full-chain cert is in: /root/.acme.sh/admin.tokisaki.top_ecc/fullchain.cer
[Mon Feb  3 16:14:17 CST 2025] Installing key to: /etc/uhttpd.key
[Mon Feb  3 16:14:17 CST 2025] Installing full chain to: /etc/uhttpd.crt
[Mon Feb  3 16:14:17 CST 2025] Running reload cmd: /etc/init.d/uhttpd restart
[Mon Feb  3 16:14:17 CST 2025] Reload successful

Preface

The luci-app-acme package included with OpenWRT is quite difficult to use, and there is no official documentation to be found (many LuCI plugins are in such a poor state; for example, tinyproxy is also long unmaintained…). Therefore, I chose to use the official original acme.sh.

Refer to the official README if needed

Installing acme.sh

wget -O -  https://get.acme.sh | sh -s email=my@example.com
cd ~/.acme.sh
./acme.sh --upgrade --auto-upgrade

Configuring DNS API Keys

Edit the ~/.acme.sh/account.conf file and add the following content:

Since I use Cloudflare’s DNS, if you use a different provider, please refer to the official documentation.

export CF_Zone_ID="aaaaaaaaaaa"
export CF_Token="aaaaaaaa"

Requesting Certificates

Use the following command to request certificates via Cloudflare DNS validation:

./acme.sh --issue --dns dns_cf -d admin.tokisaki.top -d '*.example.com' # DNS method can request wildcard certificates

Viewing Certificate List

You can use the following command to view the certificates that have been requested:

./acme.sh --list

Installing Certificates

Install the requested certificate to the specified location and restart the uhttpd service:

./acme.sh --install-cert -d admin.tokisaki.top \
--key-file /etc/uhttpd.key \
--fullchain-file /etc/uhttpd.crt \
--reloadcmd '/etc/init.d/uhttpd restart'

Verifying Installation Effectiveness

Use the following command to force a certificate renewal:

./acme.sh --renew -d admin.tokisaki.top --force

If the installation is successful, the output will be as follows:

.......
[Mon Feb  3 16:14:16 CST 2025] Your cert is in: /root/.acme.sh/admin.tokisaki.top_ecc/admin.tokisaki.top.cer
[Mon Feb  3 16:14:16 CST 2025] Your cert key is in: /root/.acme.sh/admin.tokisaki.top_ecc/admin.tokisaki.top.key
[Mon Feb  3 16:14:16 CST 2025] The intermediate CA cert is in: /root/.acme.sh/admin.tokisaki.top_ecc/ca.cer
[Mon Feb  3 16:14:16 CST 2025] And the full-chain cert is in: /root/.acme.sh/admin.tokisaki.top_ecc/fullchain.cer
[Mon Feb  3 16:14:17 CST 2025] Installing key to: /etc/uhttpd.key
[Mon Feb  3 16:14:17 CST 2025] Installing full chain to: /etc/uhttpd.crt
[Mon Feb  3 16:14:17 CST 2025] Running reload cmd: /etc/init.d/uhttpd restart
[Mon Feb  3 16:14:17 CST 2025] Reload successful