OpenWRT: LetsEncrypt certificates via Acme.sh and CloudFlare

This is more for my records, but in case it’s useful to anyone else. First, install three packages if they’re not already installed:

opkg update
opkg install acme acme-dnsapi luci-app-acme

You should now have a new menu in the navigation menu up to: Services; ACME certs

Set your email address. Delete both sample configurations. Create a new one, and start changing settings:

Enabled: yes
Use Staging Server: yes
Use for uhttpd: yes
Pick your key size, and set domain names correctly (these must be in your zone, but DNS entries for them do not have to exist).

Under “Challenge Validation”:

Method: DNS
DNS API: dns_cf

DNS API Credentials (as three separate entries):

CF_Token="API_TOKEN_CREATED_HERE"
CF_Account_ID="ACCOUNT_ID_HERE"
CF_Zone_ID="ZONE_ID_HERE"

You have to create the token with Zone.DNS.Edit permissions. The two IDs you can get from the front page of your zone in the control panel.

Click save & apply, and after about a minute if you check the system you should see a successful attempt, and probably have gotten a certificate warning because of unknown issuer - the luci app will apply the cert even though the staging server signed it.

If that happens, just go back and uncheck “Use staging server” and click save & apply, and you should get a certificate.

If it fails, the system log should have enough info as to why, for example I had an error Can not find dns api hook for: dns_cf - that was because I did not have the acme-dnsapi package installed.

It should now automatically renew at 60 days.

Author:

fwaggle

Published:

2022-05-16T19:59:00+1000

Modified:

2022-05-16T20:09:37+1000