OpenWRT: LetsEncrypt certificates via Acme.sh and CloudFlare
This is more for my records, but in case it’s useful to anyone else. First, install three packages if they’re not already installed:
opkg update
opkg install acme acme-dnsapi luci-app-acme
You should now have a new entry in the top navigation menu: Services > ACME certs.
Set your email address. Delete both sample configurations. Create a new one, and start changing settings:
- Enabled: yes
- Use Staging Server: yes
- Use for uhttpd: yes
- Pick your key size, and set domain names correctly (these must be in your zone, but DNS entries for them do not have to exist).
Under “Challenge Validation”:
- Method: DNS
- DNS API: dns_cf
DNS API Credentials (as three separate entries):
CF_Token="API_TOKEN_CREATED_HERE"
CF_Account_ID="ACCOUNT_ID_HERE"
CF_Zone_ID="ZONE_ID_HERE"
You have to create the token with Zone.DNS.Edit permissions. The two IDs you can get from the front page of your zone in the control panel.
Click Save & Apply. After about a minute, if you check the system log you should see a successful attempt, and you will probably get a certificate warning about an unknown issuer: the LuCI app applies the certificate even though the staging server signed it.
If that happens, just go back and uncheck “Use staging server” and click save & apply, and you should get a certificate.
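The same settings as a script, so the staging run and the switch to production can be reproduced from the router's shell instead of clicking through LuCI. This is an added example and not part of the original post; the UCI option names (account_email, enabled, use_staging, keylength, domains, update_uhttpd, validation_method, dns, credentials) and the /etc/init.d/acme init script are my recollection of the OpenWrt acme package and should be checked against `uci show acme` on your own build.

```shell
#!/bin/sh
# Added example (not from the original post): the LuCI settings above expressed
# as a `uci batch`, so the same certificate section can be reproduced from the
# router shell. The option names are my recollection of the OpenWrt acme
# package's /etc/config/acme (account_email, enabled, use_staging, keylength,
# domains, update_uhttpd, validation_method, dns, credentials) and are
# assumptions: confirm them with `uci show acme` on your build.
#
# Credentials are read from CF_Token, CF_Account_ID and CF_Zone_ID in the
# environment so they never appear as command-line arguments in shell history.

# Refuse to proceed while any credential is empty or still one of the
# *_HERE placeholders from the post, so a half-filled token never reaches
# /etc/config/acme.
check_cf_creds() {
    for v in "$CF_Token" "$CF_Account_ID" "$CF_Zone_ID"; do
        case "$v" in
            ""|*_HERE) return 1 ;;
        esac
    done
    return 0
}

# Print the uci batch for one new certificate section.
#   $1 account e-mail        $2 section name (must not already exist)
#   $3 use_staging, 1 or 0   $4 domain names, space separated
acme_cf_batch() {
    email=$1; sec=$2; staging=$3; domains=$4
    check_cf_creds || {
        echo "set CF_Token, CF_Account_ID and CF_Zone_ID first" >&2
        return 1
    }
    case "$staging" in
        0|1) ;;
        *) echo "use_staging must be 0 or 1" >&2; return 1 ;;
    esac
    printf "set acme.@acme[0].account_email='%s'\n" "$email"
    printf "set acme.%s=cert\n" "$sec"
    printf "set acme.%s.enabled='1'\n" "$sec"
    printf "set acme.%s.use_staging='%s'\n" "$sec" "$staging"
    printf "set acme.%s.keylength='2048'\n" "$sec"
    printf "set acme.%s.update_uhttpd='1'\n" "$sec"
    printf "set acme.%s.validation_method='dns'\n" "$sec"
    printf "set acme.%s.dns='dns_cf'\n" "$sec"
    # Names must be in the Cloudflare zone; DNS records need not exist yet.
    for d in $domains; do
        printf "add_list acme.%s.domains='%s'\n" "$sec" "$d"
    done
    # The same three entries the post puts under "DNS API Credentials".
    printf "add_list acme.%s.credentials='CF_Token=\"%s\"'\n" "$sec" "$CF_Token"
    printf "add_list acme.%s.credentials='CF_Account_ID=\"%s\"'\n" "$sec" "$CF_Account_ID"
    printf "add_list acme.%s.credentials='CF_Zone_ID=\"%s\"'\n" "$sec" "$CF_Zone_ID"
}

# On the router: load the batch, commit and restart acme. Run first with
# use_staging=1; once the staging attempt succeeds, flip only that option
# (uci set acme.<section>.use_staging='0'; uci commit acme;
# /etc/init.d/acme restart) to get the production certificate.
apply_acme_cf() {
    acme_cf_batch "$@" | uci batch && uci commit acme && /etc/init.d/acme restart
}

# Stand-alone demo with constructed credentials: only prints the batch.
if [ "${1:-}" = "demo" ]; then
    export CF_Token=constructed-token CF_Account_ID=0123456789abcdef CF_Zone_ID=fedcba9876543210
    acme_cf_batch admin@example.com cf_router 1 "router.example.com"
fi
```

Run it as `sh script.sh demo` off the router to see the generated batch; on the router, export the three real values and call `apply_acme_cf you@example.com cf_router 1 "router.example.com"`. Keeping the credentials in the environment rather than in the argument list means a later `uci show acme` is the only place they are readable, which is the same exposure LuCI gives you.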
If it fails, the system log should have enough info as to why. For example, I had the error "Can not find dns api hook for: dns_cf" - that was because I did not have the acme-dnsapi package installed.
It should now automatically renew at 60 days.