So I’ve got a new domain I want to use for all my local network stuff. I’ve used XCA to manage my own CA and got fed up with managing certs. Now I want to use Let’s Encrypt certificates with DNS validation, using the API provided by Ionos for managing DNS entries. My OpenWRT router should get its own certificate.
Connect to your OpenWRT router over SSH and install these packages:
opkg update
opkg install acme acme-dnsapi luci-app-acme luci-i18n-acme-en
Create Ionos API credentials
See this documentation on how to create a new API key. I’ve additionally created a subdomain local which I’ll be using for all my local network stuff. I assume you’ll need to have the subdomain already configured in Ionos before you request any certificates for subdomains.
Configure ACME on OpenWRT
Open the LuCI UI of your OpenWRT installation. The page is normally under Services, ACME certs. Keep the State directory at /etc/acme and add an account email that receives any messages from Let’s Encrypt.
General Settings tab
Add a new certificate. In the popup that follows, configure the domain names under which your machine should be reachable with a valid cert.
Set Key size to ECC 384 bits.
Enable Use for uhttpd, so that LuCI will use the certificate automatically.
Challenge Validation tab
Select Validation method DNS. This offers additional options specific to validation via DNS records and APIs. The DNS API for Ionos is
Now we’ll add the Ionos API credentials configured earlier. PREFIX and SECRET go in as two separate entries, one variable each, in this format:
IONOS_PREFIX=<your value> and
IONOS_SECRET=<your value>. Click on
+ after each entry to add the next variable.
Keep in mind that these values are stored in clear text in /etc/config/acme, and that the API key can change every record in your zone, not just the _acme-challenge TXT records. Anyone who can read that file on the router can take over your DNS, so restrict who has access to the router.
We don’t need Challenge Alias or Domain Alias. Those are only needed when the _acme-challenge record is delegated via CNAME to a different zone; here the DNS API controls the zone that holds the domain itself.
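The same configuration can be applied without LuCI. The script below is an added example, not code from the original post or from the OpenWrt acme package: it maps the form fields above onto the package's UCI options so the setup can be scripted or audited in /etc/config/acme. It assumes the global settings live in the first section of type acme (@acme[0]), that the Ionos provider is acme.sh's dns_ionos module, and that the section name, email address, API prefix/secret and domain names are placeholders you replace.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenWrt project): the LuCI
# ACME form expressed as a 'uci batch' script.
# Assumptions: global section is @acme[0]; provider module is dns_ionos;
# section name, email, prefix, secret and domains are placeholders.

# Emit the uci batch that creates one ECC P-384 certificate section validated
# through the Ionos DNS API and installed into uhttpd.
# Usage: acme_ionos_batch <section> <email> <prefix> <secret> <domain>...
acme_ionos_batch() {
    name=$1; email=$2; prefix=$3; secret=$4
    shift 4
    # Issue against the Let's Encrypt staging CA until the log shows success:
    # staging certs are not browser-trusted but do not consume production
    # rate limits. Run with ACME_STAGING=0 for the real certificate.
    staging=${ACME_STAGING:-1}
    cat <<EOF
set acme.@acme[0].account_email='$email'
set acme.@acme[0].state_dir='/etc/acme'
set acme.$name=cert
set acme.$name.enabled='1'
set acme.$name.use_staging='$staging'
set acme.$name.keylength='ec-384'
set acme.$name.validation_method='dns'
set acme.$name.dns='dns_ionos'
set acme.$name.update_uhttpd='1'
add_list acme.$name.credentials='IONOS_PREFIX=$prefix'
add_list acme.$name.credentials='IONOS_SECRET=$secret'
EOF
    for d in "$@"; do
        echo "add_list acme.$name.domains='$d'"
    done
    echo "commit acme"
}

# Apply the batch on the router, lock the config file down (it now holds the
# API secret in clear text) and trigger issuance.
acme_ionos_apply() {
    acme_ionos_batch "$@" | uci batch
    chmod 600 /etc/config/acme
    /etc/init.d/acme restart
}

# Only apply when run with arguments on a box that has uci, i.e. the router:
#   ACME_STAGING=0 sh acme-ionos.sh router me@example.com PREFIX SECRET router.local.example.com
if [ $# -ge 5 ] && command -v uci >/dev/null 2>&1; then
    acme_ionos_apply "$@"
fi
```

Run it once with staging enabled, confirm in the system log that the DNS challenge and issuance go through, then rerun with ACME_STAGING=0. The batch appends to the credentials and domains lists, so to change them later edit the section rather than rerunning the script, or delete the section first with uci delete.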
Testing if everything works
Click Save to close the popup, then Save & Apply, and let’s see if everything is working as expected. Go to Status, System Log and check the acme related entries. You should see something like this:
Thu Oct 12 23:13:55 2023 daemon.info acme: Using dns mode
Thu Oct 12 23:13:55 2023 daemon.err run-acme: acme: Using dns mode
...
Thu Oct 12 23:14:03 2023 daemon.info run-acme: The txt record is added: Success.
...
Thu Oct 12 23:14:24 2023 daemon.info run-acme: Pending, The CA is processing your order, please just wait. (1/30)
Thu Oct 12 23:14:27 2023 daemon.info run-acme: Success
Thu Oct 12 23:14:27 2023 daemon.info run-acme: Removing DNS records.
...
Thu Oct 12 23:14:31 2023 daemon.info run-acme: Cert success.
Thu Oct 12 23:14:31 2023 daemon.info run-acme: -----BEGIN CERTIFICATE-----
...
Note that acme.sh writes its progress to stderr, which is why the same "Using dns mode" line shows up at daemon.err as well; that priority alone does not indicate a failure.
This looks promising. Reload your browser window and it should show the right certificate being used and signed by Let’s Encrypt.
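To check the outcome without reading the whole log by hand, here is an added example (not code from the original post): a couple of shell functions that classify a run from logread output and print the fields of the certificate uhttpd actually serves. The sample log lines embedded in it are constructed to mirror the excerpt above plus a failed TXT record creation; router.local.example.com is a placeholder host.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an acme run on OpenWrt
# from 'logread' output and inspects the served certificate.
# Sample logs below are constructed; the host name is a placeholder.

# Classify a run from a file holding logread output.
# Prints success | failed | pending and returns 0 | 1 | 2.
# acme.sh logs to stderr, so 'daemon.err run-acme' lines are not errors by
# themselves; key off the message text instead.
acme_log_status() {
    if grep -q 'run-acme: Cert success' "$1"; then
        echo success; return 0
    fi
    if grep -Eq 'run-acme: .*(Error|error:|Invalid|failed)' "$1"; then
        echo failed; return 1
    fi
    echo pending; return 2
}

# Last message acme.sh logged, handy for the failure case.
acme_log_last() {
    sed -n 's/.*run-acme: //p' "$1" | tail -n 1
}

# Did the DNS API accept the TXT record? Returns 0 if yes.
acme_log_txt_added() {
    grep -q 'The txt record is added: Success' "$1"
}

# Fetch the certificate uhttpd serves and print the fields worth eyeballing:
# issuer (should be Let's Encrypt), validity, key type/curve and the SANs.
show_served_cert() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
      | openssl x509 -noout -text \
      | grep -E 'Issuer:|Not (Before|After)|Public Key Algorithm|NIST CURVE|DNS:'
}

# Constructed sample: the successful run from the post, condensed.
sample_log_ok() {
    cat <<'EOF'
Thu Oct 12 23:13:55 2023 daemon.info acme: Using dns mode
Thu Oct 12 23:13:55 2023 daemon.err run-acme: acme: Using dns mode
Thu Oct 12 23:14:03 2023 daemon.info run-acme: The txt record is added: Success.
Thu Oct 12 23:14:24 2023 daemon.info run-acme: Pending, The CA is processing your order, please just wait. (1/30)
Thu Oct 12 23:14:27 2023 daemon.info run-acme: Success
Thu Oct 12 23:14:27 2023 daemon.info run-acme: Removing DNS records.
Thu Oct 12 23:14:31 2023 daemon.info run-acme: Cert success.
EOF
}

# Constructed sample: the DNS API refusing the TXT record (e.g. bad credentials).
sample_log_fail() {
    cat <<'EOF'
Thu Oct 12 23:20:01 2023 daemon.info acme: Using dns mode
Thu Oct 12 23:20:04 2023 daemon.err run-acme: Error add txt for domain:_acme-challenge.router.local.example.com
Thu Oct 12 23:20:04 2023 daemon.err run-acme: Please check log file for more details: /etc/acme/acme.sh.log
EOF
}

# On the router:  logread > /tmp/acme.log; acme_log_status /tmp/acme.log
#                 show_served_cert router.local.example.com
```

On a failed run, acme_log_txt_added tells you whether the problem is on the Ionos side (record never created: check IONOS_PREFIX/IONOS_SECRET and that the subdomain exists in the zone) or on the CA side (record created but validation failed: check that the zone is actually served publicly). show_served_cert confirms not only the issuer but also that the key is EC on the P-384 curve you selected and that every domain you entered is present as a SAN.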
Wow, this was quick and painless. ACME was able to communicate with Ionos and set up all necessary DNS entries for validation. I’m a happy Let’s Encrypt certificate user now. The only downside of this approach is that I cannot create an ASN for the OpenWRT internal IP, but that’s ok.