Introduction
My Uptime-Kuma notified me about expiring certificates on my OpenWRT router. Since that certificate is also used by my AdGuard Home installation, I knew trouble was waiting for me just around the corner. Something blocked the cert renewal. Either I fix this now, or in a few days I'll be sitting without working DNS and with an unsecured OpenWRT UI.
Analyzing the problem
Acme on OpenWRT isn't run as a regular service. That's why it's marked as stopped in the startup selection. It is executed as part of a cronjob/Scheduled Task like this:
# Check LetsEncrypt Certificate renewal at midnight
0 0 * * * /etc/init.d/acme start
I checked the syslog and found only this error:
ERROR USER root pid 5285 cmd /etc/init.d/acme start
So I tried to run it manually via SSH with /etc/init.d/acme start, but only got an error around the variable key_type. This variable is new, introduced with acme 4.0. However, when I checked my LuCI config file in /etc/config/acme, it had this option configured: keylength 'ec-384'. This is the old value, and somehow the LuCI configuration did not have the newest configuration format stored.
Fixing the problem
I searched for the error message and found some interesting issues from 2024 regarding acme, Let's Encrypt and problems with OpenWRT. So I tried to update everything to the latest available version first, but I'm seeing no other updates.
The OpenWRT wiki mentioned an acme-common package in version 1.4 from May 2024, which I'm clearly not able to install. The source code for the package already mentions version 1.4, but I'm stuck on 1.0.4.
The OpenWRT forum had a good hint. In version 1.4.0 a few lines changed so that any old-format config file can be read and translated into the right new format. The only thing I had to change was this part in the file /etc/init.d/acme. If I execute the command now, it succeeds and the certificate is extended.
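The translation step described above, as an added POSIX sh example that is not the acme-common init script itself: it maps the legacy UCI option keylength (acme.sh style values such as ec-384 or 2048) to the newer key_type option, and fails loudly instead of leaving key_type unset. The key_type value names (ec256, ec384, rsa2048, ...) and the section name are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not the acme-common 1.4 code. Assumed new-style values:
# ec256 / ec384 / ec521 for EC keys, rsa2048 / rsa3072 / rsa4096 for RSA.

# Map one legacy keylength value to a key_type value.
# Prints the result; returns 1 for values it does not recognise.
legacy_keylength_to_key_type() {
	case "$1" in
	ec-256|ec-384|ec-521) printf 'ec%s\n' "${1#ec-}" ;;
	2048|3072|4096) printf 'rsa%s\n' "$1" ;;
	*) return 1 ;;
	esac
}

# Resolve the effective key_type for one config section.
# $1 = explicit key_type (may be empty), $2 = legacy keylength (may be empty).
# An explicit key_type wins; otherwise keylength is translated; if neither
# is set the function returns 1 so the caller sees a clear error rather
# than an "unset variable" failure later in the renewal run.
resolve_key_type() {
	if [ -n "$1" ]; then
		printf '%s\n' "$1"
	elif [ -n "$2" ]; then
		legacy_keylength_to_key_type "$2"
	else
		echo "key_type: neither key_type nor keylength configured" >&2
		return 1
	fi
}

# Same lookup against the live UCI config on an OpenWRT box. The section
# name "cert1" is a placeholder; use your own certificate section name.
resolve_section_key_type() {
	section="${1:-cert1}"
	resolve_key_type \
		"$(uci -q get "acme.$section.key_type")" \
		"$(uci -q get "acme.$section.keylength")"
}
```

Running resolve_section_key_type on the router prints the value the renewal would use, or an error if both options are missing.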
Conclusion
There seems to be a new package waiting, but it isn't part of the stable version yet. I hope this will be fixed soon so I can stop relying on this workaround.