Pushing valid SSL certificates to OpenWRT router

If you’re running a homelab, at some point you’ll want your services to use valid SSL certificates. Once you reach that stage, you’ll likely run into challenges around how to manage those certificates and deploy them across all of your services.

For example, in my setup, I run several virtual machines and containers on a Proxmox instance. I also have OpenWRT routers where I want SSL certificates deployed and properly managed. While I’m still exploring the best long-term certificate management solution, I’ve been using Nginx Proxy Manager (NPM) to handle certificate issuance and renewal.

However, NPM has its limitations, for instance in my setup it only manages certificates for services running on the same Docker network as the NPM instance itself. That leaves other services—like those running in different VMs or on networked devices such as my OpenWRT routers—without automatically updated certificates.

To bridge that gap, I created a simple bash script that checks whether a certificate has been recently renewed and, if so, pushes it to other services using scp.

In this post, I’ll walk you through how I use this method to deploy a renewed certificate to my OpenWRT router.

Prerequisites

First, make sure you can access your OpenWRT router via SSH. The sshd service should be enabled and configured properly. You’ll also need:

SSH access to the OpenWRT device
Public key authentication (recommended for automation). You can set it up using: ssh-copy-id root@openwrt

Uhttpd Configuration

OpenWRT’s graphical interface, LuCI, uses the uhttpd web server. The paths to the certificate files are specified in the /etc/config/uhttpd file:

config uhttpd 'main'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'

uhttpd can also read fullchain.pem and privkey.pem files, so the first step is to upload them to the router.

There are several ways to do this, but the easiest is using scp or rsync:

scp /path/to/fullchain.pem root@openwrt:/etc/fullchain.pem
scp /path/to/privkey.pem root@openwrt:/etc/privkey.pem

Next, modify the configuration file by updating the certificate paths. You can either comment out or remove the lines pointing to uhttpd’s default certificates:

config uhttpd 'main'
    option cert '/etc/fullchain.pem'
    option key '/etc/privkey.pem'
    #option cert '/etc/uhttpd.crt'
    #option key '/etc/uhttpd.key'

After modifying the config file, the final step is to restart the uhttpd server:

/etc/init.d/uhttpd restart

Automation

Finally, to update the certificates automatically when they change, I added the following lines to my automation Bash script, which I run from crontab:

scp /path/to/fullchain.pem root@openwrt:/etc/fullchain.pem
scp /path/to/privkey.pem root@openwrt:/etc/privkey.pem
ssh root@openwrt '/etc/init.d/uhttpd restart'

I’m sure there are more robust ways to manage certificates on OpenWRT, but this approach works well in a homelab setup.

Prerequisites#

Uhttpd Configuration#

Automation#

Prerequisites

Uhttpd Configuration

Automation