using my own ssl certificate in tomato

Discussion in 'Tomato Firmware' started by nxmehta, Oct 30, 2008.

  1. nxmehta

    nxmehta LI Guru Member

    I have an ssl certificate that is signed by my internal certificate authority for my intranet, and i want to use this cert in tomato. However, I can't figure out how to get this to work. I've overwritten the /etc/cert.pem and /etc/key.pem files but the new files are not recognized.

    I'm guessing that I have to write the certificates to nvram? I'm a little nervous messing around with the nvram... can anyone tell me what I should do or what commands I need to run here?
  2. rhester72

    rhester72 Network Guru Member

    Make sure you restart the httpd process after you replace the certs.

  3. nxmehta

    nxmehta LI Guru Member

    How do I do that? I'm used to using apache2ctl and there doesn't seem to be manpages installed on tomato.
  4. fyellin

    fyellin LI Guru Member

  5. marlll

    marlll Guest

  6. nxmehta

    nxmehta LI Guru Member

    Ok, I see that I have to write the cert to the nvram. The command in that post is reading from nvram. What is the command that I need to run to write to the nvram? What's the syntax for nvram writing? Does it take input from stdin or from a file? Do I write just the public key to https_crt? If so, where does the private key get written?

    Thanks for any help.
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    nvram set https_crt_file="<paste certificate here>"
  8. nxmehta

    nxmehta LI Guru Member

    Thanks for the command! I'm still having problems with this though. I set the https_crt_file (tricky to paste in the cert as there's a character limit for a busybox prompt; I had to use lots of \'s), ran 'nvram commit', and upon rebooting the router the https_crt_file value remains unchanged. https_crt_save is set to 1, so it should be reading the cert from the nvram. It's definitely saving it in the nvram, as I can't seem to overwrite it?

    Did I miss something else I need to do?

    Also, I've noticed that I can't tell what format the https_crt_file value is in. I ran 'openssl x509 -text -noout -in <cert>' and openssl can't parse the cert that tomato stores in https_crt_file. Furthermore, https_crt_file looks different than /etc/cert.pem (is that a CA cert instead?)

    Any advice?
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, I forgot to mention you also have to run
    nvram commit
    to make it survive a reboot.

    Now, I've never used this nvram variable before, but from the source code, it looks like it is a base64 encoded tarball that consists of the cert.pem and key.pem.

    I think you can just put the files in place (in /etc/) and run
    service admin restart
    to get the router to pack them up and put them in nvram for you (just be sure you have "Save in NVRAM" checked and "Regenerate" unchecked in the Web GUI). Note that I haven't tried this and I'm just going off browsing the source.
  10. nxmehta

    nxmehta LI Guru Member

    Ok, so I tried putting the cert in /etc/ and running service admin restart, but no luck in getting the cert written to nvram. "Regenerate" was unchecked and "Save in NVRAM" was checked.

    You are correct in saying that https_crt_file is a base64 encoded (and gzip'd, as it turns out) tarball; I was able to decode, unzip and unpack the field stored in the router. So I took my custom cert, tar xvfz'd it and ran it through base64. I wrote it to the https_crt_file field, ran nvram commit, and tried to log into the router through https. Everything worked great, it picked up the certificate fine.

    However, upon reboot the cert was overwritten with the old cert! I'm not sure why this is happening. I ran nvram commit, and in the web interface "Regenerate" is unchecked and "Save in NVRAM" is checked. Anything else I'm missing?

    Maybe I should also take a look at the source...

    Thanks again btw, your information has been very helpful.
  11. nxmehta

    nxmehta LI Guru Member

    Hmmm, looking at the source I can't figure out why it would be failing to pick up my cert. I see the message "Generating SSL certificate" in my syslog, which means that at least one of /etc/cert.pem or /etc/key.pem doesn't exist, but somehow the process of reading back my written value in the nvram and uncompressing is failing.

    I do however see that the way new certs are generated is through /sbin/, so I could probably just modify that script to copy over my own cert. Looks easy; I'll let you know how it goes ;)
  12. nxmehta

    nxmehta LI Guru Member

    Um, never mind, I forgot we have a read-only filesystem here! This is not going to work.
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, we're making progress at least.

    When you say it was replaced with the old cert, are you certain it was the old cert? Or was it just a different cert (could it be a new one)?

    If it was the old one, we know it is still being stored somewhere. You may try
    nvram show | grep https
    nvram show | grep crt
    to see if it is being stored in another nvram variable.

    If it was a new one, it could be there is a bug in the firmware that doesn't honor the nvram cert on a reboot. It seems I remember that for the short while I used https for remote administration, I had to teach my browser a new cert every reboot. I could be remembering wrong, though. If this is the case (if you confirm it), I'll try to see if I can find the bug so it can be fixed.
  14. nxmehta

    nxmehta LI Guru Member

    OK! I figured it out. First, to clear something up, I was mistaken in saying that tomato was replacing my cert with an old cert- it was actually generating a new cert.

    The reason that it wasn't accepting my cert and generating a new one was that my cert was too long. After processing my cert/key files with tar, gzip -9 and base64 my cert was around ~2400 characters long. It looks like the function nvram_get_file (declared in misc.c, called in httpd.c) has a buffer limit of 2048 characters. Since my cert was too long nvram_get_file would fail and a new cert would be generated.

    I fixed this by generating a 512 bit certificate rather than a 1024 bit one. 1024 bit is a standard length for a cert, so if tomato wanted to support that it would have to change the limit from 2048 to something higher. It might have implications for other bits of code though, I dunno. I'm only the messenger :)
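    The packing procedure nxmehta works out in posts 10 and 14 (tar the two PEM files, gzip -9, base64, then see whether the result is shorter than the 2048-character nvram_get_file buffer), as an added shell example that is not from this thread and not from the Tomato source. It runs on a workstation, not on the router: the PEM files it creates are constructed placeholders with random bodies, sized roughly like the DER of a cert and key (not real key material); the variable names https_crt_file and https_crt_save and the command service admin restart are the ones the thread names, and the router-side commands are only printed; treating 2048 as the whole buffer, so that the blob must be strictly shorter, is an assumption on my part.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomato source): build the https_crt_file
# blob as described in posts #10 and #14 and check it against the nvram_get_file
# buffer before writing anything to nvram. Needs tar, gzip, base64, fold, wc.

NVRAM_FILE_LIMIT=2048   # buffer size reported for nvram_get_file in post #14

# make_sample_pem OUT LABEL NBYTES: constructed placeholder PEM file whose body is
# NBYTES of random data (incompressible, like real DER). Not a real cert or key;
# replace with the files from your CA for real use.
make_sample_pem() {
    out=$1 label=$2 nbytes=$3
    {
        printf '%s\n' "-----BEGIN $label-----"
        head -c "$nbytes" /dev/urandom | base64 | tr -d '\n' | fold -w 64
        echo
        printf '%s\n' "-----END $label-----"
    } > "$out"
}

# pack_cert DIR: gzip -9 tarball of DIR/cert.pem and DIR/key.pem, base64 with no
# line breaks, on stdout. Members are named cert.pem and key.pem, as in post #9.
pack_cert() {
    (cd "$1" && tar cf - cert.pem key.pem | gzip -9) | base64 | tr -d '\n'
}

# blob_length BLOB: number of characters nvram would have to hold
blob_length() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# check_fits BLOB: succeeds if the blob is shorter than the nvram_get_file buffer.
# Assumption: 2048 is the whole buffer, so one byte is kept for the terminator.
check_fits() {
    [ "$(blob_length "$1")" -lt "$NVRAM_FILE_LIMIT" ]
}

# verify_blob BLOB: the round trip from post #10 (decode, gunzip, list members)
verify_blob() {
    printf '%s' "$1" | base64 -d | gzip -dc | tar tf -
}

# nvram_commands BLOB: router-side commands from posts #7, #8 and #9 (printed, not run)
nvram_commands() {
    printf 'nvram set https_crt_file="%s"\n' "$1"
    printf 'nvram set https_crt_save=1\n'
    printf 'nvram commit\n'
    printf 'service admin restart\n'
}

# Demo: a pair sized like the thread's 1024-bit cert and key (~2400 chars packed)
# versus a much smaller pair; only the small one survives the buffer check.
demo() {
    dir=$(mktemp -d)
    for nbytes in 900 330; do
        make_sample_pem "$dir/cert.pem" CERTIFICATE "$nbytes"
        make_sample_pem "$dir/key.pem" "RSA PRIVATE KEY" "$nbytes"
        blob=$(pack_cert "$dir")
        if check_fits "$blob"; then
            echo "body $nbytes bytes: blob $(blob_length "$blob") chars, fits; members: $(verify_blob "$blob" | tr '\n' ' ')"
            nvram_commands "$blob" | cut -c1-60     # first 60 chars of each line, for display
        else
            echo "body $nbytes bytes: blob $(blob_length "$blob") chars, exceeds $NVRAM_FILE_LIMIT; httpd would regenerate"
        fi
    done
    rm -rf "$dir"
}

demo
```

The functions only look at sizes and archive layout, so for real material just point pack_cert at a directory holding the cert.pem and key.pem your CA issued. One caveat on the workaround in post 14: dropping to a 512-bit key keeps the blob under the buffer, but 512-bit RSA had already been factored in public (RSA-155, 1999) by the time of this thread, so anyone on the intranet who captures the key's public half can recover the private key; raising the buffer in httpd, as the post itself suggests, is the sounder fix.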
  15. mrap

    mrap LI Guru Member

    Looks like this may be a bug and is still present in 1.23

    I notice that even though I have regenerate unchecked, and save in NVRAM checked, Tomato always creates a new certificate upon restart/reboot:
    Jun 2 21:06:11 MyTomR httpd[699]: Generating SSL certificate...

    Very annoying in Firefox because I have to keep accepting and adding and saving the new certificates.