This post documents a fix for an Asus router issue where uploading a new SSL certificate results in an unknown or processing status
Intro
This is an issue I’ve run into today while trying to renew the certificate that I use for my DDNS/VPN configuration.
Using your own certificate on Asus has always been, at least in my experience, a somewhat finicky process, with the upload requiring multiple attempts, restarts, switching between options, etc.
But this time it seems like nothing that worked before is able to fix the issue, and I’ve also had no luck Googling for a solution.
My setup
Router – RT-AX86U Pro
Firmware – Asuswrt-Merlin 3004.388.7
Behavior
So, my current certificate is about to expire tomorrow, and I want to upload a new certificate to replace this one.
I’m not using Let’s Encrypt or anything else because:
- I just need it for the DDNS and VPN configuration I have on my router. This also means that it doesn’t matter if it’s provided by a CA or not.
- I want to reduce the number of things that can go wrong. And the Let’s Encrypt cert renewal process on Asus routers sometimes tends to fail – if this happens while I’m away from home I’m not going to be happy.
Before doing anything, I export the current certificate and key, and take a backup of the current configuration and, more importantly, of the router’s JFFS partition.
Backups can be done from Advanced Settings > Administration > Restore/Save/Upload Settings.
Note: I recommend that everyone takes periodic backups of their router’s configuration, and also backs up before changing or upgrading the firmware.
Now, I try to upload the new cert.pem and key.pem files.
I do this using the Upload button found in Advanced Settings > WAN > DDNS, and provide the two files when prompted.
I click OK to close the Import window and then Apply.
The first symptom is that the main page goes into a refresh loop that causes the browser to constantly prompt to either resend the info or cancel the reload.
When I press Cancel, the DDNS page returns, but the status of the server’s certificate is “Unknown or processing…”.
Logging out and back in doesn’t change anything, and rebooting the router switches the SSL configuration to Auto.
Digging into the backups
Since the GUI enters that refresh loop, I’m suspecting that the issue is with the upload process itself.
So, I started looking into the configuration and JFFS partition backups.
Since the configuration backup is encoded on Asus routers, I use this Bash script with a small modification to save the decoded config file.
Since none of the SSL-related info was in the config, I turn my attention to the JFFS partition backup.
I use 7-zip to extract the .tar backup of the router’s JFFS partition, and start looking through the resulting files.
There I find a .cert folder containing the cert.pem and key.pem files, whose contents match the previously exported cert and key files.
This is promising. It means that they’re stored in the JFFS partition and I can update them directly.
I then connect to the router via SSH to see if I can find those files in the /jffs/.cert/ directory.
Unfortunately, they aren’t there, although the same sshd_* files are present in that location as in my backup.
The fix
So, how can I upload the new certificate and key if I can’t do it through the GUI or via SSH?
Asus doesn’t have any means of checking whether the JFFS partition backup has been modified in any way.
There’s no internal table of the x most recent backups and their hashes to validate their integrity.
This means that I should be able to force the new certificate into the router by replacing the contents of the one in the backup .tar file.
Before proceeding, I make a backup copy of the backup file. Yes, a backup of a backup, because it doesn’t hurt to be paranoid when it comes to backups.
I then open the .tar archive with 7-Zip. Note, I said open, not extract.
And navigate to the .cert directory.
Then, I edit the cert.pem and key.pem files via right click > edit.
And replace their contents with the contents of the new certificate and key.
When 7-Zip prompts me about updating the archive, I click Ok.
I then close 7-Zip and go through the process of restoring the JFFS backup.
When prompted to browse for the backup file, I provide the one I’ve just modified and then click Upload.
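If you would rather not hand-edit the archive in 7-Zip, the following Python script does the same swap on a copy of the JFFS backup. It is an added example of mine, not code from Asus or the Asuswrt-Merlin project. The entry names .cert/cert.pem and .cert/key.pem come from the post; the PEM contents and the sshd entry are constructed placeholders, and the PEM sanity check and the "entry not found" error are my additions so that a truncated file or a backup with a different layout is never restored by mistake.

```python
import copy
import io
import tarfile

# Constructed placeholders standing in for the real PEM files (not real keys).
OLD_CERT = b"-----BEGIN CERTIFICATE-----\nOLD-CERT-BODY\n-----END CERTIFICATE-----\n"
OLD_KEY = b"-----BEGIN PRIVATE KEY-----\nOLD-KEY-BODY\n-----END PRIVATE KEY-----\n"
NEW_CERT = b"-----BEGIN CERTIFICATE-----\nNEW-CERT-BODY\n-----END CERTIFICATE-----\n"
NEW_KEY = b"-----BEGIN PRIVATE KEY-----\nNEW-KEY-BODY\n-----END PRIVATE KEY-----\n"

def looks_like_pem(data: bytes, label: bytes) -> bool:
    """Cheap sanity check so a truncated or mixed-up file never lands in the backup."""
    lines = data.strip().splitlines()
    return (len(lines) >= 3 and lines[0].startswith(b"-----BEGIN ") and label in lines[0]
            and lines[-1].startswith(b"-----END ") and label in lines[-1])

def build_sample_backup() -> bytes:
    """Constructed stand-in for the router's JFFS .tar: .cert/ with cert, key and an sshd file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in ((".cert/cert.pem", OLD_CERT), (".cert/key.pem", OLD_KEY), (".cert/sshd_host_key", b"keep-me\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def replace_cert_in_backup(backup: bytes, new_cert: bytes, new_key: bytes) -> bytes:
    """Copy the backup, swapping only .cert/cert.pem and .cert/key.pem; every other entry is untouched."""
    if not (looks_like_pem(new_cert, b"CERTIFICATE") and looks_like_pem(new_key, b"PRIVATE KEY")):
        raise ValueError("new cert/key do not look like PEM files; refusing to modify the backup")
    wanted = {".cert/cert.pem": new_cert, ".cert/key.pem": new_key}
    replaced, out = set(), io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(backup), mode="r") as src, tarfile.open(fileobj=out, mode="w") as dst:
        for member in src:
            name = member.name[2:] if member.name.startswith("./") else member.name
            if member.isfile() and name in wanted:
                info = copy.copy(member)  # keep path, mode and owner; only size and content change
                info.size = len(wanted[name])
                dst.addfile(info, io.BytesIO(wanted[name]))
                replaced.add(name)
            else:
                dst.addfile(member, src.extractfile(member) if member.isfile() else None)
    if missing := set(wanted) - replaced:
        raise ValueError(f"backup has no {sorted(missing)}; layout differs, not safe to restore")
    return out.getvalue()

def read_member(backup: bytes, name: str) -> bytes:
    """Helper for checking the result: return one entry's content from a backup."""
    with tarfile.open(fileobj=io.BytesIO(backup), mode="r") as tar:
        return tar.extractfile(name).read()
```

With a real backup, read the .tar into bytes, call replace_cert_in_backup with the new cert.pem and key.pem contents, and write the result to a new file; keep the original untouched so you can restore it if the upload misbehaves.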
Then, I go to Advanced Settings > System Log and verify that the following message appears:
May 18 18:08:24 httpd: JFFS restore completed
May 18 18:08:26 rc_service: service 20121:notify_rc restart_firewall
I log out and log back in, and then I navigate to DDNS.
At the moment, the router still shows the Auto SSL configuration.
I select “Import Your Own Certificate”, click Apply and then Cancel in Firefox’s resend prompt.
And now the certificate info is updated, and I can see the new expiration date.
After this, I reboot the router to be sure everything is in order and take another backup of the JFFS partition.
Conclusion
This isn’t my usual SQL Server stuff, but I figured anyone else running into this Asus router issue where the SSL certificate status ends up being “unknown or processing” might appreciate some help.