Fix Asus router SSL certificate unknown or processing

by Vlad Drumea

This post documents a fix for an Asus router issue where uploading a new SSL certificate results in an unknown or processing status.

Intro

This is an issue I’ve run into today while trying to renew the certificate that I use for my DDNS/VPN configuration.

Using your own certificate on Asus has always been, at least in my experience, a somewhat finicky process, with the upload requiring multiple attempts, restarts, switching between options, etc.

But this time it seems like nothing that worked before is able to fix the issue, and I’ve also had no luck Googling for a solution.

My setup

Router – RT-AX86U Pro

Firmware – Asuswrt-Merlin 3004.388.7

Behavior

So, my current certificate is about to expire tomorrow, and I want to upload a new certificate to replace this one.

The router's DDNS menu section showing that the current certificate is Active and expires on 2024/5/19

I’m not using Let’s Encrypt or anything else because:

  1. I just need it for the DDNS and VPN configuration I have on my router. This also means that it doesn’t matter if it’s provided by a CA or not.
  2. I want to reduce the number of things that can go wrong. And the Let’s Encrypt cert renewal process on Asus routers sometimes tends to fail – if this happens while I’m away from home I’m not going to be happy.

Before doing anything, I export the current certificate and key, and take a backup of the current configuration and, more importantly, of the router’s JFFS partition.

Backups can be done from Advanced Settings > Administration > Restore/Save/Upload Settings

Restore/Save/Upload Settings menu with the "Save Settings" button marked and the Save button in the "Backup JFFS partition" section also marked.

Note: I recommend that everyone take periodic backups of their router's configuration, and also take a backup before changing or upgrading the firmware.

Now, I try to upload the new cert.pem and key.pem files.

I do this using the Upload button found in Advanced Settings > WAN > DDNS.

Section: HTTPS/SSL Certificate Option selected: Import your own certificate Button: Upload (marked)

And provide the 2 files when prompted.

Import Your Own Certificate Upload a certificate issued by a certificate authority here. Your private key and SSL certificate are necessary. Private Key : SSL Certificate : * Private keys cannot be passphrase protected. Buttons: Cancel, OK (marked)

I click OK to close the Import window and then Apply.

The first symptom is that the main page goes into a refresh loop that causes the browser to constantly prompt to either resend the info or cancel the reload.

Firefox prompt Title: Confirm Contents: To display this page, Firefox must send information that will repeat any action (such as a search or order confirmation) that was performed earlier Buttons: Resend, Cancel

When I press Cancel, the DDNS page returns, but the status of the server’s certificate is “Unknown or processing…”.

The router's DDNS menu section showing that the current certificate is in an Unknown or processing state

Logging out and back in doesn’t change anything, and rebooting the router switches the SSL configuration to Auto.

HTTPS/SSL Certificate Auto
Root Certificate/Intermediate Certificate
Issued to : RT-AC86U-4440 Root Certificate 20180505080520
Issued by : RT-AC86U-4440 Root Certificate 20180505080520
Expires on : 2038/5/6
Server Certificate
Status : Active
Issued to : RT-AC86U-4440 Server Certificate
Issued by : RT-AC86U-4440 Root Certificate 20180505080520
Expires on : 2044/5/19

Digging into the backups

Since the GUI enters that refresh loop, I’m suspecting that the issue is with the upload process itself.
So, I started looking into the configuration and JFFS partition backups.

Since the configuration backup is encoded on Asus routers, I use this Bash script with a small modification to save the decoded config file.

Since none of the SSL related info was in the config, I turn my attention to the JFFS partition backup.

I use 7-zip to extract the .tar backup of the router’s JFFS partition, and start looking through the resulting files.
There I find a .cert folder containing the cert.pem and key.pem file whose contents match the previously exported cert and key files.

Screenshot of Windows File Explorer showing the following files in the .cert directory: cert.pem, key.pem, sshd_dsskey, sshd_ecdsakey, sshd_hostkey, sshd_ed25519key

This is promising. It means that they’re stored in the JFFS partition and I can update them directly.

I then connect to the router via SSH to see if I can find those files in the /jffs/.cert/ directory.

PowerShell window:
ASUSWRT-Merlin RT-AX86U_PRO 3004.388.7_0 Fri Apr 26 18:22:46 UTC 2024
vlad@RT-AC86U-4440:/tmp/home/root# cd /jffs/.cert/
vlad@RT-AC86U-4440:/jffs/.cert# ls -alth
drw------- 2 vlad root 448 May 18 15:36 .
-rw------- 1 vlad root 459 Apr 8 2020 sshd_dsskey
-rw------- 1 vlad root 140 Apr 8 2020 sshd_ecdsakey
-rw------- 1 vlad root 805 Apr 8 2020 sshd_hostkey
drwxr-xr-x 14 vlad root 2.0K May 5 2018 ..
-rw------- 1 vlad root 83 May 5 2018 sshd_ed25519key

Unfortunately, this isn’t the case, although the same sshd_* files are present in that location as the ones in my backup.

The fix

So, how can I upload the new certificate and key if I can’t do it via the GUI or via SSH?

The secret ingredient is crime.

Asus doesn’t have any means of checking if the JFFS partition backup wasn’t modified in any way.
There’s no internal table with the x most recent backups and their hashes to validate their integrity.

This means that I should be able to force the new certificate into the router, by replacing the contents of the one in the backup .tar file.

Before proceeding, I make a backup copy of the backup file. Yes, a backup of a backup, because it doesn’t hurt to be paranoid when it comes to backups.

I then open the .tar archive with 7-Zip. Note, I said open, not extract.
And navigate to the .cert directory.

Screenshot of 7-Zip showing the .cert folder and its contents in the .tar archive

Then, I edit the cert.pem and key.pem files via right click > edit.
And replace their contents with the contents of the new certificate and key.

When 7-Zip prompts me about updating the archive, I click Ok.

Title: 7-Zip File 'cert.pem' was modified. Do you want to update it in the archive? Buttons: Ok (selected) Cancel

I then close 7-Zip and go through the process of restoring the JFFS backup.
When prompted to browse for the backup file, I provide the one I’ve just modified and then click Upload.

Title JFFS Partition Section: Backup JFFS partition Button: Save Section: Restore JFFS partition Button: Upload Button: Browse File selected: 20240518_PreCertChange_backup_jffs.tar

Then, I go to Advanced Settings > System Log and verify that the following message appears:

May 18 18:08:24 httpd: JFFS restore completed
May 18 18:08:26 rc_service: service 20121:notify_rc restart_firewall

I log out and log back in, and then I navigate to DDNS.
At the moment, the router still shows the Auto SSL configuration.

I select “Import Your Own Certificate”, click Apply and then Cancel in Firefox’s resend prompt.
And, now the certificate info is updated, and I can see the new expiration date.

Server Certificate Status : Active Issued to : [redacted] Issued by : [redacted] Expires on : 2025/5/18

After this, I reboot the router to be sure everything is in order and take another backup of the JFFS partition.
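
The in-archive edit from the steps above, as an added example (not the author's code; the post does this by hand in 7-Zip): it swaps the two files inside a copy of the backup, then compares per-file SHA-256 hashes against the untouched copy to confirm that only cert.pem and key.pem changed before restoring. The `jffs/` path prefix and the file contents in `sample_backup` are constructed placeholders, and the suffix match in `TARGETS` is an assumption about how the backup names its members.

```python
import hashlib
import io
import tarfile

# Assumption: member paths end with these names; the post does not show the
# exact prefix used inside the backup .tar.
TARGETS = (".cert/cert.pem", ".cert/key.pem")

def member_hashes(tar_bytes):
    """Map every regular file in the archive to the SHA-256 of its content."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar if m.isfile()}

def replace_members(tar_bytes, new_contents):
    """Copy the archive, swapping bytes of members whose path ends with a key."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as src, \
            tarfile.open(fileobj=out, mode="w", format=tarfile.GNU_FORMAT) as dst:
        for m in src:
            key = next((t for t in new_contents if m.name.endswith(t)), None)
            if m.isfile() and key is not None:
                m.size = len(new_contents[key])  # owner, mode, mtime stay as read
                dst.addfile(m, io.BytesIO(new_contents[key]))
            else:
                dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()

def changed_members(before, after):
    """Names whose content differs or that exist in only one archive."""
    a, b = member_hashes(before), member_hashes(after)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def sample_backup():
    """Constructed stand-in for a JFFS backup; contents are placeholders."""
    files = {"jffs/.cert/cert.pem": b"OLD CERT\n", "jffs/.cert/key.pem": b"OLD KEY\n",
             "jffs/.cert/sshd_hostkey": b"HOSTKEY\n"}
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o600
            tar.addfile(info, io.BytesIO(data))
    return out.getvalue()

if __name__ == "__main__":
    original = sample_backup()
    edited = replace_members(original, {TARGETS[0]: b"NEW CERT\n", TARGETS[1]: b"NEW KEY\n"})
    print("changed:", changed_members(original, edited))
```

Since the router keeps no hashes of its own, recording the SHA-256 of each backup file you save gives you the same check across whole archives.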

Conclusion

This isn’t my usual SQL Server stuff, but I figured anyone else running into this Asus router issue where the SSL certificate status ends up being “unknown or processing” might appreciate some help.
