GL.iNet router config

The configuration here is done within the OpenWRT (LuCI) part of GL.iNet routers.

DynDNS with OVH domain

By default, GL.iNet routers use a .glddns.com address, which is fine, but if you want to use your own DynDNS provider, here are the steps (this will break DDNS from the GL.iNet interface).

Using LuCI, uninstall gl-sdk4-ddns. You can also uninstall ddns-scripts, ddns-scripts-services & luci-app-ddns (not strictly necessary, but it gives you a clean slate).

Then update the package list and re-install luci-app-ddns, ddns-scripts & ddns-scripts-services.

The OpenWRT interface will then be available. For OVH, here are the settings to set :

  • Lookup hostname : ddns.example.com
  • DDNS Service provider : ovh.com
  • Domain : ddns.example.com
  • Username : ovh-ddns-username
  • Password : ovh-ddns-password

In the Advanced settings tab you can set the source of the IP; in my case, as it's the WAN IP, there's nothing to change.

All set, you can enable and save.

DNS-challenge with OVH domain

Using LuCI, install acme, acme-dnsapi and luci-app-acme.

Create the API keys for OVH, replacing mydomain.com by the domain you are targeting. Note : These are slightly different than the ones that Certbot uses. I have no idea why, but when you use the ones from Certbot, the challenge fails.

In the interface, go to the Challenge validation tab and fill it as such :

  • Validation method : DNS
  • DNS API : dns_ovh
  • DNS API credentials : Create the 3 keys, with the ' on both sides, as follows
    • OVH_AK='OVH_APPLICATION_KEY'
    • OVH_AS='OVH_APPLICATION_SECRET'
    • OVH_CK='OVH_CUSTOMER_KEY'

You can also set OVH_END_POINT, if not using ovh-eu (default value).

If there is an issue, you can check the logs over SSH using logread -e acme.

Adding support for the GL.iNet webinterface

Your certificate is stored in /etc/acme (or whichever folder you've set).

Edit the GL.iNet nginx config file /etc/nginx/conf.d/gl.conf and change the 2 following lines :

ssl_certificate /etc/nginx/nginx.cer;
ssl_certificate_key /etc/nginx/nginx.key;

with

ssl_certificate /etc/acme/mydomain.com_ecc/fullchain.cer;
ssl_certificate_key /etc/acme/mydomain.com_ecc/mydomain.com.key;

Note : the _ecc suffix depends on the kind of key you've requested; it's only there if you are using ECC keys, not RSA.

Persist changes after firmware upgrade

Append the following lines to /etc/sysupgrade.conf :

/etc/acme/
/etc/nginx/conf.d/gl.conf
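
The two manual steps above (pointing gl.conf at the ACME certificate, then persisting the paths) can be scripted so that a missing key or a rejected config does not lock you out of the web interface. This is an added example, not part of the original page; the function names and the NGINX_TEST variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and NGINX_TEST
# are hypothetical. Assumes paths contain no '|', '&' or '\' characters.

# Command used to validate the nginx configuration after the edit.
: "${NGINX_TEST:=nginx -t}"

# use_acme_cert CONF CERT KEY
# Rewrite the ssl_certificate / ssl_certificate_key directives in CONF.
use_acme_cert() {
    conf=$1; cert=$2; key=$3
    # Refuse to edit when a file is missing or empty: nginx would not start.
    if [ ! -s "$cert" ] || [ ! -s "$key" ]; then
        echo "certificate or key missing: $cert $key" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak" || return 1
    # "ssl_certificate" must be followed by whitespace, so the first
    # expression never touches the ssl_certificate_key line.
    sed -e "s|^\([[:space:]]*ssl_certificate\)[[:space:]].*;|\1 $cert;|" \
        -e "s|^\([[:space:]]*ssl_certificate_key\)[[:space:]].*;|\1 $key;|" \
        "$conf.bak" > "$conf" || return 1
    # Validate before any reload; roll back if nginx rejects the result.
    if ! $NGINX_TEST >/dev/null 2>&1; then
        echo "nginx rejected the new config, restoring $conf.bak" >&2
        cp -p "$conf.bak" "$conf"
        return 1
    fi
}

# persist_path LIST PATH
# Append PATH to LIST only if it is not already listed (safe to re-run).
persist_path() {
    list=$1; path=$2
    grep -qxF -- "$path" "$list" 2>/dev/null || printf '%s\n' "$path" >> "$list"
}

# On the router, with the paths used on this page:
#   use_acme_cert /etc/nginx/conf.d/gl.conf \
#       /etc/acme/mydomain.com_ecc/fullchain.cer \
#       /etc/acme/mydomain.com_ecc/mydomain.com.key
#   persist_path /etc/sysupgrade.conf /etc/acme/
#   persist_path /etc/sysupgrade.conf /etc/nginx/conf.d/gl.conf
# Then reload nginx (assumption: the standard /etc/init.d/nginx script).
```

Listing /etc/acme/ in /etc/sysupgrade.conf means configuration backups made with sysupgrade also contain the certificate's private key, so store those archives accordingly.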