Allowing SSL in wget on OpenWrt/LEDE
Posted April 4, 2018
Last updated October 23, 2021 | b36809d
4 minute read
Why? 🔗
For the post regarding blocking ads in OpenWrt, I had to figure out how to add some extra blocklists, including those from EasyList and AdAway. In vanilla OpenWrt, we’ll have to use wget to retrieve files, and I like to make sure that I can use secure protocols when grabbing text files across the internet.
The scripts 🔗
ssl-in-wget.sh 🔗
To enable using SSL/TLS in wget, make a script called ssl-in-wget.sh with the following:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| #!/bin/sh
# Information from openwrt.org wiki: https://wiki.openwrt.org/doc/howto/wget-ssl-certs
#
# Script written by oct8l (www.oct8l.com)
#
# Script licensed as CC BY-NC-SA 3.0 (https://creativecommons.org/licenses/by-nc-sa/3.0)
# Make the directory for the SSL certs
mkdir -p /etc/ssl/certs
# Set the directory so wget knows where to look
export SSL_CERT_DIR=/etc/ssl/certs
# Reload the shell after the last step
source /etc/profile
#Update packages and install the newest version of wget along with certificates and utilities for SSL
opkg update
opkg install wget
opkg install openssl-util
#opkg install ca-certificates # Uncomment this line if you're running LEDE 17.01.4 or later
#opkg install ca-bundle # Uncomment this line if you're running LEDE 17.01.4 or later
#opkg install libustream-openssl # Uncomment this line if you're running LEDE 17.01.4 or later
echo
echo "--------------------------------"
echo "You can now wget from https URLs"
echo "--------------------------------"
|
From the OpenWrt wiki
Grab from ash with wget oct8l.gitlab.io/scripts/ssl-in-wget.sh
Make sure to check against the checksums at https://oct8l.gitlab.io/scripts/ssl-in-wget.sh_checksum.txt
Notice: Make sure you uncomment the first hashes in lines 19-21 if you’re running LEDE, or firmware version 2.27 or newer on the AR300M
Now you should have most major CA certificates installed and trusted on your router. This includes the certificates used for adaway.org and easylist.to at the time of writing.
Note: You can stop here unless you have an issue with a specific site’s certificate
If you attempt to use wget and get an error about the SSL certificates for a site not being trusted, you can use the script below to manually add a .cer file. If you need to retreive the .cer file, there are instructions at the OpenWrt wiki.
add-cert.sh 🔗
After you have the .cer file, create a script named add-cert.sh with the following:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
| #!/bin/sh
# author: joda
openssl=/usr/bin/openssl
certdir=$SSL_CERT_DIR
if [ ! -f $openssl ]; then
echo "ERROR: Can't find $openssl. openssl-util installed?" >&2
fi
if [[ "$1" = "-f" ]]; then
overwrite=1
shift # remove $1
fi
if [ -f "$1" ]; then
certfile=$1
certname=`basename $certfile`
echo "Certificate $certname"
echo " copy to $certdir"
if [ "1" -ne "$overwrite" ] && [ -f "$certdir/$certname" ]; then
echo >&2
echo "ERROR: certificate $certname exists" >&2
exit 2;
fi
cp "$1" "$certdir/$certname"
# create symbolic link from hash
echo -n " generating hash: "
HASH=`$openssl x509 -hash -noout -in $certfile`
echo "$HASH"
# handle hash collisions
suffix=0
while [ "1" -ne "$overwrite" ] && [ -h "$certdir/$HASH.$suffix" ]; do
let "suffix += 1"
done
echo " linking $HASH.$suffix -> $certname"
if [ $overwrite ]; then
ln -sf "$certname" "$certdir/$HASH.$suffix"
else
ln -s "$certname" "$certdir/$HASH.$suffix"
fi
else
echo >&2
echo "ERROR: file does not exist $1" >&2
echo >&2
echo "This script adds (root) certificates for wget(ssl) to $certdir." >&2
echo "SYNTAX: `basename $0` [Options] [x509-certificate]" >&2
echo >&2
echo "Option: -f force overwriting if certificate exists" >&2
fi
|
From the OpenWrt wiki
Grab from ash with wget https://gitlab.com/oct8l/openwrt-adblock/raw/ed327c55/addcert.sh
Now you should be all set to use SSL inside of wget!
