Allowing SSL in wget on OpenWrt/LEDE

Posted April 4, 2018

Last updated March 6, 2019 | 9a69d23


Why?

For the post regarding blocking ads in OpenWrt, I had to figure out how to add some extra blocklists, including those from EasyList and AdAway. In vanilla OpenWrt, we’ll have to use wget to retrieve files, and I like to make sure that I can use secure protocols when grabbing text files across the internet.

The scripts

ssl-in-wget.sh

To enable using SSL/TLS in wget, make a script called ssl-in-wget.sh with the following:

#!/bin/sh

# Information from openwrt.org wiki: https://wiki.openwrt.org/doc/howto/wget-ssl-certs
#
# Script written by oct8l (www.oct8l.com)
#
# Script licensed as CC BY-NC-SA 3.0 (https://creativecommons.org/licenses/by-nc-sa/3.0)

# Make the directory for the SSL certs
mkdir -p /etc/ssl/certs
# Set the directory so wget knows where to look (this applies to the current shell process only)
export SSL_CERT_DIR=/etc/ssl/certs
# Re-read /etc/profile after the last step
source /etc/profile
# Update packages and install the newest version of wget along with certificates and utilities for SSL
opkg update
opkg install wget
opkg install openssl-util
#opkg install ca-certificates # Uncomment this line if you're running LEDE 17.01.4 or later
#opkg install ca-bundle # Uncomment this line if you're running LEDE 17.01.4 or later
#opkg install libustream-openssl # Uncomment this line if you're running LEDE 17.01.4 or later
echo
echo "--------------------------------"
echo "You can now wget from https URLs"
echo "--------------------------------"

From the OpenWrt wiki

Grab from ash with wget oct8l.gitlab.io/scripts/ssl-in-wget.sh
Make sure to check against the checksums at https://oct8l.gitlab.io/scripts/ssl-in-wget.sh_checksum.txt
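
The checksum comparison mentioned above, as an added example that is not part of the original post. The script URL above has no https:// scheme and is fetched before wget's SSL support is set up, so comparing against a digest obtained over HTTPS on another machine is the integrity check for this download. It assumes the checksum file lists SHA-256 digests in sha256sum's "digest  filename" layout (the post does not state the algorithm or layout) and that sha256sum is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the post author's code.
# Assumption: the checksum file uses sha256sum's "<hex digest>  <filename>" lines.

# expected_digest CHECKSUM_FILE NAME -> prints the digest listed for NAME (if any)
expected_digest() {
  # Accept both "digest  name" and "digest *name" (binary-mode marker)
  awk -v n="$2" '{ f = $2; sub(/^\*/, "", f)
                   if (f == n) { print tolower($1); exit } }' "$1"
}

# verify_download FILE CHECKSUM_FILE
# returns 0 on match, 1 on mismatch, 2 if no usable digest could be found
verify_download() {
  file=$1
  sums=$2
  [ -f "$file" ] && [ -f "$sums" ] || { echo "missing input file" >&2; return 2; }

  want=$(expected_digest "$sums" "$(basename "$file")")
  # Reject an empty or non-hex entry instead of comparing against garbage
  case $want in
    *[!0-9a-f]*|"") echo "no usable digest for $file" >&2; return 2 ;;
  esac
  # A SHA-256 digest is exactly 64 hex characters
  [ "${#want}" -eq 64 ] || { echo "digest has wrong length" >&2; return 2; }

  got=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$got" != "$want" ]; then
    echo "MISMATCH for $file: do not run it" >&2
    return 1
  fi
  echo "OK $file"
}

# Usage on the router, with the checksum file copied over from a machine
# that fetched it via HTTPS:
#   verify_download ssl-in-wget.sh ssl-in-wget.sh_checksum.txt && sh ssl-in-wget.sh
```
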

  Notice: If you’re running LEDE, or firmware version 2.27 or newer on the AR300M, make sure you uncomment lines 19-21 of the script by removing the first # on each of those lines

Now you should have most major CA certificates installed and trusted on your router. This includes the certificates used for adaway.org and easylist.to at the time of writing.

 Note: You can stop here unless you have an issue with a specific site’s certificate

If you attempt to use wget and get an error about a site’s SSL certificate not being trusted, you can use the script below to manually add a .cer file. If you need to retrieve the .cer file, there are instructions at the OpenWrt wiki.

add-cert.sh

After you have the .cer file, create a script named add-cert.sh with the following:

#!/bin/sh
# author: joda
openssl=/usr/bin/openssl
# Fall back to the directory created by ssl-in-wget.sh if SSL_CERT_DIR is not set
certdir=${SSL_CERT_DIR:-/etc/ssl/certs}
# Default to not overwriting, so the numeric tests below always get a number
overwrite=0
if [ ! -f "$openssl" ]; then
  echo "ERROR: Can't find $openssl. openssl-util installed?" >&2
  exit 1
fi
if [ "$1" = "-f" ]; then
  overwrite=1
  shift # remove $1
fi

if [ -f "$1" ]; then
  certfile=$1
  certname=$(basename "$certfile")
  echo "Certificate $certname"
  echo "  copy to $certdir"
  # refuse to replace an existing certificate unless -f was given
  if [ "$overwrite" -ne 1 ] && [ -f "$certdir/$certname" ]; then
    echo >&2
    echo "ERROR: certificate $certname exists" >&2
    exit 2
  fi
  cp "$certfile" "$certdir/$certname"

  # create symbolic link from hash
  printf "  generating hash: "
  HASH=$("$openssl" x509 -hash -noout -in "$certfile")
  echo "$HASH"
  # stop if openssl could not parse the file, rather than linking an empty hash
  if [ -z "$HASH" ]; then
    echo "ERROR: could not hash $certfile (not a valid x509 certificate?)" >&2
    exit 3
  fi

  # handle hash collisions: pick the first unused numeric suffix
  suffix=0
  while [ "$overwrite" -ne 1 ] && [ -h "$certdir/$HASH.$suffix" ]; do
    suffix=$((suffix + 1))
  done
  echo "  linking $HASH.$suffix -> $certname"
  if [ "$overwrite" -eq 1 ]; then
    ln -sf "$certname" "$certdir/$HASH.$suffix"
  else
    ln -s "$certname" "$certdir/$HASH.$suffix"
  fi
else
  echo >&2
  echo "ERROR: file does not exist $1" >&2
  echo >&2
  echo "This script adds (root) certificates for wget(ssl) to $certdir." >&2
  echo "SYNTAX: $(basename "$0") [Options] [x509-certificate]" >&2
  echo >&2
  echo "Option: -f      force overwriting if certificate exists" >&2
  exit 1
fi

From the OpenWrt wiki

Grab from ash with wget https://gitlab.com/oct8l/openwrt-adblock/raw/ed327c55/addcert.sh

Now you should be all set to use SSL inside of wget!