Automating Let's Encrypt Certs for DD-WRT with 17 Jan, 2021 Automating Let's Encrypt Certs for DD-WRT with

Following up on previous notes on setting up Let’s Encrypt for private networks and SSL for DD-WRT routers, here’s notes on automating renewal of Let’s Encrypt certificates using

I use Hurricane Electric’s free DNS service for delegating DNS management for the the private subdomains – DNS resolution is handled externally, but certificates are provisioned on the private network. You can find other free DNS providers on the Let’s Encrypt community page.

If you don’t want to make your private subdomain public, you can create a dummy.domain.ext, for example, and fetch wildcard certificates instead. If you are willing to open port 53 on your router and port forward, here’s another alternative. Open to more suggestions, please post them in the comments.

Setup Instructions

  • Prerequistites are a DD-WRT router with exeternal USB storage support. My notes on the setup are here and here.
  • First, delegate your subdomain’s public DNS resolution to by setting up NS records for subdomain.domain.ext to point to ns[1-5], then add the subdomain to via ‘Add a new domain’ page on the ‘Zone Functions’ menu.
  • Then, download, give it execute permissions: chmod +x ./
  • Next, run the following by adjusting the variables as appropriate.
export HE_Username=""
export HE_Password=""

./ --install  \
--home /jffs/etc/ \
--config-home /jffs/etc/ \
--cert-home  /jffs/etc/ \
--accountemail  "email@domain.ext" \
--useragent  "DD-WRT" --force
  • Then copy the corresponding dns_<provider>.sh from to /jffs/etc/
  • Test issuing a new cert: # /jffs/etc/ --issue --dns dns_he -d subdomain.domain.ext --config-home /jffs/etc/ 2>&1 >> /jffs/etc/ --staging --force
  • Revoke the test cert # /jffs/etc/ --revoke -d subdomain.domain.ext --revoke-reason 4 --config-home /jffs/etc/ --staging
  • Issue a production certificate by running the issue command above without --staging option.
  • Setup cron. Remember to prefix the cron command with root as pointed out here.
# Every day at 3 AM:*_*_*
0 3 * * * root /jffs/etc/ --renew --dns dns_he -d subdomain.domain.ext --config-home /jffs/etc/ >> /jffs/etc/ # --staging --force


Tags  ·   DD-WRT  ·   LetsEncrypt  ·   Certificate  ·  ·   Show Comments ▾

Original design for Tumblr crafted by Prashanth Kamalakanthan.
Adapted for Tumblr & Jekyll by Sai Charan. Customized theme available on Github.

Sai Charan's blog by Sai Charan is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
Creative Commons License