Automate SSL/TLS certificates for your GL.iNet router with Let's Encrypt!
The enable-acme.sh script enables the Automated Certificate Management Environment (ACME) for GL.iNet routers. It automatically requests a Let's Encrypt certificate for your router's DDNS domain and configures nginx to use it, providing secure HTTPS access to your router's web interface.
Created by Admon for the GL.iNet community.
Community Maintained: Part of the GL.iNet Toolbox project
Independent Project: Not officially affiliated with GL.iNet or Let's Encrypt
- Automatic SSL/TLS Certificates: Requests and installs Let's Encrypt certificates
- Auto-Renewal: Certificates renew automatically via cron job with randomized timing
- DDNS Integration: Works seamlessly with GL.iNet DDNS
- IPv4/IPv6 Dual-Stack: Full support for both IPv4 and IPv6 networks
- Port Reachability Check: Verifies port 80 accessibility via GL.iNet Community Reflector service
- Dual Webserver Support: Configures both nginx (GL.iNet GUI) and uhttpd (LuCI)
- Dynamic Port Detection: Automatically detects uhttpd ports and preserves configuration
- Firewall Management: Intelligent firewall control during certificate issuance and renewal
- Validation Checks: Verifies DDNS and public IP match before proceeding
- Random Renewal Time: Daily renewal checks at random times (Let's Encrypt best practice)
- Optimized Persistence: Smart persistence strategy avoiding firmware upgrade conflicts
- Restore Function: Easy restoration to factory default configuration
- Unattended Mode: Support for automated installations with --force flag
- Modern acme.sh: Uses acme.sh v3.0.7 directly (no UCI dependencies)
| Requirement | Details |
|---|---|
| Router | GL.iNet router with firmware v4.x or later |
| Internet | Working internet connection (IPv4 and/or IPv6) |
| DDNS | DDNS must be enabled and configured |
| IP Match | DDNS IP must match router's public IP (verified by script) |
| Port 80 | Port 80 must be reachable from the internet |
| Webserver | nginx or uhttpd (or both) installed |
Note: VPN IP addresses are not supported. The certificate is issued for the router's public IP.
IPv6 Support: The script automatically detects and uses IPv6 if available alongside IPv4.
Port Check: The script uses GL.iNet Reflector service to verify port 80 accessibility before attempting certificate issuance.
Run the script without cloning the repository:
```sh
wget -O enable-acme.sh https://get.admon.me/acme-update && sh enable-acme.sh
```
Follow the on-screen instructions to complete the ACME setup.
Before installing, you can test if port 80 is reachable from the internet:
```sh
sh enable-acme.sh --reflector
```
This performs a comprehensive connectivity check using the GL.iNet Reflector service.
- Download the script onto the router (or use the Quick Start command above)
- Open an SSH connection to the router
- Navigate to the directory where the script is located
- Execute the script:
```sh
sh enable-acme.sh
```
- Follow the on-screen instructions to complete the ACME process
During installation, you'll be asked if you want to make the installation permanent. If you choose "yes", the certificate files and renewal wrapper script will be preserved during firmware upgrades by adding them to /etc/sysupgrade.conf.
This means:
- Your ACME certificates survive firmware updates
- Renewal wrapper script is preserved
- Webserver configurations are NOT persisted (to avoid conflicts)
- Simply re-run the script after upgrading to reconfigure webservers
Why not persist webserver configs? GL.iNet firmware updates may change nginx/uhttpd configurations. By not persisting them, we avoid potential conflicts. The script quickly reconfigures webservers using your existing certificates after a firmware upgrade.
While certificates renew automatically, you can manually trigger renewal:
```sh
sh enable-acme.sh --renew
```
Or if you installed the script to /usr/bin:
```sh
/usr/bin/enable-acme --renew
```
The enable-acme.sh script supports the following options:
| Option | Description |
|---|---|
| --renew | Manually renew the ACME certificate |
| --restore | Restore webservers to factory default configuration |
| --reflector | Test port 80 reachability via GL.iNet Reflector service |
| --force | Skip all confirmation prompts (for unattended installation) |
| --log | Show timestamps in log messages |
| --ascii | Use ASCII characters instead of emojis |
| --help | Display help message |
Standard Installation:
```sh
sh enable-acme.sh
```
Unattended Installation (no prompts):
```sh
sh enable-acme.sh --force
```
Renew Certificate:
```sh
sh enable-acme.sh --renew
```
Restore to Factory Default:
```sh
sh enable-acme.sh --restore
```
ASCII Mode (for older terminals):
```sh
sh enable-acme.sh --ascii
```
With Timestamps:
```sh
sh enable-acme.sh --log
```
The certificate will be renewed automatically by a cron job installed by the script. The cron job runs at a randomized daily time (following Let's Encrypt best practices to distribute server load).
How it works:
- Cron job triggers at random daily time (between 00:00-23:59)
- Opens firewall port 80 temporarily
- Disables HTTP on webservers (preserving original port configuration)
- Runs acme.sh renewal (only renews if expiring within 60 days)
- Re-enables HTTP on webservers
- Closes firewall port 80
Dual Webserver Support:
- nginx (GL.iNet GUI): Automatically detected and managed on port 80/443
- uhttpd (LuCI): Automatically detected and managed on configured ports (typically 8080/8443)
- Both webservers receive the same certificate
- Port configuration is dynamically detected and preserved
No manual intervention is required; just let it run!
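The renewal sequence above opens port 80 on the WAN side, so the temporary rule has to be removed even when acme.sh fails or the job is interrupted. The script below is an added example, not code from enable-acme.sh: it wraps only the firewall window in a `trap` (the webserver steps are left out), and the rule name, the acme.sh paths and the `DRY_RUN`/`LOG` variables are assumptions.

```shell
#!/bin/sh
# Added example, not code from enable-acme.sh. The rule name, the acme.sh
# paths and the DRY_RUN/LOG switches are assumptions made for illustration.
RULE="acme_http_tmp"                       # hypothetical firewall section name
ACME_CMD="${ACME_CMD:-/usr/lib/acme/acme.sh --cron --home /etc/acme}"  # assumed paths
DRY_RUN="${DRY_RUN:-0}"                    # 1 = log commands instead of running them
LOG="${LOG:-/tmp/acme-window.log}"

# Record every privileged command; execute it unless DRY_RUN=1.
run() {
    echo "$*" >> "$LOG"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Temporary WAN rule that lets the ACME validation reach port 80.
open_port80() {
    run uci set "firewall.$RULE=rule" &&
    run uci set "firewall.$RULE.name=$RULE" &&
    run uci set "firewall.$RULE.src=wan" &&
    run uci set "firewall.$RULE.proto=tcp" &&
    run uci set "firewall.$RULE.dest_port=80" &&
    run uci set "firewall.$RULE.target=ACCEPT" &&
    run uci commit firewall &&
    run /etc/init.d/firewall reload
}

close_port80() {
    run uci -q delete "firewall.$RULE"
    run uci commit firewall
    run /etc/init.d/firewall reload
}

# Open the port, renew, and close the port on every exit path.
renew_with_window() {
    (
        trap close_port80 EXIT            # runs on success, failure and exit
        trap 'exit 130' INT TERM HUP      # turn signals into an exit so EXIT fires
        open_port80 || exit 1
        $ACME_CMD                         # subshell status = renewal status
    )
}

case "${1:-}" in
    --run) renew_with_window ;;
esac
```

Invoke it with `--run`; with `DRY_RUN=1` it only writes the firewall commands to `$LOG`, which makes the open/close ordering easy to audit before it touches a live router.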
To restore the webserver configurations to factory default and remove ACME certificates, use the built-in restore function:
```sh
sh enable-acme.sh --restore
```
This will:
- Restore HTTP access on all webservers (nginx and/or uhttpd)
- Revert to self-signed certificates
- Restore original port configurations (dynamically detected)
- Remove ACME firewall rules
- Remove ACME configuration and certificates
- Remove renewal wrapper script and cron job
- Clean up sysupgrade.conf entries
- Restart all affected webservers
The script uses the GL.iNet Community Reflector service for comprehensive connectivity testing:
Features:
- Port 80 reachability verification
- IPv4 and IPv6 detection
- Detailed diagnostic feedback
Need assistance or have questions?
- Join the discussion on GL.iNet Forum: Community support
- Join GL.iNet Discord: Real-time chat
- Report issues on GitHub: Bug reports and feature requests
- Contact via forum private message: For private inquiries
This script is provided as-is without any warranty. Use it at your own risk.
It may potentially:
- Break your router, computer, or network
- Cause unexpected system behavior
- Even burn down your house (okay, probably not, but you get the idea)
You have been warned!
Always read the documentation carefully and understand what a script does before running it. Ensure you have sufficient permissions to execute the script. The script behavior may vary depending on the router model and firmware version.
This project is licensed under the MIT License; see the LICENSE file for details.
This project is part of a comprehensive collection of tools for GL.iNet routers.
Explore more tools and utilities:
Discover Tailscale Updater, AdGuard Home Updater, and more community-driven projects!
Made with ❤️ by Admon for the GL.iNet Community
If you find this useful, please star the repository!
Last updated: 2026-01-07
Last updated: 2026-05-24