Omada OC200 API SSL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-05-07 16:15:00 - last edited 2023-05-07 16:40:21
Tags: #API
Model: OC200  
Hardware Version: V5
Firmware Version: 5.7.6

Hi,
I have a Raspberry Pi that is set up as a DNS server. It has an A record (omada.local) for the Omada Controller IP 192.168.0.4.

I generated an SSL certificate and keys using these commands. Can't paste due to sensitive language regulation.



Omada Controller accepts either PEM, JKS or PFX file format for the SSL Cert and SSL Key.

I just renamed the above server.key to server.key.pem and server.csr to server.csr.pem since they are in the PEM format already.

Another way to rename them is using the openssl command: openssl rsa -in server.key -out server.key.pem


I am trying to connect to the API using SSL locally on my network. I have a Python script that tries to connect to the controller.
The issue I am facing is that SSL is not working and it is throwing out warnings.


InsecureRequestWarning: Unverified HTTPS request is being made to host 'omada.local'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings

I understand that it is a self-signed certificate, not essentially since I created a root authority too but yeah it is not recognized. I have been at it for a couple of hours, trying to get it to work properly but it is being a pain. No idea what I am missing.

This is the Omada Controller setup



This is part of the script






I am using the Omada API Wrapper in Python which is this
https://github.com/ghaberek/omada-api

I am able to connect and get site info and clients info. It's just that the warnings are annoying. I can disable the warnings too but I really want SSL to work fine.

Please help and reply if you find anything that I am doing wrong.

Many thanks

Re:Omada OC200 API SSL
2023-05-08 03:03:39

  @farhan-tariq 

 

I am pretty sure you are asking for the impossible. Certificates are to verify the owner of a public IP from the internet, not a private IP. With the Omada router's NAT-loopback function it is possible to resolve your.public.ip.address port XX to your.domain port XX and have the router port map that to 192.168.0.4...and then this will work. However, you will never get a working certificate setup for a 192.168.x.x address.

<< Paying it forward, one juicy problem at a time... >>
Re:Omada OC200 API SSL
2023-05-09 15:43:53

  @d0ugmac1 

Thanks for your reply. I was under the assumption that servers and clients under a private network essentially use SSL regardless I think.

Re:Omada OC200 API SSL
2023-05-09 15:53:49
They can, but it would be a self-signed certificate for the local domain, I don't think you can have a trust chain established to a private IP by public cert orgs. So you could go the self sign route and then distribute a cert into all your clients' root stores so they will accept the ss cert as valid. That said, I think getting a public cert for your WAN IP, and using the NAT-loopback feature of the router would be easiest though. I do this with my NAS and Let's Encrypt and it works both internally and externally.
<< Paying it forward, one juicy problem at a time... >>
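
The self-sign route mentioned in the last reply, as an added example that is not part of the original thread or written by any of its posters: a private root CA signs a server certificate carrying omada.local and 192.168.0.4 (both from the first post) in subjectAltName, and the result is checked the way a TLS client would check it. The file names, the CA subject and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Constructed example: private root CA plus a server certificate for the
# controller's local name and address (omada.local / 192.168.0.4, from the post).
# All file names and the CA subject are assumptions made for this example.

make_pki() {                     # $1 = existing output directory
  d=$1
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Home Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. Root CA key and self-signed CA certificate (the trust anchor for clients).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
    -keyout "$d/ca.key.pem" -out "$d/ca.cert.pem" 2>/dev/null || return 1
  # 2. Server key and CSR. The CSR is only a signing request, not a certificate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=omada.local" \
    -keyout "$d/server.key.pem" -out "$d/server.csr.pem" 2>/dev/null || return 1
  # 3. The names a client checks go in subjectAltName; CN alone is not enough
  #    for modern TLS clients.
  printf 'subjectAltName=DNS:omada.local,IP:192.168.0.4\n' > "$d/san.ext"
  # 4. The CA signs the CSR, producing the certificate the server presents.
  openssl x509 -req -in "$d/server.csr.pem" -days 365 -sha256 \
    -CA "$d/ca.cert.pem" -CAkey "$d/ca.key.pem" -CAcreateserial \
    -extfile "$d/san.ext" -out "$d/server.cert.pem" 2>/dev/null
}

# Succeeds only if $2 chains to trust anchor $1 AND is valid for DNS name $3.
check_host() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

# Same check for an IP address listed in subjectAltName.
check_ip() {
  openssl verify -CAfile "$1" -verify_ip "$3" "$2" 2>/dev/null | grep -q ': OK$'
}
```

After `make_pki` has run, server.cert.pem and server.key.pem are the pair the server presents, and ca.cert.pem is what each client has to trust; a Python `requests` client can be pointed at it with the `verify=` argument or the `REQUESTS_CA_BUNDLE` environment variable.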