OC200 System Settings -> HTTPS Certificate Renew?
I have SSL Certificate & Key succesfully installed and working for accessing the controller UI. The certificate expires every so often and needs renewing and currently I have to do this manually via an Import in the UI. For every other device/server on my network I've got certificate renewal automated (crontab/ansible/whatever....), but not for this OC200. I searched the v2 and Open API docs and can't find anything to enable me to do this, is it possible in any way?
Thanks for any help.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@gwbuk I use a Caddy v2 reverse proxy. But it does require a server (I use a Ubuntu VM) that is open to the internet (TCP port 443) and a host name. But everything is automated. I was even able to limit traffic to my Controller to only my LAN.
There are certainly hoops to jump through though if you only want it on your LAN. You would also need a local DNS server. (but if you don't care if it is open to the public internet then you don't need a local DNS)
What I did was set my public DNS to resolve my URL to my office public IP address (let's say 34.35.36.37)
I set up my Omada Controller on my LAN (let's say 192.168.1.3)
Than I set up my internal DNS to resolve that same URL to the local IP Address of the Caddy server (let's say 192.168.1.10). This way my internal PC's will resolve to the LAN IP address of the Caddy server.
I set up port forwarding to forward port 443 to my Caddy server. This is simply to get the cert.
My Caddy server will go out and get a cert automatically for my URL.
I configured my Caddy server to reverse proxy my Omada Controller's IP address (192.168.1.3:8088). I also configured it to deny any traffic originating from outside my LAN. And, yes, you reverse proxy the controllers http address, not https. Caddy will encrypt the traffice to https.
Like I said, it is a bit of a pain to set up (although, not really that hard, I did it in 10 minutes). If it is something you want to explore, I can share my Caddyfile with you which defines the reverse proxy and sets up access logs.
But in the end, I have certs that auto renew, and I have been using Caddy for years now.
- Copy Link
- Report Inappropriate Content
Similar to above, I reverse proxy via my NAS which is set up with a Let'sEncrypt auto-renew cycle.
Just another reason to toast the OC200 and roll your own PI-based controller...then you can run certbot locally, fix the network time issues for portal tokens and the decrepit router support for DDNS, and also add in PiHole, Wireguard as functional containers--maybe Caddy now?. I'm now working on adding UPS-shutdown to my Pi-troller to help prevent corruption during power outages.
- Copy Link
- Report Inappropriate Content
@dougmac1
Thanks for the replies. It was, as I feared, a vain request. I hoped to keep the number of moving parts down, but that may not be possible.
One of the reasons for the request was that I have a periodic service running that queries the controller API for active clients and updates my separate local DNS server with the clients' addresses. I only run the DNS server because Omada doesn't do local DNS; now it looks like I'll need Caddy or similar too. It's starting to defeat the attraction of a supposedly Software Defined Network when key components lie outside the purview of the controller.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 697
Replies: 3
Voters 0
No one has voted for it yet.