Push certificates to controller?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Push certificates to controller?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Push certificates to controller?
Push certificates to controller?
2022-12-23 03:06:21
Tags: #Controller #certificate
Model: OC300  
Hardware Version: V1
Firmware Version: 5.7.6

Is there any way to upload new certs to the controller? ie. Not using the gui?

 

I have an opnsense firewall that's auto-renewing a wildcard cert.

It comes with automations ability eg. When it renews, it the automatically uploads the cert to my synology nas.

I'd like to do the same with the controller

 

Looking on opnsense, I can see .cer, .key and .csr files. I'm guessing I can do some magic with openssl to convert the .cer to a .pem ??

 

Automations available uploading via sftp or running a remote command via ssh.

 

Thoughts?

  0      
  0      
#1
Options
8 Reply
Re:Push certificates to controller?
2023-02-27 05:49:50 - last edited 2023-02-27 05:50:02

I am looking for the exact same solution. Returning to the gui to re-upload a cert periodically is not desirable when there are plenty of good ways to automate certificate creation.

 

I've poked around a little at the UI to see if it would be feasible via wget automation, but the login flow appears to be somewhat complex.

  0  
  0  
#2
Options
Re:Push certificates to controller?
2023-02-27 14:31:27

  @peterdeg @ragejage 

 

The Omada API would be the way to go.  You'll need to modify one of the many scripts available on the internet for this specific case, but it shouldn't be that difficult.  I know there's a Python script out there (google it) and you can run that on your Synology if the router doesn't support.  I can help with some of the API commands if they aren't fully documented yet.  I'm interested as I have a similar setup...except my Synology is doing all the magic cert renewals.

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#3
Options
Re:Push certificates to controller?
2023-02-27 17:28:07

  @d0ugmac1 

 

I got some API commands working and uploaded a new cert in a debug environment last night. I just need to clean up my script and get it pushed back to github.

 

I'll share it as soon as I can.

  1  
  1  
#4
Options
Re:Push certificates to controller?
2023-02-27 18:26:05 - last edited 2023-02-27 18:26:25

  @ragejage 

 
 
It will be a very kind deed on your part, for our community. Thank you
  0  
  0  
#5
Options
Re:Push certificates to controller?
2023-03-01 06:10:29

  @peterdeg 

 

I got this working locally to upload PEM cert/privkey from Let's Encrypt: https://github.com/jsestrich/omada-api/blob/main/upload_cert.py

 

You'll need to setup an omada.cfg file (see the Settings file in the README https://github.com/jsestrich/omada-api#settings).

  0  
  0  
#6
Options
Re:Push certificates to controller?
2023-03-01 09:51:29

I am using certbot on my omada server. I have created a deploy renewal-hooks script which replaces the Omada keystore and certificate after renewing the certificate. A new keystore needs to be created with the correct password defined in the omada config file. After replacing the keystore the Omada controller needs to be restarted. This has worked for me for almost a year now.

 

Hope this helps.

 

---

#!/bin/bash
umask 027

CERT=$RENEWED_LINEAGE/cert.pem
KEY=$RENEWED_LINEAGE/privkey.pem
CHAIN=$RENEWED_LINEAGE/fullchain.pem
BUNDLE=/tmp/omada.p12
KEYSTORE=/tmp/omada.keystore

PASSWORD=tplink

# Create a PKCS12 bundle
/usr/bin/openssl pkcs12 -export -in $CERT -inkey $KEY -CAfile $CHAIN -out $BUNDLE -caname root -name eap -chain -passout pass:$PASSWORD

# Create a new keystore with the PKCS12 bundle
/usr/bin/keytool -importkeystore -storetype PKCS12 -srcstoretype PKCS12 -srckeystore $BUNDLE -srcstorepass $PASSWORD -destkeystore $KEYSTORE -destkeypass $PASSWORD -deststorepass $PASSWORD

# remove the PKCS12 bundle
rm $BUNDLE

# deploy the new keystore
mv $KEYSTORE /opt/tplink/EAPController/data/keystore/eap.keystore
cp $CERT /opt/tplink/EAPController/data/keystore/eap.cer

# Restart the controller
/usr/bin/systemctl restart omada
  2  
  2  
#10
Options
Re:Push certificates to controller?
2023-03-24 04:28:49

  @ragejage 

 

Quick update: I have fixed up the code to handle PEM, PFX and JKS files (all the current options in the UI). I have a pull request open to push the code back to the original author's repo, but my local repo will work in the meantime.

 

I successfully have the upload program connected to my certbot renewal hooks and have it updating regularly.

  0  
  0  
#11
Options
Re:Push certificates to controller?
2023-03-26 10:30:54

  @peterdeg 

For me on OPNsense:

I created a cert for 10 years, imported on controller.

Done, well at least for now it seems....

  0  
  0  
#12
Options