Doc's stupid simple instructions for installing (and maintaining!) a valid cert on a Linux EAP controller
So about 7 months ago I posted instructions for hacking a valid certificate into a Windows EAP controller. Since then, TP-Link has done their customers a huge service by finally releasing the controller software for Linux. After being busy with other projects for a while, I decided it was time for me to jump ship to the Linux controller so I can literally pay half the cost I was paying for my Windows VPS (I'll probably ultimately migrate to an ODROID run locally, but this will do for now). Of course this made me recall my (mis)adventures in certificate land with the Windows controller. That brings me to the topic of today's post,
Stupid simple instructions for installing (and maintaining!) a valid cert on a Linux EAP controller
To start with, I'm going to recommend LetsEncrypt for your certificate needs -- but this should work with any valid cert from a major provider. Please note that if your system lives on an internal network and you can't temporarily forward port 80 to it, you'll have to procure the cert through other means, but these instructions will presume that you can run certbot and let it do its validation thing on port 80 one way or another.
1. Get your cert. Make it into a full chain if it isn't already (i.e. concatenate your cert and any intermediate certs into one file); move (or link) it to the following path/file:
/opt/tplink/EAPController/keystore/fullchain.pem
and move or link the private key to
/opt/tplink/EAPController/keystore/privkey.pem
2. Copy/paste the following shell script into the /opt/tplink/EAPController/keystore path:
[CODE]#!/bin/bash
# Resolve the directory this script lives in (should be the controller's keystore path) and work from there
MYPATH="$(cd "$(dirname "$0")" && pwd)"
DATESTAMP=$(date +"%Y%m%d_%H%M%S")
cd "$MYPATH" || exit 1
[ ! -f fullchain.pem ] && {
echo "Your certificate/chain does not exist in this path! Please copy or link it into the following location and try again:"
echo " $MYPATH/fullchain.pem"
echo ""
echo "Exiting..."
exit 1
}
[ ! -f privkey.pem ] && {
echo "Your private key does not exist in this path! Please copy or link it into the following location and try again:"
echo " $MYPATH/privkey.pem"
echo ""
echo "Exiting..."
exit 1
}
# Pull the CN out of the certificate subject; RFC2253 formatting avoids the "CN = host" spacing newer openssl prints
HOSTNAME=$(openssl x509 -noout -subject -nameopt RFC2253 -in fullchain.pem | grep -oP "CN=\K[^,]*")
# Keep the controller's original keystore once as .ORIG, and every later one under a datestamped name
[ -f eap.keystore ] && {
echo "Existing keystore found..."
[ ! -f eap.keystore.ORIG ] && {
echo "No .ORIG backup found, making backup..."
cp "eap.keystore" "eap.keystore.ORIG"
}
echo "Moving current keystore to \"eap.keystore.$DATESTAMP\"..."
mv "eap.keystore" "eap.keystore.$DATESTAMP"
}
echo "Packing fullchain.pem and privkey.pem into temporary PKCS#12 keystore..."
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -name eap -out keystore.p12 -password pass:myeapc
echo "Importing temporary PKCS#12 keystore into final JKS keystore..."
# The controller expects store and key password "tplink"; stdout is discarded and keytool's stderr is shown minus its JKS-format warning
keytool -storetype jks -importkeystore -destkeypass tplink -deststorepass tplink -destkeystore eap.keystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass myeapc 2>&1 >/dev/null | grep -Ev "Warning|proprietary"
echo "Removing temporary keystore..."
rm -f keystore.p12
# Restart the controller so it picks up the new keystore
tpeap stop
tpeap start
echo "Done! You should now be able to log into your controller via https://${HOSTNAME}:8043/"
echo ""
[/CODE]
3. Save and exit, then make your script executable ( chmod +x scriptname )
4. Run the script! It will do the dirty work of backing up your existing keystore (using a date-based extension), packing the regular .pem certificate and key into a PKCS#12 keystore (so the java keytool can understand it), and importing the PKCS#12 keystore into the JKS keystore that the controller software requires!
If you have LetsEncrypt's certbot installed and can at least temporarily open up port 80 for it to do its validation thing, you can use it to obtain/renew your certificate, and link the fullchain.pem and privkey.pem files from certbot's certificate path (e.g. /etc/letsencrypt/live/example.com/) into the controller's keystore path. Then once you've obtained the cert via certbot, renewals are simply a matter of running certbot (e.g. certbot renew though you might need additional parameters depending on your configuration) and then running the script I provided!
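The renewal step above can be automated instead of run by hand: certbot runs a deploy hook after each successful renewal with RENEWED_LINEAGE set to the lineage's live directory. The hook below is an added example, not part of the original post or of TP-Link's software; it assumes the step 2 script was saved as import-cert.sh in the keystore path, and it refuses to deploy when the renewed fullchain.pem and privkey.pem do not belong together or the certificate is already about to expire, so a bad pair never gets packed into the controller's keystore.

```shell
#!/bin/bash
# certbot deploy hook (example): invoked with RENEWED_LINEAGE pointing at
# /etc/letsencrypt/live/<domain>. KEYSTORE_DIR and IMPORT_SCRIPT are assumptions.
KEYSTORE_DIR="${KEYSTORE_DIR:-/opt/tplink/EAPController/keystore}"
IMPORT_SCRIPT="${IMPORT_SCRIPT:-$KEYSTORE_DIR/import-cert.sh}"

# Return 0 only if the certificate's public key is the one derived from the private key.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate will still be valid in N days (openssl -checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Validate the renewed pair, link it into the keystore path, then run the import script.
deploy_renewed_cert() {
    lineage="$1"
    cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem" || {
        echo "fullchain.pem and privkey.pem in $lineage do not match; not deploying" >&2
        return 1
    }
    cert_valid_for_days "$lineage/fullchain.pem" 1 || {
        echo "renewed certificate is expired or expiring within a day; not deploying" >&2
        return 1
    }
    ln -sf "$lineage/fullchain.pem" "$KEYSTORE_DIR/fullchain.pem"
    ln -sf "$lineage/privkey.pem" "$KEYSTORE_DIR/privkey.pem"
    "$IMPORT_SCRIPT"
}

# Only act when certbot invoked us as a hook; sourcing the file for testing skips this.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_renewed_cert "$RENEWED_LINEAGE"
fi
```

Register it with certbot renew --deploy-hook /path/to/this-script.sh, or drop it into /etc/letsencrypt/renewal-hooks/deploy/ so every renewal runs it.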
If you have any questions or issues, please post here and I'll try to help as best I can :)