Hacking a valid cert into the EAP controller software

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Re:Hacking a valid cert into the EAP controller software
2018-01-26 04:47:08
Hi All,
I realise this is an old thread but it is the only one I can find on the topic on replacing the SSL Cert.

I am having the java.security.UnrecoverableKeyException: Cannot recover key error. I have tried importing it using the GUI. This is on an ubuntu based controller.

This is what I have done:

./certbot-auto certonly --standalone --preferred-challenges http -d mydomain.net

openssl pkcs12 -export -inkey /etc/letsencrypt/live/mydomain.net/privkey.pem -in /etc/letsencrypt/live/mydomain.net/cert.pem -certfile /etc/letsencrypt/live/mydomain.net/chain.pem -name eap -out mydomain.p12

delete the existing keystore

keytool -importkeystore -deststorepass tplink -destkeystore /path/to/keystore/eap.keystore -srckeystore mydomain.p12 -srcstoretype PKCS12

tpeap stop
tpeap start

Is there anything obvious. I can't believe nearly a year on this still isn't easy

Thanks
0
0
#12
Options
Re:Hacking a valid cert into the EAP controller software
2018-01-26 05:05:22
OK... for others following this thread. I have just worked it out.

The password you set in step 5, *must* be tplink.

openssl pkcs12 -export -in MYSITE.crt -inkey [I]MYSITE.key -name eap -out [I]MYSITE.p12[/I][/I]
[I][I]it is important that the "name" parameter is "eap"![/I][/I]
[*][I][I]use an easy-to-remember password, you'll need it a few steps later (then it will be irrelevant)[/I][/I]
0
0
#13
Options
Re:Hacking a valid cert into the EAP controller software
2020-02-03 15:44:16 - last edited 2020-02-03 16:21:23

I just successfully used an LE cert on my controller. Here is what I did.

 

First I created a script that stops the controller, builds a new keystore and then starts the server. You can get the script here:

https://pastebin.com/raw/U1zYQGHe

 

Then I generate the new cert using acme.sh (https://acme.sh) and reference my script (reloadEAP.sh) similar to this:

./acme.sh --issue --dns dns_cf -d eap.example.com --reloadcmd /root/.acme.sh/reloadEAP.sh

 

If you want acme.sh to setup a cron job to automatically renew the cert and automatically inject it into the EAP controller just run this command:

./acme.sh --install

 

Obviously you will need to alter the paths in the script and find the right command line options for generating a cert with acme.sh for your environment. You don't have to use acme.sh, my relaodEAP.sh script could be adapted to work with any cert you want. I'm mostly using the steps I found in this thread only I added the password to the command lines so it can be run without user interaction.

 

Hope this helps someone.

1
1
#14
Options
Re:Hacking a valid cert into the EAP controller software
2020-02-03 16:12:19

See this recipe for an easy way to permanently install an own SSL certificate in Omada Controller:

https://community.tp-link.com/en/business/forum/topic/150083

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
0
#15
Options
Re:Hacking a valid cert into the EAP controller software
2020-02-03 16:19:01

@R1D2 

 

That works too if you want to renew by hand.

0
0
#16
Options
Re:Hacking a valid cert into the EAP controller software
2020-08-09 20:07:51
This worked for me!
Working at Stampede, trying to rid the world of poor captive portals https://stampede.ai
0
0
#17
Options