Omada v4.1.5 SSL issue
Hello All,
I installed Omada v4.1.5 and everything was working fine BUT after apply our CA SSL, I can't access the web-interface and getting this message:
This site can’t provide a secure connectionlocalhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
So, How can I revert back to the localhost SSL ?
Also, what is the best practics to apply a custom SSL ?
Thanks
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Dear all,
The soulation as follow:
first of all Omada ONLY supports JKS certificate files and no more files supported. So, If you upload a wrong certificate through the web interface, the web interface won't be lunched or working as I received an error message. to fix it you have to go the Omada directory C:\Users\YOURNAME\Omada Controller\data\cer then you will find a file called jetty.jks delete this file a creat a new JKS certificate through KeyStore Explorer Software
KeyStore Explorer Software:
1- file > New - JKS
2- tools > Generate key pair - RSA 4,096 - edit name - write down all information needed CN=(omada's FQDN)
3- enter password for that key pair
4- tools > import trusted certificate - you have to add the p12 file created by your CA
note: windows CA creats PFX file, just rename the extention to .p12
5- file > save as - save it as a JKS file and enter the same password for the key pair
6- lunch Omada and make sure that you delete the jetty.jks file.
7- login to Omada comtroller then setting > Controller - then upload the JKS certificate we made and put the password then everything will be fine
Thanks and hope that it's clear for everyone
- Copy Link
- Report Inappropriate Content
it's solved by myself. Thanks you
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Dear all,
The soulation as follow:
first of all Omada ONLY supports JKS certificate files and no more files supported. So, If you upload a wrong certificate through the web interface, the web interface won't be lunched or working as I received an error message. to fix it you have to go the Omada directory C:\Users\YOURNAME\Omada Controller\data\cer then you will find a file called jetty.jks delete this file a creat a new JKS certificate through KeyStore Explorer Software
KeyStore Explorer Software:
1- file > New - JKS
2- tools > Generate key pair - RSA 4,096 - edit name - write down all information needed CN=(omada's FQDN)
3- enter password for that key pair
4- tools > import trusted certificate - you have to add the p12 file created by your CA
note: windows CA creats PFX file, just rename the extention to .p12
5- file > save as - save it as a JKS file and enter the same password for the key pair
6- lunch Omada and make sure that you delete the jetty.jks file.
7- login to Omada comtroller then setting > Controller - then upload the JKS certificate we made and put the password then everything will be fine
Thanks and hope that it's clear for everyone
- Copy Link
- Report Inappropriate Content
@mohkhalifa, note that the proprietary JKS format is deprecated. You can use PKCS12 format directly.
See this post how to import a certificate in PKCS12 format in Omada Controller. Albeit the post explains the steps necessary under Linux, you can apply them to Windows, too, if you have openssl and the JDK's keytool utility. Probably the web UI of SDN Controller also accepts PKCS12 format, didn't test this (yet).
- Copy Link
- Report Inappropriate Content
Dear @R1D2,
Please note while I'm try to upload any other format, I'm receving a message that "only JKS files are suppported". Also, Please don't forget that Omada v4.1.5 based on Java enviroment and not like old Omada.
I prefered my method and it's much easier than that article. KeyStore Explorer doing everything without keystore tool or openssl.
- Copy Link
- Report Inappropriate Content
Hi mohkhalifa,
yes, as I wrote I didn't try uploading the cert through the web UI, but I checked: it indeed accepts only JKS format, which is bad.
Why is it bad? Because JKS certificates are based on an old, proprietary format (outdated since 2014), that is not easily extensible to new cryptographic algorithms. Old ones will still be supported in the future by the JDKs, but new cryptographic algorithms might not be supported at all, so the conversion of SSL certs to PKCS12 is just a matter of time when new cryptographic algorithms are used for the certs.
Anyway, the method to install a PKCS12 cert by manually copying it to the keystore still works fine with SDN Controller.
So, Omada SDN Controller does indeed accept PKCS12, which is no surprise because PKCS12 is supported by any JDK since JDK 8 released in 2014. It's just the SDN Controller's web UI which does not allow uploading PKCS12. I consider this a bug.
I prefer the openssl method b/c of several reasons, the most important one is that for certificates signed by a public or a private CA I have to generate a CSR using openssl anyway. So I convert the resulting certs into other formats also with openssl.
For systems in my LAN I do not buy certificates, but use self-signed certificates under my own Certificate Authority. By using a wildcard certificate with a subnet IP as SAN I can create and sign a single certificate for all local hostnames as well as for all local IPs of devices in my LAN, be it a router, a switch, a server or a service. And I just have to install the RootCA cert in a bowser's keychain once, not dozens of individual certificates for each host/service. Pretty easy.
But you are absolutely right that any certificate manager can be used for those who prefer a graphical UI. I fully agree with you in this point.
I just wanted to point out that using JKS format is deprecated for 6 years now and since you had to create a PKCS12 anyway with Keystore Explorer, you could have even saved one step in the conversion process. There is nothing wrong to use this fine software to convert and manage certs. See http://openjdk.java.net/jeps/229.
The only difference to use the PKCS12 format would be to not use the web UI for uploading, but to copy the file to the Omada SDN Controller home directory resp. the keystore in it, at least until this bug in the web UI of accepting only JKS format will have been fixed by TP-Link.
For OC200 HW Controller, unfortunately this is no option.
Installing the certificate in PKCS12 format manually into the keystore is just a matter of seconds. Creating the certificate can still be done in any way one likes.
- Copy Link
- Report Inappropriate Content
@R1D2 which means both methods are correct.
At the end I hope this discussion is helpful for others :)
- Copy Link
- Report Inappropriate Content
mohkhalifa, Thank you for sharing this. And I've learned much from this discussion today.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 4298
Replies: 8
Voters 0
No one has voted for it yet.