Push certificates to controller?
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Is there any way to upload new certs to the controller? ie. Not using the gui?
I have an opnsense firewall that's auto-renewing a wildcard cert.
It comes with automations ability eg. When it renews, it the automatically uploads the cert to my synology nas.
I'd like to do the same with the controller
Looking on opnsense, I can see .cer, .key and .csr files. I'm guessing I can do some magic with openssl to convert the .cer to a .pem ??
Automations available uploading via sftp or running a remote command via ssh.
Thoughts?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I am looking for the exact same solution. Returning to the gui to re-upload a cert periodically is not desirable when there are plenty of good ways to automate certificate creation.
I've poked around a little at the UI to see if it would be feasible via wget automation, but the login flow appears to be somewhat complex.
- Copy Link
- Report Inappropriate Content
The Omada API would be the way to go. You'll need to modify one of the many scripts available on the internet for this specific case, but it shouldn't be that difficult. I know there's a Python script out there (google it) and you can run that on your Synology if the router doesn't support. I can help with some of the API commands if they aren't fully documented yet. I'm interested as I have a similar setup...except my Synology is doing all the magic cert renewals.
- Copy Link
- Report Inappropriate Content
I got some API commands working and uploaded a new cert in a debug environment last night. I just need to clean up my script and get it pushed back to github.
I'll share it as soon as I can.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
I got this working locally to upload PEM cert/privkey from Let's Encrypt: https://github.com/jsestrich/omada-api/blob/main/upload_cert.py
You'll need to setup an omada.cfg file (see the Settings file in the README https://github.com/jsestrich/omada-api#settings).
- Copy Link
- Report Inappropriate Content
I am using certbot on my omada server. I have created a deploy renewal-hooks script which replaces the Omada keystore and certificate after renewing the certificate. A new keystore needs to be created with the correct password defined in the omada config file. After replacing the keystore the Omada controller needs to be restarted. This has worked for me for almost a year now.
Hope this helps.
---
#!/bin/bash umask 027 CERT=$RENEWED_LINEAGE/cert.pem KEY=$RENEWED_LINEAGE/privkey.pem CHAIN=$RENEWED_LINEAGE/fullchain.pem BUNDLE=/tmp/omada.p12 KEYSTORE=/tmp/omada.keystore PASSWORD=tplink # Create a PKCS12 bundle /usr/bin/openssl pkcs12 -export -in $CERT -inkey $KEY -CAfile $CHAIN -out $BUNDLE -caname root -name eap -chain -passout pass:$PASSWORD # Create a new keystore with the PKCS12 bundle /usr/bin/keytool -importkeystore -storetype PKCS12 -srcstoretype PKCS12 -srckeystore $BUNDLE -srcstorepass $PASSWORD -destkeystore $KEYSTORE -destkeypass $PASSWORD -deststorepass $PASSWORD # remove the PKCS12 bundle rm $BUNDLE # deploy the new keystore mv $KEYSTORE /opt/tplink/EAPController/data/keystore/eap.keystore cp $CERT /opt/tplink/EAPController/data/keystore/eap.cer # Restart the controller /usr/bin/systemctl restart omada
- Copy Link
- Report Inappropriate Content
Quick update: I have fixed up the code to handle PEM, PFX and JKS files (all the current options in the UI). I have a pull request open to push the code back to the original author's repo, but my local repo will work in the meantime.
I successfully have the upload program connected to my certbot renewal hooks and have it updating regularly.
- Copy Link
- Report Inappropriate Content
For me on OPNsense:
I created a cert for 10 years, imported on controller.
Done, well at least for now it seems....
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1421
Replies: 7
Voters 0
No one has voted for it yet.