Certificate errors on log even with working certificate

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-11-07 13:35:33
Hardware Version: V5
Firmware Version: 5.12.7

Omada Software Controller 5.12.7 running on Linux (with Docker)


I managed to get the certificate and key working with the LetsEncrypt DNS challenge for my local HTTPS. I can see the certificate is correctly applied to the controller, I don't get any alerts, and I can see the certificate in the browser matches what I have uploaded. For those interested in doing the same, you need DNS access for editing records: in my case, localmydomain is an A record pointing to a local IP 192.168.0.x. You also need certbot installed, and acme-dns-auth.py (Google it). The --key-type rsa is required by Omada.


sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --key-type rsa --debug-challenges -d localmydomain


However, before I got it to work, I stumbled upon some issues with the key, as certbot does not by default generate an RSA encrypted key as required by the Omada controller. Now I keep getting these errors filling my logs:


11-07-2023 10:23:08.061 ERROR [https-jsse-nio-8043-exec-6] [] c.t.s.o.c.u.b.b(): Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
--- stack trace

11-07-2023 10:23:08.061 WARN [https-jsse-nio-8043-exec-6] [] c.t.s.o.i.p.m.t.TenantPO(): decrypt Aes of email error
--- stack trace


I tried the following with no results:

1) re-uploading the certificate
2) deleting the eap.keystore
3) deleting the certificate

How can I make these errors go away? I will wait a couple more days and will delete the entire Omada data if I can find a solution, and restart from scratch.

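One way to check which key type certbot actually wrote before uploading it, as an added example that is not from the thread or from TP-Link: it reads the PEM label and, for PKCS#8 "PRIVATE KEY" blocks, decodes the DER AlgorithmIdentifier, so you can confirm the key is RSA as the controller requires. The function names are my own, and `stub_pkcs8_pem` builds a constructed, non-functional PKCS#8 header used only as sample input.

```python
# Added example, not code from the thread or from TP-Link: report a PEM private
# key's algorithm so you can confirm certbot produced the RSA key Omada requires.
import base64
import re

OIDS = {"1.2.840.113549.1.1.1": "RSA",      # rsaEncryption
        "1.2.840.10045.2.1": "EC"}          # id-ecPublicKey
LEGACY = {"RSA PRIVATE KEY": ("RSA", "PKCS#1"), "EC PRIVATE KEY": ("EC", "SEC1")}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):  # read one DER tag+length; return (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # DER OID content bytes (base-128 arcs) -> dotted string
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def _pkcs8_algorithm(der):
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier, key, ... }
    _, pos, _ = _tlv(der, 0)                 # outer SEQUENCE
    _, _, pos = _tlv(der, pos)               # skip version INTEGER
    _, pos, _ = _tlv(der, pos)               # AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, pos)         # algorithm OID
    if tag != 0x06: raise ValueError("malformed PKCS#8 AlgorithmIdentifier")
    return _decode_oid(der[start:end])

def describe_pem_key(pem_text):  # -> (algorithm, container) of first private-key block
    m = PEM_RE.search(pem_text)
    if not m: return ("none", "no PEM block")
    label = m.group(1)
    if label in LEGACY: return LEGACY[label]
    if label != "PRIVATE KEY": return ("unknown", label)   # e.g. ENCRYPTED PRIVATE KEY
    oid = _pkcs8_algorithm(base64.b64decode("".join(m.group(2).split())))
    return (OIDS.get(oid, oid), "PKCS#8")

def stub_pkcs8_pem(oid_hex):
    # CONSTRUCTED input: PKCS#8 header around the given OID plus a 3-byte dummy
    # key body. Not a usable key, just enough to exercise the parser above.
    oid = bytes.fromhex(oid_hex)
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x02\x01\x00" + alg + b"\x04\x03\x30\x01\x00"
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"
```

Run `describe_pem_key(open("/etc/letsencrypt/live/<domain>/privkey.pem").read())` on the real file; anything other than ("RSA", ...) means the certificate was issued without --key-type rsa.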
Re: Certificate errors on log even with working certificate
2023-11-09 01:08:52

Hello @LucianoR,


Which kind of file is your certificate? JKS/PFX/PEM?


LucianoR wrote

I stumbled upon some issues with the key, as certbot does not by default generate an RSA encrypted key as required by the Omada controller.


Do you think the key generated by certbot is incompatible with Controller?

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Re: Certificate errors on log even with working certificate
2023-12-01 18:56:29

@Hank21 PEM.


If it can be loaded into the UI, it's compatible, right?

Re: Certificate errors on log even with working certificate
2023-12-05 06:09:40 - last edited 2023-12-05 06:10:01

Hi @LucianoR


LucianoR wrote

I can see the certificate is correctly applied to the controller, I don't get any alerts, and I can see the certificate in the browser matches what I have uploaded. For those interested in doing the same, you need DNS access for editing records: in my case, localmydomain is an A record pointing to a local IP 192.168.0.x. You also need certbot installed, and acme-dns-auth.py (Google it). The --key-type rsa is required by Omada.


Based on your description, they should be compatible.


LucianoR wrote

However, before I got it to work, I stumbled upon some issues with the key, as certbot does not by default generate an RSA encrypted key as required by the Omada controller. Now I keep getting these errors filling my logs:


11-07-2023 10:23:08.061 ERROR [https-jsse-nio-8043-exec-6] [] c.t.s.o.c.u.b.b(): Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
--- stack trace

11-07-2023 10:23:08.061 WARN [https-jsse-nio-8043-exec-6] [] c.t.s.o.i.p.m.t.TenantPO(): decrypt Aes of email error
--- stack trace


It is suggested that you convert the PEM certificates to PFX and JKS, or regenerate the PFX and JKS files, and then re-import them to see if the same problem occurs.
If you don't have the same problem, it may mean that something went wrong with the key during the process of generating the PEM.
