Tp-link EAP Controller on Nethserver

Yes, man. Now it works! :star_struck:
Thanks a lot! :+1:

maybe FYI:

@sharpec I found that if you want to batch-upgrade EAPs, you have to open ports 27001 and 27002.

Good job Enzo!

Hi, I am trying to install the TP-Link controller software (v3.0.2) for 3 EAP110 APs. I used the following commands:

# install jsvc
yum install jsvc

# Download the Software and start the script
tar -zxvf Omada_Controller_V3.0.2_Linux_x64_targz.tar.gz
cd Omada_Controller_V3.0.2_Linux_x64_targz

mkdir -p /etc/e-smith/db/configuration/defaults/tpeap
echo "service" > /etc/e-smith/db/configuration/defaults/tpeap/type
echo "enabled" > /etc/e-smith/db/configuration/defaults/tpeap/status
config set tpeap service status enabled
signal-event runlevel-adjust

# open port 8043
config setprop tpeap TCPPort 8043
config setprop tpeap access green
signal-event firewall-adjust

# stop eap controller
tpeap stop

# backup eap keystore
cp /opt/tplink/EAPController/keystore/eap.keystore ~

# create pkcs12 out of crt and key
openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -name eap -out mycert.p12

# import cert to keystore
/root/Omada_Controller_V3.0.2_Linux_x64_targz/jre/bin/keytool -importkeystore -deststorepass tplink -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -srckeystore mycert.p12 -srcstoretype PKCS12

Enter source keystore password:<the-password-you-created-before>
Existing entry alias eap exists, overwrite? [no]:  yes

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/tplink/EAPController/keystore/eap.keystore -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -deststoretype pkcs12".

# Start the EAP Controller, the new cert should be imported:
tpeap start

I am not sure how to go further. I guess I should use https://my-neth-ip:8043 to connect to the controller, but there is no reaction… I just have a green IP on this server; do I need to open the ports:

UDP 29810
TCP 29811
TCP 29812


27001 ( I guess TCP)
27002 ( I guess TCP)

And what commands are used to open the ports?

I did it that way:



EAP Controller works fine for me. :+1:


Hi, thank you Ralf. I think I will do it again on a freshly installed server next week. Thank you…

OK, I had some time to do it again. If I try to load https://my-server-ip:8043 (Firefox), I get this error:

I don’t know anything about the TP-Link controller, but that error means it’s talking HTTP and you’re trying to connect via HTTPS.


Sorry for late response.
This is not normal. I get the regular warning about SSL-certs:


But I’m using my own certs. Not the original ones created by NS.
I created my own authority and installed it on all machines in the LAN as trusted authority.
I did this, because of the missing SAN (subjectAltName) in NS-SSL-cert.

If you need help to do this, please ping me. But if so, please be a little patient. I’m not very available these days.

Hi Ralf, yes that would be great !

I want to say that I’m not completely through with SSL and cert stuff, but this is the way I do it, and it satisfies my needs and works fine for me. If there is a better, faster, easier, safer or whatever way to do this, I’m happy to learn. :wink:

I do this in directory /root/ssl

So here we go:

  1. create rootCA.key (2048 bit)
    You will be asked for a passphrase. Please keep it, you’ll need it again.
  2. create rootCA.crt (10 year valid / 3650 days)
    You will be asked for several inputs, but they are self-explanatory IMO
    I use here for the common name, which is the key point: authority.domain.tld
  3. create and edit v3.ext file
    change “DNS.1 = yourserver.domain.tld” to your needs
  4. create server.key
  5. create server.crt
    important: the common name must match your “server.domain.tld”
  6. copy server.key to /etc/pki/tls/private
  7. copy server.crt to /etc/pki/tls/certs
  8. set this cert as default in GUI

ad 1 openssl genrsa -des3 -out rootCA.key 2048
ad 2 openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt
ad 3 content of v3.ext file:

        keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
        subjectAltName = @alt_names

        [alt_names]
        DNS.1 = yourserver.domain.tld

ad 4 openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
ad 5 openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext

Now you should have these files in your directory:

Now do step 6 to 8.

If you install the rootCA.crt as trusted authority on your client, the server cert should be accepted as trusted:


These certs are accepted by newer browsers which check the subjectAltName, like Opera or Firefox.
Please keep in mind that Firefox has its own cert-memory.

PS: I’m using only Win-clients. Can’t give advice to import certs to linux PCs.

If you have any problems, feel free to ask me.

So long.

PPS: Please forgive me any typos. :slight_smile:

EDIT: for a deeper understanding please have a look at:
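
Steps 1 to 5 above as one non-interactive run whose result is then checked (an added example, not part of the original post; `issue_and_check` is a hypothetical helper, the host names are placeholders, and the root key is created without a passphrase only because this CA is discarded afterwards):

```shell
# issue_and_check <server-fqdn> [san-dns-entry]
# Returns 0 if server.crt chains to rootCA.crt, lists <server-fqdn> in its
# subjectAltName and matches server.key; 1 = generation failed, 2/3/4 = the
# chain, SAN or key check failed.
issue_and_check() {
    local host="$1" san="${2:-$1}" dir rc
    dir="$(mktemp -d)" || return 1
    (
        cd "$dir" || exit 1
        # Steps 1+2: root CA. The passphrase (-des3) is left out only because
        # this CA is thrown away at the end; keep it on a real root key.
        openssl genrsa -out rootCA.key 2048 2>/dev/null || exit 1
        openssl req -x509 -new -key rootCA.key -sha256 -days 3650 \
            -subj "/CN=authority.domain.tld" -out rootCA.crt || exit 1
        # Step 3: v3.ext, including the [alt_names] section header
        printf '%s\n' \
            'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
            'subjectAltName = @alt_names' '' '[alt_names]' "DNS.1 = $san" > v3.ext
        # Steps 4+5: server key, CSR, and certificate signed by the root CA
        openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout server.key \
            -subj "/CN=$host" -out server.csr 2>/dev/null || exit 1
        openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
            -CAcreateserial -out server.crt -days 3650 -sha256 \
            -extfile v3.ext 2>/dev/null || exit 1
        # Check 1: the chain verifies against the root a client would trust
        openssl verify -CAfile rootCA.crt server.crt >/dev/null 2>&1 || exit 2
        # Check 2: the name is in the SAN (literal match; CN alone is not enough)
        openssl x509 -in server.crt -noout -text | grep -qF "DNS:$host" || exit 3
        # Check 3: certificate and private key belong together
        [ "$(openssl x509 -in server.crt -noout -pubkey | openssl sha256)" = \
          "$(openssl pkey -in server.key -pubout | openssl sha256)" ] || exit 4
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Placeholder name from step 3
issue_and_check yourserver.domain.tld && echo "chain, SAN and key OK"
```

A return code of 3 is the case where the common name is right but the SAN entry in v3.ext names a different host.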


Nice Job, thank you very much, I appreciate that !

Did this HowTo work for you?

I tried it a few times on a freshly installed virtual NethServer but was not able to… I then had to stop because of the lack of time… ATM I run it under Windows7 (shame on me :joy:)…


Version 4.x is out, did you install it?

Sorry, no. I’m still on V 3.2.9.

Will give V4 a try in the next days.

EDIT: Can’t upgrade to V4 because of one EAP 115 V 2 in my network. There is no firmware for it for the new SDN-Controller, it seems.

That’s bad luck, but not a big problem…

SSL-Cert creation and import on Win10 PC went well, but how to use it / import it on Nethserver?

I think the Alternative names are now implemented?

Just copy the cert to /etc/pki/tls/certs/ and the key to /etc/pki/tls/private/ and it will appear here:

Yes. You can also give here the IP address to have a valid cert if you reach the server through its IP.