Yes, man. No it works!
Thanks a lot!
maybe FYI:
@sharpec I found that if you want to batch-upgrade EAPs, you have to open ports 27001 and 27002.
Good job Enzo!
Hi, I'm trying to install the TP-Link controller software (v3.0.2) for 3 EAP110 APs. I used the following commands:
# install jsvc
yum install jsvc
# download the software and run the install script
wget https://static.tp-link.com/2018/201809/20180907/Omada_Controller_V3.0.2_Linux_x64_targz.tar.gz
tar -zxvf Omada_Controller_V3.0.2_Linux_x64_targz.tar.gz
cd Omada_Controller_V3.0.2_Linux_x64_targz
./install.sh
# register tpeap as a service in the NethServer configuration db and enable it
mkdir -p /etc/e-smith/db/configuration/defaults/tpeap
echo "service" > /etc/e-smith/db/configuration/defaults/tpeap/type
echo "enabled" > /etc/e-smith/db/configuration/defaults/tpeap/status
config set tpeap service status enabled
signal-event runlevel-adjust
# open port 8043 (controller web UI) on the green interface only
config setprop tpeap TCPPort 8043
config setprop tpeap access green
signal-event firewall-adjust
# stop the EAP controller before touching its keystore
tpeap stop
# back up the EAP keystore
cp /opt/tplink/EAPController/keystore/eap.keystore ~
# create a PKCS12 bundle (alias "eap") out of the NethServer crt and key
openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -name eap -out mycert.p12
# import the bundle into the controller keystore (default store password: tplink)
/root/Omada_Controller_V3.0.2_Linux_x64_targz/jre/bin/keytool -importkeystore -deststorepass tplink -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -srckeystore mycert.p12 -srcstoretype PKCS12
Enter source keystore password: <the-password-you-created-before>
Existing entry alias eap exists, overwrite? [no]: yes
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/tplink/EAPController/keystore/eap.keystore -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -deststoretype pkcs12".
# start the EAP controller; the new cert should now be in use
tpeap start
I am not sure how to go further. I guess I should use https://my-neth-ip:8043 to connect to the controller, but there is no reaction… I just have a green IP on this server. Do I need to open the ports:
UDP 29810
TCP 29811
TCP 29812
and
27001 (I guess TCP)
27002 (I guess TCP)
And what commands are used to open the ports?
Hi, thank you Ralf. I think I will do it again on a freshly installed server, next week. Thank you…
OK, I had some time to do it again. If I try to load https://my-server-ip:8043 (Firefox), I get this error:
I don’t know anything about the TP-Link controller, but that error means it’s talking HTTP and you’re trying to connect via HTTPS.
Sorry for late response.
This is not normal. I get the regular warning about SSL-certs:
But I’m using my own certs. Not the original ones created by NS.
I created my own authority and installed it on all machines in the LAN as trusted authority.
I did this, because of the missing SAN (subjectAltName) in NS-SSL-cert.
If you need help to do this, please ping me. But if so, please be a little patient. I'm not very available these days.
I want to say that I'm not completely through with SSL and cert stuff, but this is the way I do it and this satisfies my needs and works fine for me. If there is a better, faster, easier, safer or whatever way to do this, I'm happy to learn.
I do this in directory /root/ssl
So here we go:
1. create rootCA.key (2048 bit). You will be asked for a passphrase. Please keep it, you'll need it again.
2. create rootCA.crt (10 years valid / 3650 days). You will be asked for several inputs, but they are self-explaining IMO. I use here for the common name, which is the key point: authority.domain.tld
3. create and edit the v3.ext file. Change “DNS.1 = yourserver.domain.tld” to your needs.
4. create server.key
5. create server.crt. Important: the common name must match your “server.domain.tld”
6. copy server.key to /etc/pki/tls/private
7. copy server.crt to /etc/pki/tls/certs
8. set this cert as default in the GUI
ad 1 openssl genrsa -des3 -out rootCA.key 2048
ad 2 openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt
ad 3 content of v3.ext file:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = yourserver.domain.tld
ad 4 openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
ad 5 openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext
Now you should have these files in your directory:
Now do steps 6 to 8.
If you install the rootCA.crt as trusted authority on your client, the server cert should be accepted as trusted:
These certs are accepted by newer browsers which check the subjectAltName, like Opera or Firefox.
Please keep in mind that Firefox has its own cert store.
PS: I'm using only Windows clients. Can't give advice on importing certs on Linux PCs.
If you have any problems, feel free to ask me.
So long.
PPS: Please forgive me any typos.
EDIT: for a deeper understanding please have a look at: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html.
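As an added example (not Ralf's script and not part of the thread), here are steps 1 to 5 of the how-to above run non-interactively, followed by the PKCS12 export with alias "eap" that the first post feeds to keytool, and the two checks a browser effectively performs: chain validation and a hostname match against the SAN. It assumes openssl 1.1.1 or newer on PATH; the directory, hostnames and passphrases are constructed placeholders.

```shell
# Added example: CA + SAN server cert (steps 1-5 above) and the PKCS12 bundle
# the Omada keystore import expects. openssl >= 1.1.1 assumed; names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
CA_CN="authority.example.test"      # stands in for authority.domain.tld
SERVER_FQDN="server.example.test"   # stands in for server.domain.tld
CA_PASS="pass:change-me-ca"         # placeholder passphrase for rootCA.key
P12_PASS="pass:change-me-p12"       # placeholder export password for mycert.p12

make_certs() {
    cd "$WORK"
    # Minimal req config so the root gets CA:TRUE regardless of the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'commonName = Common Name' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > ca.cnf
    # Steps 1-2: encrypted CA key and 10-year self-signed root (-subj replaces the prompts).
    openssl genrsa -des3 -passout "$CA_PASS" -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -config ca.cnf -key rootCA.key -passin "$CA_PASS" \
        -sha256 -days 3650 -subj "/CN=$CA_CN" -out rootCA.crt
    # Step 3: v3.ext exactly as in the post; the SAN is what browsers match, not the CN.
    cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $SERVER_FQDN
EOF
    # Steps 4-5: server key + CSR, then the CA signs it with the v3.ext extensions.
    openssl req -new -config ca.cnf -sha256 -nodes -newkey rsa:2048 -keyout server.key \
        -subj "/CN=$SERVER_FQDN" -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -passin "$CA_PASS" \
        -CAcreateserial -days 3650 -sha256 -extfile v3.ext -out server.crt 2>/dev/null
    # Same bundle the Omada post imports into eap.keystore under alias "eap".
    openssl pkcs12 -export -in server.crt -inkey server.key -name eap \
        -passout "$P12_PASS" -out mycert.p12
}
# What a client does: validate the chain AND require $1 to appear in the SAN.
verify_chain() {
    openssl verify -CAfile "$WORK/rootCA.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}
# Prints the SAN entry of server.crt (empty output means the cert has no SAN at all).
show_san() {
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
# Prints the alias stored in mycert.p12, which keytool later reports as "eap".
p12_alias() {
    openssl pkcs12 -in "$WORK/mycert.p12" -nokeys -passin "$P12_PASS" 2>/dev/null | sed -n 's/^ *friendlyName: *//p'
}
```

Run `make_certs`, then `verify_chain server.example.test` succeeds while `verify_chain other.example.test` fails, which is exactly the difference between a cert that only has a matching CN and one that carries the SAN.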
Nice Job, thank you very much, I appreciate that !
Did this HowTo work for you?
I tried it a few times on a freshly installed virtual NethServer but was not able to… I then had to stop because of the lack of time… ATM I run it under Windows 7 (shame on me)…
Version 4.x is out, did you install it?
Sorry, no. I’m still on V 3.2.9.
Will give V4 a try next days.
EDIT: Can't upgrade to V4 because of one EAP 115 V2 in my network. There is no firmware for it for the new SDN controller, it seems.
That's bad luck, but not a big problem…
SSL cert creation and import on a Win10 PC went well, but how to use it / import it on NethServer?