I couldn’t make it work with reverse proxy so only way I see is to open port 8043 (changeable in /opt/tplink/EAPController/properties/jetty.properties) and import the Nethserver/Letsencrypt cert.
# open port 8043
config setprop tpeap TCPPort 8043
config setprop tpeap access green
signal-event firewall-adjust
# stop eap controller
tpeap stop
# backup eap keystore
cp /opt/tplink/EAPController/keystore/eap.keystore ~
# create pkcs12 out of crt and key
openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -name eap -out mycert.p12
# import cert to keystore
keytool -importkeystore -deststorepass tplink -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -srckeystore mycert.p12 -srcstoretype PKCS12
Enter tplink as password and confirm overwrite with yes:
Enter source keystore password: tplink
Existing entry alias eap exists, overwrite? [no]: yes`
Start the EAP Controller, the new cert should be imported:
tpeap start
Source:
http://forum.tp-link.com/showthread.php?96192-Hacking-a-valid-cert-into-the-EAP-controller-software