Using letsencrypt outside of HTTP


#1

Hello,

I have an access point with a captive portal and webUI that uses a currently revoked default certificate. Is it possible to use letsencrypt to generate a private and public key that I can install on the access point, using my own details?

The key was a private, generic Aruba Networks key that has recently been revoked, and it's making my captive portal non-functional.


#2

You can get a certificate for any (IANA/“public”) domain name you own. You could run one of the available ACME clients on a separate device, solve the ownership challenge for that domain (a DNS-based challenge like dns-01 is probably a good option for this - take a look at lego or one of the bash clients) and install the resulting key/certificate on your device. You’ll have to repeat this once every 90 days (that’s how long Let’s Encrypt’s certificates are valid for), probably manually as I’m guessing the access point does not have an API you can use to provision certificates and keys.

This would only work if you’re in control over the hostname at which you access the captive portal. If that’s effectively hard-coded to a domain you do not own, I’m afraid there’s no solution that involves a publicly-trusted CA short of Aruba providing a solution.

Alternatively, if you’re in control over all devices that access your captive portal (I’d guess not, but I’ll mention it just in case), you could generate a root certificate, deploy that certificate across all your devices (import them in your browser trust store manually or use something like ActiveDirectory to push them to clients), and sign a certificate for that domain.


#3

Thanks for the info. The current certificate that comes applied to the Aruba Networks APs uses a signed certificate that has been revoked. They advise, and offer an area in the control panel to add your own certificate, so there has to be a way to specify the hostname, or to take control of the hostname. It currently uses securelogin.arubanetworks.com, but I would assume if you change the hostname in the access point for the captive portal to match the domain that the key is associated with, that it would work.

The way the internal system works, I think, is securelogin.arubanetworks.com is a 127.0.0.1 reroute to the internal IP where the captive portal interface is located. I haven't been in the admin area of the AP yet, but I would assume that you can change the hostname to match the one associated with the key, and have it do the same thing to get a valid certificate on the device.


#4

I see - in that case, getting a certificate for a domain name you own and adding that should work.


#5

Hi Ex0r

Internal networking equipment can be a bit tricky.

Most networks run two domains: an internal domain (e.g. domain.company.local) and an external domain (company.com).

If you run an internal domain that is the same as your external domain, you are in luck, e.g. internal.company.com. You can request a certificate for aruba.internal.company.com and use DNS verification to get the certificate issued. You can then install that certificate on the Aruba APs and update your DNS records.

Let's Encrypt works well for the external domains used in email and websites but, like most CAs, doesn't do well with internal domains.

There are a couple of options:

A) If you are running Microsoft and have Microsoft AD Certificate Services enabled, you can issue your own certificate, e.g. arubalogon.company.local, and make sure DNS records point to the access point.
B) You can create a self-signed certificate and install that. Once again the domain name might be arubalogon.company.local.
C) You can use a Let's Encrypt certificate. The challenge here is that the internet will not be able to resolve arubalogon.company.local, so you may need to do some magic to make that happen.


#6

ahaw021,

Thanks for the information. I am not completely familiar with the access point, as I was asked by a friend to come into their organization and fix their issues as the current IT administrator is being difficult. I do not have the admin access to the router to find out all of the details, but in reading through the Airheads (Aruba Networks forums), it looks like it's completely possible to set up your own DNS on the virtual controllers, and if that's the case, I would probably set the host of the login to ap.domain.com or something similar, and point the DNS to the IP address of the access point (WAN IP), as I believe that's how the system is set up. From there I would just create a letsencrypt or similar key for ap.domain.com and use that as the certificate. The problem with a self-signed one is browsers like Google Chrome are getting really strict and starting to enforce requiring signatures. Currently for them to log in, I have to use the 'badidea' Google Chrome hack to allow them access to the secure https page so they can authorize on the network.


#7

Hi Ex0r

That will work. If you have DNS records that’s probably the easiest way of doing domain validation.

Andrei


#8

Longer term it would be nice to see either ISRG / Let’s Encrypt find a way to help secure systems like this, or for the consumer electronics industry to get together and create their own CA to do so. The previous Aruba situation (every device they sold had the exact same private key inside it, corresponding to a real Web PKI certificate issued to Aruba) was not tenable because of course bad guys could impersonate any of those Aruba devices. But we can and should make it possible to deliver the same user experience (buy the product, plug it in to the Internet, secure log in pages just work) without the risks, by having each device generate its own private keys and get itself a unique certificate.


#9

I agree… that situation is what recently happened. The Aruba Networks devices came with the SAME key by default, and as of 9/8 it was revoked because the private key got compromised. So now, anybody who uses ArubaOS 6.5 no longer has a secure access point. From what I've gathered, ArubaOS 9 forces you to set up your own keys, even if they are self-signed, so the problem isn't as impactful on those devices, I gather.

It would be nice if LetsEncrypt, or similar, was integrated into those systems, so that when somebody sets up their network, they are able to generate, sign and authorize their keys then and there, and each device would have its own key.


#10

As a sort of aside, when you 'renew' your key every 90 days, does it auto-generate a new key for you that you have to install, or does the old/existing one still work?


#11

It’s possible to re-use the private key - the key is something that you generate (typically through your ACME client), not something that Let’s Encrypt provides, and there’s no rule that says private keys cannot be reused. certbot, the recommended ACME client, rotates the key for each renewal, but that can be changed by providing your own CSR.

That being said, the certificate changes with each renewal, so you’ll have to re-upload at least that bit every 90 days (so rotating the private key at the same time doesn’t really save you that much time in a manual process).
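The private-key reuse described in #11, together with the "run the ACME client on a separate device, then upload the result" process from #2, as an added shell example that is not code from any poster or from the certbot project: the key is generated once with openssl, each renewal builds a fresh CSR from that same key and hands it to certbot with `--csr`, and a public-key fingerprint check confirms that a CSR or an issued certificate still matches the key already installed on the access point. The hostname ap.domain.com (from #6), the file names and the working directory are assumptions; the certbot invocation is printed rather than executed because it needs the real domain's DNS for the dns-01 challenge.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the private key once and
# reuse it across Let's Encrypt renewals by giving certbot your own CSR.
# Hostname and file paths are assumptions for the example.
set -eu

PORTAL_FQDN="${PORTAL_FQDN:-ap.domain.com}"   # hostname from #6 (assumed)
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create the RSA key only if it does not already exist, so later renewals reuse it.
ensure_private_key() {
    key="$1"
    if [ ! -f "$key" ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key"
        chmod 600 "$key"
    fi
}

# Build a CSR for the portal hostname from the existing key; the subjectAltName
# is set explicitly since that is what the CA issues for (-addext needs OpenSSL 1.1.1+).
make_csr() {
    key="$1"; csr="$2"; fqdn="$3"
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn"
}

# Print the PEM public key carried by a private key, a CSR or a certificate.
pem_pubkey() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
        *)    echo "unknown kind: $1" >&2; return 1 ;;
    esac
}

# SHA-256 fingerprint (hex) of that public key, so artifacts can be compared by value.
pubkey_fingerprint() {
    pem_pubkey "$1" "$2" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Succeeds only when both artifacts carry the same public key, e.g.
#   same_public_key key portal.key cert portal.crt
# before uploading a renewed certificate to the access point.
same_public_key() {
    [ "$(pubkey_fingerprint "$1" "$2")" = "$(pubkey_fingerprint "$3" "$4")" ]
}

# One renewal round: reuse the key, make a fresh CSR, and show the certbot call.
# With --csr, certbot writes the new certificate to --cert-path and the chain to
# --fullchain-path; only those files need to be uploaded, the key on the device
# stays as it is. (Newer certbot releases also offer --reuse-key for the same effect.)
renew_with_reused_key() {
    dir="$1"; fqdn="$2"
    ensure_private_key "$dir/portal.key"
    make_csr "$dir/portal.key" "$dir/portal.csr" "$fqdn"
    printf 'certbot certonly --manual --preferred-challenges dns --csr %s \\\n' "$dir/portal.csr"
    printf '    --cert-path %s --fullchain-path %s\n' "$dir/portal.crt" "$dir/fullchain.pem"
}

renew_with_reused_key "$WORKDIR" "$PORTAL_FQDN"
```

Run it once to create the key and the first CSR, then on every renewal run it again: the key file is left alone, the CSR is regenerated, and after certbot issues the certificate `same_public_key key portal.key cert portal.crt` confirms the new certificate matches the key already on the access point before you upload it.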


#12

Yeah, being as the owners are not very tech savvy, and I am not on retainer for them to continue working on it, I may not be able to use LetsEncrypt and may have to go to GoDaddy or another CA to get a longer lasting certificate. They were trying to avoid paying $200 a year for a certificate if they could, so I was trying to find a free alternative for them.


#13

That does sound like a better option for now; Domain Validation certificates are typically $10/year nowadays, so that's probably cheaper than having a sysadmin do this manually four times a year.

Hopefully Aruba will decide to add ACME/Let’s Encrypt support and solve this problem for good.


#14

Okay, where do you recommend going for such a thing? The cheapest one I found on GoDaddy was $55/yr but it was limited. All it needs to do is be used for the captive portal and that's it, although I suppose if they get the $200 a year one, they could also use it on their entire website, since it also includes subdomains (e.g. whatever.domain.com).


#15

I’ve used namecheap in the past, but any Comodo or RapidSSL reseller will do (just about any medium to large web hosting company), prices are usually around $10/year/domain.

