I have an access point with a captive portal and webUI that uses a currently revoked default certificate. Is it possible to use letsencrypt to generate a private and public key that I can install on the access point, using my own details?
The key was a private, generic Aruba Networks key that has recently been revoked, and it's making my captive portal non-functional.
You can get a certificate for any (IANA/“public”) domain name you own. You could run one of the available ACME clients on a separate device, solve the ownership challenge for that domain (a DNS-based challenge like dns-01 is probably a good option for this - take a look at lego or one of the bash clients) and install the resulting key/certificate on your device. You’ll have to repeat this once every 90 days (that’s how long Let’s Encrypt’s certificates are valid for), probably manually as I’m guessing the access point does not have an API you can use to provision certificates and keys.
This would only work if you’re in control over the hostname at which you access the captive portal. If that’s effectively hard-coded to a domain you do not own, I’m afraid there’s no solution that involves a publicly-trusted CA short of Aruba providing a solution.
Alternatively, if you’re in control over all devices that access your captive portal (I’d guess not, but I’ll mention it just in case), you could generate a root certificate, deploy that certificate across all your devices (import them in your browser trust store manually or use something like ActiveDirectory to push them to clients), and sign a certificate for that domain.
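The private-root-CA alternative, as an added worked example that is not part of the original thread or of any Aruba or Let's Encrypt tooling: it builds a private root, signs a certificate for the portal hostname and then runs the same chain-and-hostname check a browser would, once with the private root trusted and once without. It needs only the openssl CLI; the hostname (the hard-coded securelogin.arubanetworks.com from the question), subject names, key sizes and lifetimes are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a private root CA, signs a
# server certificate for the captive-portal hostname, and verifies the result the
# way a browser that trusts the root would. Requires the openssl CLI.
# Assumptions: hostname, subject names, key sizes and lifetimes are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PORTAL_HOST="${PORTAL_HOST:-securelogin.arubanetworks.com}"   # name the AP presents

# Root CA: self-signed, CA:TRUE, long-lived. root.key stays off the AP and off the
# clients; root.crt is what gets imported into every client's trust store.
make_root_ca() {
  cat > "$WORK/root.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$WORK/root.key" \
    -config "$WORK/root.cnf" -out "$WORK/root.crt"
}

# Leaf certificate for the portal: CA:FALSE, serverAuth, hostname in the SAN
# (browsers ignore the CN). portal.key + portal.crt is the pair uploaded to the AP.
make_portal_cert() {
  cat > "$WORK/portal.cnf" <<EOF
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = $PORTAL_HOST
EOF
  cat > "$WORK/portal.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$PORTAL_HOST
authorityKeyIdentifier = keyid, issuer
EOF
  openssl genrsa -out "$WORK/portal.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/portal.key" -config "$WORK/portal.cnf" \
    -out "$WORK/portal.csr"
  openssl x509 -req -sha256 -days 398 -in "$WORK/portal.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/portal.ext" -out "$WORK/portal.crt" 2>/dev/null
}

# Chain + hostname check with the private root as trust anchor.
# Exit 0 means a client that has imported root.crt would accept the cert for $1.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$1" \
    "$WORK/portal.crt" >/dev/null 2>&1
}

# The same check against the system store only: what every client that has NOT
# imported root.crt sees, and why this route only works for devices you manage.
verify_without_root() {
  openssl verify -verify_hostname "$1" "$WORK/portal.crt" >/dev/null 2>&1
}

main() {
  make_root_ca
  make_portal_cert
  if verify_chain "$PORTAL_HOST"; then echo "root trusted: accepted for $PORTAL_HOST"; fi
  if ! verify_chain "other.example"; then echo "root trusted: rejected for other.example (SAN mismatch)"; fi
  if ! verify_without_root "$PORTAL_HOST"; then echo "root not trusted: rejected (unknown issuer)"; fi
  echo "install on AP: $WORK/portal.key $WORK/portal.crt; on clients: $WORK/root.crt"
}
main
```

The last check is the important caveat: the certificate is only as good as the trust store of the device looking at it, so every guest laptop or phone that never received root.crt still gets the browser warning.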
Thanks for the info. The current certificate that comes applied to the Aruba Networks APs uses a signed certificate that has been revoked. They advise, and offer an area in the control panel to add your own certificate, so there has to be a way to specify the hostname, or to take control of the hostname. It currently uses securelogin.arubanetworks.com, but I would assume if you change the hostname in the access point for the captive portal to match the domain that the key is associated with, that it would work.
The way the internal system works, I think, is securelogin.arubanetworks.com is a 127.0.0.1 reroute to the internal IP where the captive portal interface is located. I haven’t been in the admin area of the AP yet, but I would assume that you can change the hostname to match the one associated with the key, and have it do the same thing to get a valid certificate on the device.
Most networks run two domains: an internal domain (e.g. domain.company.local) and an external domain (e.g. company.com).
If you run an internal domain that is the same as your external domain you are in luck, e.g. internal.company.com. You can request a certificate for aruba.internal.company.com and use DNS verification to get the certificate issued. You can then install that certificate on the Aruba APs and update your DNS records.
Let’s Encrypt works well for the external domains used in emails and websites but, like most CAs, doesn’t do well with internal domains.
There are a couple of options:
A) If you are running Microsoft and have Microsoft AD Certificate Services enabled you can issue your own certificate, e.g. arubalogon.company.local, and make sure DNS records point to the access point.
B) You can create a self-signed certificate and install that. Once again the domain name might be arubalogon.company.local.
C) You can use a Let’s Encrypt certificate. The challenge here is that the internet will not be able to resolve arubalogon.company.local, so you may need to do some magic to make that happen.
Thanks for the information. I am not completely familiar with the access point, as I was asked by a friend to come into their organization and fix their issues as the current IT administrator is being difficult. I do not have the admin access to the router to find out all of the details, but in reading through the Airheads (Aruba Networks forums), it looks like it’s completely possible to set up your own DNS on the virtual controllers, and if that’s the case, I would probably set the host of the login to ap.domain.com or something similar, and point the DNS to the IP address of the access point (WAN IP), as I believe that’s how the system is set up.
From there I would just create a Let’s Encrypt or similar key to ap.domain.com and use that as the certificate. The problem with a self-signed one is browsers like Google Chrome are getting really strict and starting to enforce requiring signatures. Currently for them to log in, I have to use the “badidea” Google Chrome hack to allow them access to the secure https page so they can authorize on the network.
Longer term it would be nice to see either ISRG / Let’s Encrypt find a way to help secure systems like this, or for the consumer electronics industry to get together and create their own CA to do so. The previous Aruba situation (every device they sold had the exact same private key inside it, corresponding to a real Web PKI certificate issued to Aruba) was not tenable because of course bad guys could impersonate any of those Aruba devices. But we can and should make it possible to deliver the same user experience (buy the product, plug it in to the Internet, secure log in pages just work) without the risks, by having each device generate its own private keys and get itself a unique certificate.
I agree… that situation is what recently happened. The Aruba Networks devices came with the SAME key by default, and as of 9/8 it was revoked because the private key got compromised. So now, anybody who uses ArubaOS 6.5 no longer has a secure access point. From what I’ve gathered, ArubaOS 9 forces you to set up your own keys, even if they are self-signed, so the problem isn’t as impactful on those devices, I gather.
It would be nice if Let’s Encrypt, or similar, was integrated into those systems, so that when somebody sets up their network, they are able to generate, sign and authorize their keys then and there, and each device would have its own key.
As a sort of aside, when you “renew” your key every 90 days, does it auto-generate a new key for you that you have to install, or does the old/existing one still work?
It’s possible to re-use the private key - the key is something that you generate (typically through your ACME client), not something that Let’s Encrypt provides, and there’s no rule that says private keys cannot be reused. certbot, the recommended ACME client, rotates the key for each renewal, but that can be changed by providing your own CSR.
That being said, the certificate changes with each renewal, so you’ll have to re-upload at least that bit every 90 days (so rotating the private key at the same time doesn’t really save you that much time in a manual process).
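The key-reuse point above, as an added worked example that is not part of the original thread and not certbot's or Let's Encrypt's own code: one key and one CSR are generated once, and each "renewal" produces a new certificate for the unchanged key, which the script proves by comparing the public key in both certificates with the key file. Self-signing stands in for the CA so the script runs offline; against Let's Encrypt the same CSR would instead be handed to certbot with `certbot certonly --csr ap.csr` (a real certbot option), which returns a certificate without ever seeing the private key. It needs the openssl CLI; the hostname (ap.domain.com from the thread), file names, serial numbers and lifetimes are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). The private key is the operator's
# to keep: key and CSR are generated once, every "renewal" issues a fresh 90-day
# certificate for the same key. Self-signing stands in for the CA so this runs
# offline; with Let's Encrypt the CSR would be passed to certbot instead
# (certbot certonly --csr "$WORK/ap.csr" ...), which signs it without the key.
# Requires the openssl CLI. Hostname, paths, serials and lifetimes are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
AP_HOST="${AP_HOST:-ap.domain.com}"

# Done once. ap.key stays on the AP for as long as you like; ap.csr carries only
# the public key and the name, so it can be resubmitted at every renewal.
make_key_and_csr() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = $AP_HOST
EOF
  cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$AP_HOST
EOF
  openssl genrsa -out "$WORK/ap.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/ap.key" -config "$WORK/req.cnf" -out "$WORK/ap.csr"
}

# One "renewal": a 90-day certificate issued from the unchanged CSR.
# $1 = output file, $2 = serial (a real CA picks its own; here it is what makes
# two certificates for the same key distinguishable).
issue_cert() {
  openssl x509 -req -sha256 -days 90 -in "$WORK/ap.csr" -signkey "$WORK/ap.key" \
    -set_serial "$2" -extfile "$WORK/leaf.ext" -out "$1" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo, taken either from a key file or from
# a certificate, so the two can be compared byte for byte.
spki_of_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
spki_of_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}
# Fingerprint of the whole certificate: changes on every issuance.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
  make_key_and_csr
  issue_cert "$WORK/ap-cycle1.crt" 1001   # first issuance
  issue_cert "$WORK/ap-cycle2.crt" 1002   # renewal ~90 days later, same CSR
  echo "key    SPKI: $(spki_of_key  "$WORK/ap.key")"
  echo "cert 1 SPKI: $(spki_of_cert "$WORK/ap-cycle1.crt")"
  echo "cert 2 SPKI: $(spki_of_cert "$WORK/ap-cycle2.crt")"
  echo "cert 1 fp:   $(cert_fingerprint "$WORK/ap-cycle1.crt")"
  echo "cert 2 fp:   $(cert_fingerprint "$WORK/ap-cycle2.crt")"
  echo "only the certificate changes per cycle; ap.key on the AP is untouched"
}
main
```

The three SPKI lines come out identical while the two fingerprints differ, which is exactly the situation the answer describes: the key can stay put, but the certificate file still has to be re-uploaded on every cycle.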
Yeah, being as the owners are not very tech savvy, and I am not on retainer for them to continue working on it, I may not be able to use LetsEncrypt and may have to go to GoDaddy or another CA to get a longer lasting certificate. They were trying to avoid paying $200 a year for a certificate if they could, so I was trying to find a free alternative for them.
That does sound like a better option for now. Domain Validation certificates are typically $10/year nowadays, so that’s probably cheaper than having a sysadmin do this manually four times a year.
Hopefully Aruba will decide to add ACME/Letās Encrypt support and solve this problem for good.
Okay, where do you recommend going for such a thing? The cheapest one I found on GoDaddy was $55/yr but it was limited. All it needs to do is be used for the captive portal and that’s it, although I suppose if they get the $200 a year one, they could also use it on their entire website, since it also includes subdomains (e.g. whatever.domain.com).
I’ve used Namecheap in the past, but any Comodo or RapidSSL reseller will do (just about any medium to large web hosting company), prices are usually around $10/year/domain.