Using letsencrypt outside of HTTP

Hello,

I have an access point with a captive portal and webUI that uses a currently revoked default certificate. Is it possible to use letsencrypt to generate a private and public key that I can install on the access point, using my own details?

The key was a private, generic, Aruba Networks key that has recently been revoked and it's making my captive portal non-functional.

You can get a certificate for any (IANA/“public”) domain name you own. You could run one of the available ACME clients on a separate device, solve the ownership challenge for that domain (a DNS-based challenge like dns-01 is probably a good option for this - take a look at lego or one of the bash clients) and install the resulting key/certificate on your device. You’ll have to repeat this once every 90 days (that’s how long Let’s Encrypt’s certificates are valid for), probably manually as I’m guessing the access point does not have an API you can use to provision certificates and keys.

This would only work if you’re in control over the hostname at which you access the captive portal. If that’s effectively hard-coded to a domain you do not own, I’m afraid there’s no solution that involves a publicly-trusted CA short of Aruba providing a solution.

Alternatively, if you’re in control over all devices that access your captive portal (I’d guess not, but I’ll mention it just in case), you could generate a root certificate, deploy that certificate across all your devices (import them in your browser trust store manually or use something like ActiveDirectory to push them to clients), and sign a certificate for that domain.

Thanks for the info. The current certificate that comes applied to the Aruba Networks APs uses a signed certificate that has been revoked. They advise, and offer an area in the control panel to add your own certificate, so there has to be a way to specify the hostname, or to take control of the hostname. It currently uses securelogin.arubanetworks.com, but I would assume if you change the hostname in the access point for the captive portal to match the domain that the key is associated with, that it would work.

The way the internal system works, I think, is securelogin.arubanetworks.com is a 127.0.0.1 reroute to the internal IP where the captive portal interface is located. I haven’t been in the admin area of the AP yet, but I would assume that you can change the hostname to match the one associated with the key, and have it do the same thing to get a valid certificate on the device.

I see - in that case, getting a certificate for a domain name you own and adding that should work.

Hi Ex0r

Internal networking equipment can be a bit tricky

Most networks run two domains an internal domain (e.g. domain.company.local) and an external domain company.com

If you run an internal domain that is the same as your external domain you are in luck, e.g. internal.company.com. You can request a certificate for aruba.internal.company.com and use DNS verification to get the certificate issued. You can then install that certificate on the Aruba APs and update your DNS records.

Let’s Encrypt works well for the external domains used in emails and websites but, like most CAs, doesn’t do well in internal domains.

There are a couple of options

A) If you are running Microsoft and have Microsoft AD Certificate Services enabled you can issue your own certificate, e.g. arubalogon.compay.local, and make sure DNS records point to the access point.
B) You can create a self-signed certificate and install that. Once again the domain name might be arubalogon.compay.local.
C) You can use a Let’s Encrypt certificate. The challenge here is that the internet will not be able to resolve arubalogon.compay.local, so you may need to do some magic to make that happen.

ahaw021,

Thanks for the information. I am not completely familiar with the access point, as I was asked by a friend to come into their organization and fix their issues as the current IT administrator is being difficult. I do not have the admin access to the router to find out all of the details, but in reading through the Airheads (Aruba Networks forums), it looks like it’s completely possible to set up your own DNS on the virtual controllers, and if that’s the case, I would probably set the host of the login to ap.domain.com or something similar, and point the DNS to the IP address of the access point (WAN IP), as I believe that’s how the system is set up. From there I would just create a letsencrypt or similar key to ap.domain.com and use that as the certificate. The problem with a self-signed one is browsers like Google Chrome are getting really strict and starting to enforce requiring signatures. Currently for them to log in, I have to use the ‘badidea’ Google Chrome hack to allow them access to the secure https page so they can authorize on the network.

Hi Ex0r

That will work. If you have DNS records that’s probably the easiest way of doing domain validation.

Andrei
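What "DNS validation" concretely means for the ap.domain.com plan, as an added example that is not part of the thread: under RFC 8555 a dns-01 challenge is satisfied by publishing a TXT record at `_acme-challenge.<name>` whose value is the base64url-encoded SHA-256 of the key authorization (the challenge token, a dot, and the base64url JWK thumbprint of the ACME account key). The functions below compute that record name and value with openssl so you can check what your ACME client published before the CA does; the token and thumbprint are constructed sample strings, not real challenge data, and the `dig` check is an assumption about the tooling available on the machine running the client.

```shell
#!/bin/sh
# Added example, not from the thread: derive and verify the TXT record a
# dns-01 validation relies on.
#   value = base64url( SHA-256( token || "." || base64url(JWK thumbprint of account key) ) )
set -eu

# base64url (RFC 4648 section 5, no padding) of the SHA-256 of $1.
b64url_sha256() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | openssl base64 -A \
        | tr '+/' '-_' | tr -d '='
}

# TXT record value: $1 = challenge token, $2 = account key thumbprint.
dns01_txt_value() {
    b64url_sha256 "$1.$2"
}

# Name the record must live at: $1 = the DNS identifier being validated.
dns01_record_name() {
    printf '_acme-challenge.%s' "$1"
}

# Operator-side check (needs dig and network access, so it is not run here):
# does the published TXT record match what the client expects the CA to see?
# $1 = identifier, $2 = token, $3 = account key thumbprint.
dns01_record_is_published() {
    name=$(dns01_record_name "$1")
    expected=$(dns01_txt_value "$2" "$3")
    dig +short TXT "$name" | tr -d '"' | grep -qx "$expected"
}

# Constructed sample inputs, not from a real ACME exchange.
SAMPLE_TOKEN="sample-token-not-from-a-real-challenge"
SAMPLE_THUMBPRINT="sample-account-key-thumbprint"

echo "record: $(dns01_record_name ap.example.com)"
echo "value:  $(dns01_txt_value "$SAMPLE_TOKEN" "$SAMPLE_THUMBPRINT")"
```

Because the value is tied to the account key, a record left behind from an earlier validation proves nothing to a different account; removing stale `_acme-challenge` records after issuance keeps the zone tidy, and an unexpected one appearing is worth noticing, since it means someone holding an ACME account is attempting validation for that name.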

Longer term it would be nice to see either ISRG / Let’s Encrypt find a way to help secure systems like this, or for the consumer electronics industry to get together and create their own CA to do so. The previous Aruba situation (every device they sold had the exact same private key inside it, corresponding to a real Web PKI certificate issued to Aruba) was not tenable because of course bad guys could impersonate any of those Aruba devices. But we can and should make it possible to deliver the same user experience (buy the product, plug it in to the Internet, secure log in pages just work) without the risks, by having each device generate its own private keys and get itself a unique certificate.

I agree… that situation is what recently happened. The Aruba Networks devices came with the SAME key by default, and as of 9/8 it was revoked because the private key got compromised. So now, anybody who uses ArubaOS 6.5 no longer has a secure access point. From what I’ve gathered, ArubaOS 9 forces you to set up your own keys, even if they are self-signed, so the problem isn’t as impactful on those devices I gather.

It would be nice if LetsEncrypt, or similar, was integrated into those systems, so that when somebody sets up their network, they are able to generate, sign and authorize their keys then and there, and each device would have its own key.

As a sort of aside, when you ‘renew’ your key every 90 days, does it auto-generate a new key for you that you have to install, or does the old/existing one still work?

It’s possible to re-use the private key - the key is something that you generate (typically through your ACME client), not something that Let’s Encrypt provides, and there’s no rule that says private keys cannot be reused. certbot, the recommended ACME client, rotates the key for each renewal, but that can be changed by providing your own CSR.

That being said, the certificate changes with each renewal, so you’ll have to re-upload at least that bit every 90 days (so rotating the private key at the same time doesn’t really save you that much time in a manual process).
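The "provide your own CSR" approach from the answer above, as an added example (not code from the thread or from certbot's documentation): the access point's key is generated once and never overwritten, a CSR is built from that key with the hostname in the SAN, and before each renewal the script confirms the CSR really carries the installed key's public half. The certbot invocation is wrapped in a function that is not called automatically, since it needs network access, an ACME account and an editable DNS zone. The hostname `ap.example.com` and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: keep one private key on the access point
# and renew only the certificate by handing certbot a CSR bound to that key.
set -eu

WORKDIR="${WORKDIR:-./ap-cert}"                 # assumed working directory
PORTAL_HOST="${PORTAL_HOST:-ap.example.com}"    # assumed hostname

# Generate the long-lived key only if it is missing; never overwrite it, since
# the copy on the device must stay identical to the one the CSR is built from.
ensure_portal_key() {
    mkdir -p "$WORKDIR"
    if [ ! -s "$WORKDIR/portal.key" ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$WORKDIR/portal.key" 2>/dev/null
    fi
}

# A CSR bound to the existing key, with the hostname in subjectAltName.
make_portal_csr() {
    openssl req -new -sha256 -key "$WORKDIR/portal.key" \
        -subj "/CN=$PORTAL_HOST" \
        -addext "subjectAltName=DNS:$PORTAL_HOST" \
        -out "$WORKDIR/portal.csr"
}

# Pre-renewal check: does the CSR's public key match the installed key?
# Compares a digest of the PEM public key extracted from each. Returns 0 on match.
csr_matches_key() {
    k=$(openssl pkey -in "$WORKDIR/portal.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$WORKDIR/portal.csr" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# The issuance itself. With --csr certbot uses the key in the CSR instead of
# generating one, and writes the certificate and chain to the paths given.
# Not run automatically: needs network, an ACME account and a DNS record
# you can edit for the dns-01 challenge.
request_portal_cert() {
    certbot certonly --manual --preferred-challenges dns \
        --csr "$WORKDIR/portal.csr" \
        --cert-path "$WORKDIR/portal.crt" \
        --chain-path "$WORKDIR/chain.crt" \
        --fullchain-path "$WORKDIR/fullchain.crt"
}

ensure_portal_key
make_portal_csr
csr_matches_key && echo "CSR public key matches $WORKDIR/portal.key"
```

After `request_portal_cert` succeeds, only `fullchain.crt` needs to go to the device; `portal.key` is already there. Newer certbot releases also offer a `--reuse-key` option that keeps the key between renewals without a hand-built CSR, but as the answer says, the certificate file still changes every 90 days and has to be re-uploaded either way.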

Yeah, being as the owners are not very tech savvy, and I am not on retainer for them to continue working on it, I may not be able to use LetsEncrypt and may have to go to GoDaddy or another CA to get a longer lasting certificate. They were trying to avoid paying $200 a year for a certificate if they could, so I was trying to find a free alternative for them.

That does sound like a better option for now. Domain Validation certificates are typically $10/year nowadays, so that’s probably cheaper than having a sysadmin do this manually four times a year.

Hopefully Aruba will decide to add ACME/Let’s Encrypt support and solve this problem for good.


Okay, where do you recommend going for such a thing? The cheapest one I found on GoDaddy was 55/yr but it was limited. All it needs to do is be used for the captive portal and that's it, although I suppose if they get the $200 a year one, they could also use it on their entire website, since it also includes subdomains (e.g. whatever.domain.com).

I’ve used Namecheap in the past, but any Comodo or RapidSSL reseller will do (just about any medium to large web hosting company); prices are usually around $10/year/domain.
