How To Install LetsEncrypt SSL Certificates On Omada Controller

In this tutorial you will learn how to install LetsEncrypt SSL certificates for your Omada Controller hosted on Ubuntu 20.04.

Introduction

Omada Controller, TP-Link’s management interface for EAP devices, naturally becomes a crucial platform that benefits significantly from enhanced security measures.

In this tutorial, we will guide you through a detailed, step-by-step process of integrating Let’s Encrypt SSL certificates into your Omada Controller setup. Whether you’re a seasoned network administrator or a newbie just dipping your toes into network security, this guide is tailored to provide clarity and simplicity.

Let’s embark on this journey together, ensuring a safer and more secure Omada Controller experience for you!

Step 1: Generate Certificate

  1. First, install and refresh the core for snap:
snap install core; sudo snap refresh core
  2. Next, install certbot:
snap install --classic certbot
  3. Create a symbolic link for certbot:
ln -s /snap/bin/certbot /usr/bin/certbot
  4. Generate the certificate:
certbot certonly --standalone --preferred-challenges http -d youromadadomainhere.com

Step 2: Renew SSL Certificate Manually

(Note: skip the renew step the first time through; a certificate you have just issued has nothing to renew yet.)

  1. If renewing, use:
certbot renew
  2. Stop the Omada service:
systemctl stop omada.service
  3. Remove the existing certificate and keystore:
rm /opt/tplink/EAPController/keystore/eap.cer
rm /opt/tplink/EAPController/keystore/eap.keystore
  4. Copy the new certificate:
cp /etc/letsencrypt/live/youromadadomainhere.com/cert.pem /opt/tplink/EAPController/keystore/eap.cer
  5. Use OpenSSL to export the private key, certificate, and CA chain:
openssl pkcs12 -export -inkey /etc/letsencrypt/live/youromadadomainhere.com/privkey.pem \
-in /etc/letsencrypt/live/youromadadomainhere.com/cert.pem \
-certfile /etc/letsencrypt/live/youromadadomainhere.com/chain.pem \
-name eap -out patrick.p12 -password pass:tplink
  6. Finally, use the Java keytool to import the PKCS#12 format key and certificates into the Java keystore:
keytool -importkeystore -deststorepass tplink \
-destkeystore /opt/tplink/EAPController/keystore/eap.keystore \
-srckeystore patrick.p12 -srcstoretype PKCS12 -srcstorepass tplink

Please remember to replace youromadadomainhere.com with your actual domain. Always back up any files or configurations before making changes, and verify after each step to ensure smooth operation.


Step 3: Start Service

systemctl start omada.service

Step 4: Automate SSL Certificate Renewal With Cron Job

To renew your SSL certificate and repeat the steps above every month, add a cron job to the root user's crontab.

First, open the crontab:

sudo crontab -e

This will open the crontab file in the default editor (typically nano or vi, depending on the system setup). Once opened, you can add your cron job.

For the purpose of clarity, I’ll break down the process into smaller steps:

1: Choose a time for the renewal. For instance, if you want it to run at 3am on the first day of every month, your cron time syntax will be 0 3 1 * *.

2: Add each of your commands. Note that it’s important to specify full paths to executables in cron jobs because the cron environment is more limited than your regular shell.

Here’s what your cron job might look like:

0 3 1 * * /usr/bin/certbot renew --quiet && systemctl stop omada.service && rm /opt/tplink/EAPController/keystore/eap.cer && rm /opt/tplink/EAPController/keystore/eap.keystore && cp /etc/letsencrypt/live/youromadadomainhere.com/cert.pem /opt/tplink/EAPController/keystore/eap.cer && openssl pkcs12 -export -inkey /etc/letsencrypt/live/youromadadomainhere.com/privkey.pem -in /etc/letsencrypt/live/youromadadomainhere.com/cert.pem -certfile /etc/letsencrypt/live/youromadadomainhere.com/chain.pem -name eap -out patrick.p12 -password pass:tplink && keytool -importkeystore -deststorepass tplink -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -srckeystore patrick.p12 -srcstoretype PKCS12 -srcstorepass tplink

3: Save and exit the editor (if using nano, you’d press CTRL + X to exit, press Y to confirm changes, and then Enter).

Your cron job is now set and will run at the specified time. Run the same command chain manually once before relying on the schedule, so that any errors surface while you are watching.

Also, always replace youromadadomainhere.com with your actual domain.
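Added example, not from the original post: the same renewal steps written as a certbot deploy hook, which certbot runs only after a renewal actually replaced the certificate, and which starts the controller again even when a step fails (the cron line above leaves it stopped on any error). It assumes certbot's RENEWED_LINEAGE variable (the /etc/letsencrypt/live/<domain> directory certbot exports to deploy hooks), a hypothetical install path of /usr/local/bin/omada-deploy.sh registered with `certbot certonly ... --deploy-hook /usr/local/bin/omada-deploy.sh`, and the two keystore locations mentioned on this page (with and without /data).

```shell
#!/bin/sh
# omada-deploy.sh (hypothetical path: /usr/local/bin/omada-deploy.sh)
# Added example: certbot deploy hook that reimports a renewed certificate into
# the Omada keystore. certbot sets RENEWED_LINEAGE to the live/<domain> dir.
set -eu
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin  # hooks get a minimal environment

# Print the keystore directory under the given controller root. Newer
# controller builds keep it under data/ (see the comments on this page).
resolve_keystore_dir() {
  root=$1
  for d in "$root/data/keystore" "$root/keystore"; do
    if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
  done
  echo "no keystore directory found under $root" >&2
  return 1
}

# Stop the controller only for the swap and always start it again, even if
# openssl or keytool fails, so a bad renewal never leaves the controller down.
deploy_omada_cert() {
  lineage=$1
  ks=$(resolve_keystore_dir "${OMADA_ROOT:-/opt/tplink/EAPController}")
  p12=$(mktemp)   # 0600 temp file; it holds the private key until removed
  trap 'rm -f "$p12"; systemctl start omada.service' EXIT
  systemctl stop omada.service
  if [ -f "$ks/eap.keystore" ]; then
    cp -a "$ks/eap.keystore" "$ks/eap.keystore.bak"   # rollback copy
  fi
  openssl pkcs12 -export -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
    -certfile "$lineage/chain.pem" -name eap -out "$p12" -password pass:tplink
  cp "$lineage/cert.pem" "$ks/eap.cer"
  rm -f "$ks/eap.keystore"
  keytool -importkeystore -noprompt -deststorepass tplink \
    -destkeystore "$ks/eap.keystore" -srckeystore "$p12" \
    -srcstoretype PKCS12 -srcstorepass tplink
  # Confirm the 'eap' entry exists before the controller is started again.
  keytool -list -keystore "$ks/eap.keystore" -storepass tplink -alias eap >/dev/null
}

# certbot only exports RENEWED_LINEAGE when a certificate was really renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_omada_cert "$RENEWED_LINEAGE"
fi
```

Once the hook is registered, a plain `certbot renew` (interactive or scheduled) triggers it, so the monthly cron line is no longer needed.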

I hope this article was helpful. If you have any questions, please feel free to contact me. If you would like to be notified when I create a new post, you can subscribe to my blog alert.


Patrick Domingues

8 Comments

  1. Great simple writeup. Thank you, worked a treat.

    Note on Ubuntu 20.

    Keystore folder is
    /opt/tplink/EAPController/data/keystore/

    Also, the systemctl command didn't start/stop Omada, so I used:
    - tpeap stop
    - tpeap start

  2. Can you update this?
    For me it is not working from step 2.

    I'm running it on Ubuntu 20.04 with the newest version of the Omada Controller.

      1. Thanks Patrick!
        For anyone else who finds this, I recommend adding the start command to the cron: "&& systemctl start omada.service"
        And I had to edit my keystore paths to include /data, as another commenter found.
        Worked perfectly aside from that!

  3. Amended Step 4’s cron job.
    This is what works for me.

    /usr/bin/certbot renew --quiet && systemctl stop omada.service && rm /opt/tplink/EAPController/data/keystore/eap.cer && rm /opt/tplink/EAPController/data/keystore/eap.keystore && cp /etc/letsencrypt/live/Yourdomainname.com/cert.pem /opt/tplink/EAPController/data/keystore/eap.cer && openssl pkcs12 -export -inkey /etc/letsencrypt/live/Yourdomainname.com/privkey.pem -in /etc/letsencrypt/live/Yourdomainname.com/cert.pem -certfile /etc/letsencrypt/live/Yourdomainname.com/chain.pem -name eap -out patrick.p12 -password pass:tplink && keytool -importkeystore -deststorepass tplink -destkeystore /opt/tplink/EAPController/data/keystore/eap.keystore -srckeystore patrick.p12 -srcstoretype PKCS12 -srcstorepass tplink && systemctl start omada.service

  4. Absolutely works like a charm, great post. For anyone working on renewal stuff, using the certbot renewal_hook in the <>.conf file works really well, that way it only runs if the renewal works.
