Deploy ACME certificates to HP Aruba IAP

  • 1.  Deploy ACME certificates to HP Aruba IAP

    Posted Oct 31, 2017 11:06 AM

    Greetings,

    I recently purchased a pair of IAP-215's and wanted to automatically deploy ACME (Let's Encrypt) certificates for the user-interface and captive-portal.

    Below, I'm sharing my solution, hopefully it may help others.
    ------
    I quickly learned that Aruba CLI commands can't be issued remotely over an SSH session via stdin, so an interactive scripting tool like 'expect' or 'empty' is needed. I used 'empty'.

    I use the shell based ACME client acme.sh.

    Requirements:

    - Linux system with 'empty' command and SSH client access to Aruba IAP

    - TFTP server on same system, reachable by Aruba IAP

    - acme.sh client and openssl

    Tested with Aruba Instant Version 6.5.4.3

    The core of the solution is this script I created:
    https://gist.github.com/abelbeck/09078d360b361ceeacf08ccaa136e166

    The passed arguments are the same as acme.sh uses for deploy scripts:
    Arguments: acme-deploy-custom.script domain key_file cert_file ca_file fullchain_file

    BTW, in our open source project, we include a "custom" deploy script for acme.sh:
    https://github.com/astlinux-project/astlinux/commit/6804ed975ce35f500f99159e295c3d8944ebf5d7

    Or you could include the acme-deploy-custom.script in acme.sh as deploy/aruba-iap.sh or such.

    Hope this helps someone.

    Lonnie



  • 2.  RE: Deploy ACME certificates to HP Aruba IAP

    Posted May 15, 2018 01:12 PM

    Thank you for sharing this in the community! It's hard to believe how few resources are available on the internet for such a great tool as Let's Encrypt. Hopefully more people will come across this post and benefit from it.

    Do you think it could be possible to do the same with a Controller? Today I don't have too much time, but this is surely something worth digging into.

    In the next few days I'll give it a shot on a 72XX with AOS 8.

    Hopefully my lack of programming skills won't be a huge deal.

    Again, thank you.



  • 3.  RE: Deploy ACME certificates to HP Aruba IAP

    Posted May 15, 2018 03:02 PM

    > Do you think it could be possible to do the same with a Controller?

    I'm not familiar with the Controller firmware, but there may well be similarities.

    For the record, the solution outlined here has been working very nicely; a few Let's Encrypt certificate renewals have occurred and worked as expected.

    Good luck.



  • 4.  RE: Deploy ACME certificates to HP Aruba IAP

    EMPLOYEE
    Posted May 16, 2018 09:13 AM

    You can purchase a 1 year certificate for $4.99

     

    LetsEncrypt is not feasible for network gear in most environments and is not recommended.



  • 5.  RE: Deploy ACME certificates to HP Aruba IAP

    Posted May 16, 2018 10:23 AM

    @

     

     



  • 6.  RE: Deploy ACME certificates to HP Aruba IAP

    Posted May 16, 2018 01:56 PM

    I support the fact that they give something that is usually not free, for free. It would be nice to have official support for it. I've seen that they list Cisco as one of their supporters, so there's nothing stopping HP from doing the same.

    When more colleagues come over I will dig into the matter and report back; hopefully this does not infringe any rule over here.

    Nevertheless, thank you @cappalli for the heads up; of course for a professional design $5 per year is meaningless. I will be trying this out only in a test environment.



  • 7.  RE: Deploy ACME certificates to HP Aruba IAP

    EMPLOYEE
    Posted May 16, 2018 03:51 PM

    I can't speak for HP, only Aruba, but we do not have any direct plans to add support for LetsEncrypt. There are much better solutions that are being evaluated that are designed for enterprise usage.

     

    Also just a point of clarity. Cisco supports the project but does not have native support in their network and security products.



  • 8.  RE: Deploy ACME certificates to HP Aruba IAP

    Posted Feb 03, 2019 06:11 PM

    A Followup after upgrading to 8.3.0.5 ...

     

    Note the suggested syntax 'copy tftp' verbs ui,cp have changed to uiserver,cpserver respectively, but ui,cp are still supported.

     

    There is a bug in 8.3.0.5 where the uploaded certificate check uses the current timezone date/time to test against the GMT time of the newly minted certificate.  Those of us with a negative timezone offset are affected.

     

    Example Failure:

    a8:bd:27:ff:ff:ff# copy tftp 10.10.50.64 aruba-iap.pem uiserver cert pass format pem
    Validate certificate date failed
    Cert file check fail

    The only solution to do this automatically is to set the IAP with no timezone offset.

    clock timezone none 00 00

    This works around the issue with 8.3.0.5
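
The date check described in this post can be modelled before an upload is attempted. The script below is an added example, not part of the original post or of the deploy script it refers to; it assumes the AP reads its local wall-clock time as if it were GMT when comparing against the certificate's notBefore, and its function names and file name are hypothetical.

```shell
#!/bin/sh
# Added example: model of the 8.3.0.5 upload date check described in the post above.
# Function names are hypothetical. Times are Unix epoch seconds (UTC).
# Assumption: the AP reads its local wall-clock time as if it were GMT.

# $1 = current time (epoch)  $2 = AP timezone offset in minutes (-360 = UTC-6)
ap_check_clock() {
    echo $(( $1 + $2 * 60 ))
}

# Succeeds when the modelled check accepts the certificate.
# $1 = now (epoch)  $2 = certificate notBefore (epoch)  $3 = offset in minutes
upload_would_pass() {
    [ "$(ap_check_clock "$1" "$3")" -ge "$2" ]
}

# Seconds until the check passes with the timezone left unchanged (0 = now).
seconds_until_accepted() {
    delay=$(( $2 - $(ap_check_clock "$1" "$3") ))
    [ "$delay" -gt 0 ] || delay=0
    echo "$delay"
}

# notBefore of a PEM certificate as epoch seconds (needs openssl and GNU date).
cert_not_before_epoch() {
    start=$(openssl x509 -in "$1" -noout -startdate) || return 1
    date -u -d "${start#notBefore=}" +%s
}

# Usage (hypothetical file name): sh check-iap-date.sh aruba-iap.pem -360
if [ "$#" -eq 2 ]; then
    nb=$(cert_not_before_epoch "$1") || exit 2
    now=$(date -u +%s)
    if upload_would_pass "$now" "$nb" "$2"; then
        echo "date check should pass: run copy tftp now"
    else
        echo "date check would fail: retry in $(seconds_until_accepted "$now" "$nb" "$2")s"
        echo "or set the AP to 'clock timezone none 00 00' first"
        exit 1
    fi
fi
```

Run from the deploy hook before the `copy tftp` step, a non-zero exit lets the hook defer the upload instead of leaving the AP on the old certificate after a silent failure.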



  • 9.  RE: Deploy ACME certificates to HP Aruba IAP

    Posted Feb 20, 2020 04:11 AM

    Hi, we are trying to use Let's Encrypt certificates so we need to script the replacement of these certs. We wanted to try abelbeck's script but it looks like the GitHub link is dead. Would anyone have a copy of this script or another one that can send commands to the VC?

    Thanks!



  • 10.  RE: Deploy ACME certificates to HP Aruba IAP

    Posted Feb 20, 2020 07:48 AM

    > We wanted to try abelbeck's script but it looks like the github link is dead.

     

    The github link works for me.

     

    This solution is still working for me in production, but keep in mind that the script will not be plug-n-play for most, but hopefully a good start.



  • 11.  RE: Deploy ACME certificates to HP Aruba IAP

    Posted Feb 20, 2020 08:34 AM

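    Yes, it looks like the links were down for a few days. I did my own script, which is easy to use (with the expect method that you suggest):

    #######################################

    #!/usr/bin/expect
    # The SSH password is stored here in clear text: restrict this file to its owner.
    set password passwordforssh
    set login admin
    set ip ipofcluster

    spawn ssh -l $login $ip
    # Wait for the end of the "Password: " prompt, then authenticate
    expect "ord\\: "
    send "$password\r"
    set handle [open commandfile.txt r]
    # gets returns -1 at end of file, so no empty command is sent after the last line
    while { [gets $handle buf] >= 0 } {
        # The IAP CLI prompt ends in "# " (see the failure example earlier in the thread)
        expect "# "
        send "$buf\r"
    }
    close $handle
    # Let the last command finish before closing the session
    expect "# "
    exit

    ################################

    You just have to create a file named commandfile.txt and put every command that you want to send to the AP in this file.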

    In this case :

    copy tftp ipofTFTPsrv nameoftheserv cpserver cert password

    Hope this helps someone

     

    And thanks, Abelbeck!



  • 12.  RE: Deploy ACME certificates to HP Aruba IAP

    Posted Jan 03, 2021 10:57 PM

    Thanks abelbeck, this is awesome.

    I had a free hour or so, so I implemented this in Tcl: https://gist.github.com/jwm/63f3de53ca011def3a7c4b90925446b9

    I wanted to avoid installing empty. Building it isn't a big deal, but it's not packaged for Debian, and it was a fun exercise. Thanks again!



    ------------------------------
    John Morrissey
    ------------------------------