New Contributor

Deploy ACME certificates to HP Aruba IAP

Greetings,

I recently purchased a pair of IAP-215s and wanted to automatically deploy ACME (Let's Encrypt) certificates for the user-interface and captive-portal.

Below, I'm sharing my solution; hopefully it may help others.
------
I quickly learned that Aruba CLI commands can't be issued over an SSH session via stdin remotely, so some interactive scripting tool like 'expect' or 'empty' is needed; I used 'empty'.

I use the shell based ACME client acme.sh.

Requirements:

- Linux system with 'empty' command and SSH client access to Aruba IAP

- TFTP server on same system, reachable by Aruba IAP

- acme.sh client and openssl

Tested with Aruba Instant Version 6.5.4.3

The core of the solution is this script I created:
https://gist.github.com/abelbeck/09078d360b361ceeacf08ccaa136e166

The passed arguments are the same as acme.sh uses for deploy scripts:
Arguments: acme-deploy-custom.script domain key_file cert_file ca_file fullchain_file

BTW, in our open source project, we include a "custom" deploy script for acme.sh:
https://github.com/astlinux-project/astlinux/commit/6804ed975ce35f500f99159e295c3d8944ebf5d7

Or you could include the acme-deploy-custom.script in acme.sh as deploy/aruba-iap.sh or such.

Hope this helps someone.

Lonnie
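
Added example (not part of the original post and not the code in the linked gist): the staging half of a deploy hook that takes the same five arguments, checks that the key matches the certificate, and writes a single PEM bundle into the TFTP root for the AP to fetch. The `TFTP_ROOT` path, the function names and the bundle layout (full chain followed by the private key) are assumptions, and the Aruba CLI step is left as a placeholder because its commands are not shown on this page.

```shell
#!/bin/sh
# Added example, not the gist's code. Arguments follow the post:
#   domain key_file cert_file ca_file fullchain_file
# Assumptions: TFTP_ROOT path; bundle layout (full chain, then private key).
TFTP_ROOT="${TFTP_ROOT:-/srv/tftp}"

# Print the PEM public key contained in a private key or a certificate.
pubkey_of() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
    cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
  esac
}

# Validate the acme.sh outputs and write one PEM bundle into the TFTP root.
# Prints the bundle path. Returns 1 (missing input), 2 (key/cert mismatch),
# 3 (certificate expires within a day) or 4 (write failed).
stage_bundle() {
  domain=$1 key=$2 cert=$3 ca=$4 fullchain=$5   # ca is unused: fullchain already has it
  for f in "$key" "$cert" "$fullchain"; do
    [ -r "$f" ] || { echo "missing input: $f" >&2; return 1; }
  done
  kp=$(pubkey_of key "$key") || kp=
  cp=$(pubkey_of cert "$cert") || cp=
  [ -n "$kp" ] && [ "$kp" = "$cp" ] || { echo "key does not match certificate" >&2; return 2; }
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null || { echo "certificate near expiry" >&2; return 3; }
  bundle="$TFTP_ROOT/$domain.pem"
  # Write to a temp name and rename, so the device never fetches a partial file.
  cat "$fullchain" "$key" > "$bundle.tmp" && mv "$bundle.tmp" "$bundle" || return 4
  echo "$bundle"
}

if [ "$#" -eq 5 ]; then
  staged=$(stage_bundle "$@") || exit $?
  # TFTP has no authentication or encryption: anyone who can reach the server
  # can read the private key while it is staged, so delete it on every exit path.
  trap 'rm -f "$staged"' EXIT
  # Device step goes here: drive the IAP's SSH CLI interactively (the post uses
  # 'empty') so the AP pulls "${staged##*/}" from this host. The CLI commands
  # are not shown on this page and are left out.
fi
```

Keeping the TFTP server bound to the management network only, in addition to the cleanup trap, limits who can fetch the key during the transfer window.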

Occasional Contributor I

Re: Deploy ACME certificates to HP Aruba IAP

Thank you for sharing this in the community! It's hard to believe how few resources are available on the internet for such a great tool like Let's Encrypt. Hopefully more people can come across this post and benefit from this.

Do you think it could be possible to do the same with a Controller? Today I don't have too much time, but this is surely something worth digging into.

In the coming days I'll give it a shot on a 72XX with AOS 8.

Hopefully my lack of programming skills won't be a huge deal.

Again, thank you.

New Contributor

Re: Deploy ACME certificates to HP Aruba IAP

Do you think it could be possible to do the same with a Controller?

 

I'm not familiar with the Controller firmware, but there may well be similarities.

For the record, the solution outlined here has been working very nicely; a few Let's Encrypt certificate renewals have occurred and worked as expected.

Good luck.

Guru Elite

Re: Deploy ACME certificates to HP Aruba IAP

You can purchase a 1 year certificate for $4.99

 

LetsEncrypt is not feasible for network gear in most environments and is not recommended.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Deploy ACME certificates to HP Aruba IAP

@

 

 

Occasional Contributor I

Re: Deploy ACME certificates to HP Aruba IAP

I support the fact that they give something that is usually not free, for free. It would be nice to have official support for it. I've seen that they list Cisco as one of their supporters, so there's nothing stopping HP from doing the same.

When more colleagues come over I will dig into the matter and report back; hopefully this does not infringe any rule over here.

Nevertheless, thank you @cappalli for the heads up. Of course, for a professional design $5 per year is meaningless. I will be trying this out only in a test environment.

Guru Elite

Re: Deploy ACME certificates to HP Aruba IAP

I can't speak for HP, only Aruba, but we do not have any direct plans to add support for LetsEncrypt. There are much better solutions that are being evaluated that are designed for enterprise usage.

 

Also just a point of clarity. Cisco supports the project but does not have native support in their network and security products.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480