The problem was that I had to do write_memory twice. Once after the certificate was uploaded, and again in the end after changing the certificate:
Original Message:
Sent: Dec 22, 2023 01:50 PM
From: jonlar
Subject: Upload certificate to Mobility Conductor / Controllers
Never mind, it doesn't seem to matter where you change it. It replaces it in both places. I just remember I had some trouble changing the cert from the profile section a while back.
But I get this error when I try to deploy: "Certificate either expired or not found in path /mm".
I can see the certificates under "certificates" on each mobility controller on the mobility master, so not sure what the issue is.
Original Message:
Sent: Dec 22, 2023 11:27 AM
From: jonlar
Subject: Upload certificate to Mobility Conductor / Controllers
I think you need to change the web UI cert via Admin -> Admin Authentication Options -> Server certificate
This will update it in the profile as well.
Log from the web UI if I change it through Admin Authentication Options manually:
Controller mobility-ctrl01 in Managed Network > XXXXX > XXXXXX
System > Admin > Admin Authentication Options:
Server certificate = mobility-ctrl01-2023-64.pfx
Authentication = Disabled
System > Profiles > Other Profiles > Web Server Configuration:
Switch Certificate = mobility-ctrl01-2023-64.pfx
Additional changes from CLI
However, I have a hard time navigating through the API to find the correct place to set this.
Original Message:
Sent: Dec 22, 2023 09:23 AM
From: Herman Robers
Subject: Upload certificate to Mobility Conductor / Controllers
Ah, I didn't realize, but that is what I did in my lab.
In order to apply the certification you would need the /v1/configuration/object/httpd_wrap_prof
{ "cp_cert": { "captive-portal-cert": certname }} does the captive portal certificate.
I haven't tested, but the Web UI cert should be { "switch_cert": { "switch-cert": certname }} ; but check the httpd_wrap_prof object for confirmation.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Dec 22, 2023 07:25 AM
From: jonlar
Subject: Upload certificate to Mobility Conductor / Controllers
I've made some changes to the solution. Here everything is done towards the Mobility Master. You need to specify the path for each controller. The path can be found by typing "cd ?" when logged into the Mobility Master with SSH.
{{url_mm}}/v1/configuration/object/copy_tftp_flash?config_path=%2Fmd%2FMyCompany%2FMyLocation%2F00:00:00:00:00:00
{{url_mm}}/v1/configuration/object/crypto_pki_import_cert?config_path=%2Fmd%2FMyCompany%2FMyLocation%2F00:00:00:00:00:00
{{url_mm}}/v1/configuration/object/crypto_local_pki_cert?config_path=%2Fmd%2FMyCompany%2FMyLocation%2F00:00:00:00:00:00
{{url_mm}}/v1/configuration/object/write_memory?config_path=%2Fmd%2FMyCompany%2FMyLocation%2F00:00:00:00:00:00
(config_path might not be needed on that last one)
However, there is one last step that I'm missing, and that is to configure the Web Server with the new certificate that has been uploaded. I can't find any API endpoints that configure the Web Server.
If I try to upload a certificate with the same name as before, I get an error that says that a certificate with that name already exists (it's the second API request above that gives the error).
Original Message:
Sent: Dec 14, 2023 06:51 AM
From: jonlar
Subject: Upload certificate to Mobility Conductor / Controllers
Big thanks to my colleague olehaa who figured this out and posted the solution :)
Original Message:
Sent: Dec 13, 2023 11:53 AM
From: Herman Robers
Subject: Upload certificate to Mobility Conductor / Controllers
Awesome info, works like a charm... using ftp instead of scp to avoid putting scp credentials in the script, but with these steps it works nicely!
Original Message:
Sent: Dec 11, 2023 02:20 AM
From: olehaa
Subject: Upload certificate to Mobility Conductor / Controllers
First you will have to upload the certificate to the controller's flash using {{url_md}}/v1/configuration/object/copy_scp_flash
Second you will have to install the certificate on the controller using {{url_md}}/v1/configuration/object/crypto_pki_import_cert
With this body:
{
  "format": "pkcs12",
  "cert": "ServerCert",
  "name": "<display_name_of_certificate>",
  "filename": "newcert.pfx",
  "passphrase": "************"
}
Results
},
"_global_result": {
"status": 0,
"status_str": "Success",
"_pending": false
}
Last, if the controller is managed by a Conductor, you will have to set the new certificate with the following API call to the Conductor
{{url_mm}}/v1/configuration/object/crypto_local_pki_cert
Body:
{
  "cert_type": "ServerCert",
  "name": "ctrl-01",
  "filename": "domain.pfx"
}
Results:
},
"_global_result": {
"status": 0,
"status_str": "Success",
"_pending": false
}
In short, you cannot upload and set the new certificate in one all-in-one command, crypto_local_pki_cert.
You will have to 1. upload with scp/ftp/tftp, 2. install the certificate on the controller, and 3. configure the Conductor (which in turn configures the controller to use the new certificate).
Remember to commit pending changes:
{{url_mm}}/v1/configuration/object/write_memory
Body:
{
  "action": "commit"
}
Original Message:
Sent: Nov 17, 2023 10:34 AM
From: jonlar
Subject: Upload certificate to Mobility Conductor / Controllers
I'm using the REST API for Mobility Master, trying to automate cert-renewal.
I am able to get a list of existing certificates, but when I try to use post, it doesn't work.
I'm using this API request:
https://mobilitymaster:4343/v1/configuration/object/crypto_local_pki_cert?config_path=%2Fmd%2FLocation%2F00:00:00:00:00:00
body = {'cert_type':"ServerCert","name":"testcert","filename":"certificate.pfx"}
However, the certificate itself is not attached to this request, and I don't know how to add it.
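Added example, not part of the thread and not Aruba's code: the call order the posts arrive at (import, assign, write_memory, web server certificate, write_memory again), with a runner that stops at the first non-success `_global_result` so nothing is committed after a failed import. The flash copy step is left out because the thread does not give its body; the certificate name `ctrl-01-2024`, the `PFX_PASSPHRASE` environment variable, the fake controller and the failure reply are constructed assumptions, and the `httpd_wrap_prof` body is the one reported as untested above.

```python
import json
import os
from urllib.parse import quote

BASE = "/v1/configuration/object/"

def build_plan(cert_name, pfx_file, passphrase):
    """Ordered (object, body) calls; the file is assumed to be on flash already."""
    commit = ("write_memory", {"action": "commit"})
    return [
        ("crypto_pki_import_cert", {"format": "pkcs12", "cert": "ServerCert",
                                    "name": cert_name, "filename": pfx_file,
                                    "passphrase": passphrase}),
        ("crypto_local_pki_cert", {"cert_type": "ServerCert", "name": cert_name,
                                   "filename": pfx_file}),
        commit,  # first write_memory, after the certificate is in place
        # Body reported as untested in the thread; verify against httpd_wrap_prof.
        ("httpd_wrap_prof", {"switch_cert": {"switch-cert": cert_name}}),
        commit,  # second write_memory, after changing the web server certificate
    ]

def url_for(obj, config_path):
    # Encode "/" but keep ":" so the path matches the form used in the thread.
    return BASE + obj + "?config_path=" + quote(config_path, safe=":")

def run(plan, config_path, send):
    """send(url, body_json) -> dict is the caller's authenticated HTTPS POST."""
    done = []
    for obj, body in plan:
        result = send(url_for(obj, config_path), json.dumps(body)).get("_global_result", {})
        if result.get("status") != 0:  # assumption: non-zero status means failure
            # Report object and status only; the body holds the PFX passphrase.
            raise RuntimeError(f"{obj}: {result.get('status_str')}; completed: {done}")
        done.append(obj)
    return done

def make_fake_send(existing_names):
    """Constructed stand-in for the Conductor: refuses an import whose name exists."""
    calls = []
    def send(url, body_json):
        calls.append(url)
        if "crypto_pki_import_cert" in url and json.loads(body_json)["name"] in existing_names:
            return {"_global_result": {"status": 1, "status_str": "constructed: name exists"}}
        return {"_global_result": {"status": 0, "status_str": "Success", "_pending": False}}
    return send, calls

if __name__ == "__main__":
    plan = build_plan("ctrl-01-2024", "newcert.pfx", os.environ.get("PFX_PASSPHRASE", ""))
    send, calls = make_fake_send(set())
    print(run(plan, "/md/MyCompany/MyLocation/00:00:00:00:00:00", send), *calls, sep="\n")
```

Reading the passphrase from the environment keeps it out of the script, and the error path never echoes the request body.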