MarkGodwin / tplink-omada-api

MIT License

Certificate installation and renewal #42

Closed RanchoHam closed 1 month ago

RanchoHam commented 3 months ago

As a long-time C/C++ programmer I know just enough about Python to be extremely dangerous. In spite of that handicap, I have gotten the sample_client.py working to list all of my site devices, but I don't see any clues as to how to install or renew a TLS certificate.

Has that part of the API been coded yet?

MarkGodwin commented 3 months ago

No, sorry, updating the certificate via the API wrapper isn't a feature we have yet.

It's probably not extremely hard to add - however, at the moment I can't renew certs even through the web interface because it doesn't seem to support the certificates I get out of Let's Encrypt any more. I haven't investigated why yet.

I also only know just enough about Python to be extremely dangerous... If you want to have a go at adding the feature, please do! The Omada API documentation is incomplete, so you might have to observe what the web interface does and duplicate that.

I can see value in adding this support, so I will probably get round to doing it eventually.

RanchoHam commented 3 months ago

I am using a private SmallStep CA on a RPi4 to generate my certs. I have noticed that even though the web interface claims to allow the PEM format for both the cert and the key, I must convert my PEM certs to PFX format using OpenSSL, which then uploads just fine to my OC200.

MarkGodwin commented 3 months ago

Thanks. I tried pfx and it worked for me. The API for PFX upload seems pretty trivial. I will try to add support for it...

MarkGodwin commented 3 months ago

This feature has been added in 1.3.13. Please give it a try.

Note, I only had the patience to add .pfx support, given that I couldn't get .der format to work anyway. It wouldn't be hard to add other certificate formats if they could be shown to work. I'll leave that as an exercise for the reader...

MarkGodwin commented 3 months ago

sample_client.py is a very basic early test harness. Using the omada cli that is included in the package should get you somewhere a lot faster.

RanchoHam commented 1 month ago

Hey Mark,

OK, I have finally got a complete automatic cert renewal working for my OC200! Whooo-Hooo!

Cron executes a script at midnight and 6 am, thus making sure that the cert never expires before renewal. This script renews the certificate from my Smallstep private CA, converts it to .pfx, calls the cli to upload the renewed certificate, and finally calls the cli to reboot the machine.

Right now it has my machine names hard-coded in the script, but I am working on parameterizing the script and adding some documentation. I hope to post it here for possible inclusion in the repo.

Cheers, Rich
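The renewal pipeline Rich describes (Smallstep renewal, PEM to PFX conversion, upload through the package's cli, reboot), written out as an added example; this is not Rich's script and not code from tplink-omada-api. It assumes `step` and `openssl` are on PATH, that cron exports `PFX_PASSWORD`, and that the `omada set-certificate` and `omada reboot` sub-commands and their flags are assumptions to be checked against the installed cli's `--help`.

```shell
#!/bin/sh
# Added example, not the script from the thread and not part of tplink-omada-api.
# Assumes: `step` (Smallstep CLI) and `openssl` on PATH, PFX_PASSWORD exported
# by cron's environment, and `omada set-certificate` / `omada reboot` sub-commands
# whose names and flags are ASSUMED here and must be checked against `omada --help`.
set -eu

CERT=${CERT:-/etc/omada/oc200.crt}
KEY=${KEY:-/etc/omada/oc200.key}
PFX=${PFX:-/etc/omada/oc200.pfx}
MIN_SECONDS=$((7 * 24 * 3600))   # renew when less than 7 days of validity remain

# Succeeds when the certificate in $1 stays valid for at least $2 more seconds,
# so a twice-daily cron run only renews (and reboots the OC200) when needed.
cert_has_time_left() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Bundle a PEM certificate and key into PKCS#12, the format the OC200 accepts.
# The subshell keeps umask 077 local: the PFX contains the private key.
# With OpenSSL 3, add -legacy here if the controller rejects the default
# AES-based PFX encoding.
pem_to_pfx() {
    (umask 077 && openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout "pass:$4")
}

renew_and_upload() {
    : "${PFX_PASSWORD:?PFX_PASSWORD must be set}"
    if cert_has_time_left "$CERT" "$MIN_SECONDS"; then
        echo "certificate still valid; nothing to do"
        return 0
    fi
    step ca renew --force "$CERT" "$KEY"      # renew in place from the Smallstep CA
    pem_to_pfx "$CERT" "$KEY" "$PFX" "$PFX_PASSWORD"
    omada set-certificate --cert "$PFX" --password "$PFX_PASSWORD"  # ASSUMED command
    omada reboot                              # ASSUMED command; controller reloads cert on restart
}

# Run from cron as: sh renew-oc200-cert.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_and_upload
fi
```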