Kitz Forum

Computers & Hardware => Networking => Topic started by: Weaver on November 02, 2018, 04:07:48 AM

Title: TLS / https setup on WAP
Post by: Weaver on November 02, 2018, 04:07:48 AM
My web browser is now nagging me about TLS / https: when I want to administer my ZyXEL WAPs over http(s). It moans when I use different domain names, or when I use literal IPv4 addresses.

My ZyXEL NWA-3560-N WAPs have alternative DNS names set up: wap-01, wap01 and longwinded alternatives wap-01.mydomain.example.com for the first WAP, then wap-02 etc. The short forms, for convenience, are set up within my Firebrick router, which is the local on-LAN DNS server, and so these short names are only recognised when queried inside the LAN and queries are answered by the Firebrick. The longwinded name is defined in the real DNS by my main DNS servers and is visible on the internet.

There is a mountain of stuff in the WAP NWA-3560-N documentation which I don’t understand about certificates and I presume I would have to get stuck into this somehow in order to make https on the WAP work properly and make the browsers happy. I have no idea what I am doing with all of it.

Has anyone here ever done this successfully?

I have no idea how to fill in the stuff in the WAP UI relating to certificates, nor how to get a certificate. There is some mention of facilities provided by the WAP itself, if I am understanding the docs correctly, that will fetch a cert from the internet, and maybe this will get some server to generate an appropriate cert for you. There are also facilities to import a cert in a file into the WAP, but you have to have obtained that yourself somehow.

Another question: Is it possible to have TLS / https set up so that more than one domain name will be recognised as ok if a browser presents one of various alternative forms?

If anyone is very bored, the ZyXEL NWA 3560-N docs are at: ftp://ftp.zyxel.com/NWA3560-N/user_guide/NWA3560-N_.pdf

I read this
    https://www.globalsign.com/en/blog/certificates-for-internal-servers/
which says that I can’t now get a general browser-trusted real cert for a short name that is not a publicly recognised FQDN. I can see the reasoning. It is a bit of a nuisance though, especially if the IP address is not an RFC1918 one, a link-local one or some other kind of non-unique address.

The docs say that the WAPs can generate self-signed certs. I don’t know if a browser could just be made to shut up and no longer moan in future, having been told that one of these is always ok.

Title: Re: TLS / https setup on WAP
Post by: burakkucat on November 02, 2018, 05:56:48 PM
I won't be able to assist you in achieving your objective but will mention that my ZyXEL VMG1312-B10A has port 80 disabled, thus a GUI connection can only be made via port 443. I had to add an exception for the device within Firefox as the VMG1312-B10A only offered a self-signed certificate.

Title: Re: TLS / https setup on WAP
Post by: Weaver on November 02, 2018, 08:37:38 PM
I was playing around with openssl on the Raspberry Pi, but got completely lost. I am wondering if I just set up Safari once so that it would recognise a range of devices as all being ok, without having to individually tell it over and over again that each one of my devices is actually not evil.
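
Added example, not part of the original thread: one way to address both questions above (several names accepted for one device, and trusting a range of devices once) is a private CA whose certificate is imported into the browser or OS trust store a single time, with each WAP issued a certificate that lists all of its names in subjectAltName. The directory and file names and the address 192.0.2.10 are assumptions; whether the WAP accepts an externally generated key and certificate depends on the device and its user guide.

```shell
#!/bin/sh
# Added example. Paths are assumptions; host names are those from the post.

# make_ca DIR: create the private CA once. ca.key signs everything the
# browser will then trust, so keep it off the WAPs and readable only by you.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    [ -f "$dir/ca.crt" ] && return 0
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home LAN private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# issue_cert DIR NAME [ALT...]: issue one server certificate valid for every
# name given. Names made only of digits and dots become IP: entries.
issue_cert() {
    dir=$1; shift
    cn=$1; san=""
    for n in "$@"; do
        case $n in *[!0-9.]*) kind=DNS ;; *) kind=IP ;; esac
        san="${san:+$san,}$kind:$n"
    done
    printf 'subjectAltName = %s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
        "$san" > "$dir/$cn.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$cn.ext" -out "$dir/$cn.crt" 2>/dev/null
}

# cert_sans DIR NAME: verify the chain against the CA, then print the SAN list.
cert_sans() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null &&
    openssl x509 -in "$1/$2.crt" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
# Usage: make_ca ./lan-ca && issue_cert ./lan-ca wap-01.mydomain.example.com wap-01 wap01 192.0.2.10
```

Only `ca.crt` is imported into the client trust store; the per-device `.key` and `.crt` go to the WAP it was issued for.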