Instant On - Wired

  • 1.  Connect via ssh to Aruba 1960

    Posted 07-16-2024 01:14 PM

    Hello,
    Please clarify, is it possible to connect via ssh to Aruba Instant On 1960 12XGT 4SFP to update the ssl certificate?

    Thanks in advance.



    ------------------------------
    Arthur Butko
    ------------------------------


  • 2.  RE: Connect via ssh to Aruba 1960

    Posted 07-17-2024 06:51 PM

    Hi,

    Sadly ssh is not supported on "instant on" switches :(



    ------------------------------
    Travis Thorne
    ------------------------------



  • 3.  RE: Connect via ssh to Aruba 1960

    Posted 07-19-2024 05:32 AM

    Hi @travatine
    Thanks for the reply.

    Then how do I import the ssl certificate?
    I have the .crt and the private .key, but it doesn't have a public .key, and it is not loaded via the web interface.



    ------------------------------
    Arthur Butko
    ------------------------------



  • 4.  RE: Connect via ssh to Aruba 1960

    Posted 07-19-2024 09:37 AM
    Edited by travatine 07-19-2024 12:43 PM

    Hi,

    I use the following steps to manually import "Let's Encrypt SSL Certificates" with my two Aruba 1830 switches.

    • Purchase a domain name
    • Use Certbot or a similar program to obtain a certificate, which results in the following files :
      • ca.pem  
      • cert.pem  
      • fullchain.pem  
      • key.pem  
    • Create a public key from the private key, using the following:
      • openssl rsa -in key.pem -pubout -out out.pubkey.pem -traditional
    • Convert the public key from pkcs#8 to pkcs#1 RSA format:
      • openssl rsa -in out.pubkey.pem -pubin -RSAPublicKey_out -out rsa.out.pubkey.pem
        • In "rsa.out.pubkey.pem", you should see "-----BEGIN RSA PUBLIC KEY-----
          ...
          -----END RSA PUBLIC KEY-----"
    • Open the Web GUI of your switch
    • Select Security, HTTPS Certificate, then click import certificate
    • Copy and paste cert.pem, public and private keys, click apply
    • Click the save button to persist changes
    • Your certificate should (hopefully) appear.

    Finally, close & re-open your web browser; your new certificate should get used.

    I use the following on my 1830s: GitHub - travatine/aruba-1830-cert-uploader: A tool to upload certificates to my aruba 1830 switches



    ------------------------------
    Travis Thorne
    ------------------------------



  • 5.  RE: Connect via ssh to Aruba 1960

    Posted 07-29-2024 10:56 AM

    Hi @travatine
    Thanks a lot.
    Please clarify, I am getting an error, do I need to convert the private key to rsa as well?


    After generating Certbot I have the following files:

    • cert.pem  
    • chain.pem  
    • fullchain.pem
    • privkey.pem


    ------------------------------
    Arthur Butko
    ------------------------------



  • 6.  RE: Connect via ssh to Aruba 1960

    Posted 07-29-2024 11:32 AM
    Edited by artcom13 07-29-2024 11:34 AM

    Hi,
    I converted the private key to rsa, it works now, but can certbot also generate a certificate for 365 days?

    • openssl rsa -in privkey.pem -out privkey_new.key -traditional

      Thanks! :)



    ------------------------------
    Arthur Butko
    ------------------------------
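
Added example, not part of the original thread and not code from travatine's uploader tool: a pre-flight check for the PEM files used in the import steps in post 4 and the private-key conversion in post 6. It reads each file's PEM label, confirms the DER structure underneath matches that label, and returns the thread's openssl command when the file is still in PKCS#8/SPKI form rather than PKCS#1. Assumptions: RSA keys as in the thread; the function names, the `.rsa` output suffix and the toy DER samples are constructed for this example.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
FIXES = {  # the thread's conversions to PKCS#1; the ".rsa" output name is a placeholder
    "PRIVATE KEY": "openssl rsa -in {f} -out {f}.rsa -traditional",
    "PUBLIC KEY": "openssl rsa -in {f} -pubin -RSAPublicKey_out -out {f}.rsa",
}
SHAPES = {  # tags of the first children of the outer DER SEQUENCE -> matching PEM label
    (0x02, 0x02): "RSA PUBLIC KEY",         # PKCS#1: n, e
    (0x02, 0x02, 0x02): "RSA PRIVATE KEY",  # PKCS#1: version, n, e, ...
    (0x30, 0x03): "PUBLIC KEY",             # SPKI: AlgorithmIdentifier, BIT STRING
    (0x02, 0x30, 0x04): "PRIVATE KEY",      # PKCS#8: version, algorithm, OCTET STRING
}

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_shape(der):  # PEM label whose structure this DER has, or "unknown"
    tag, pos, end = _tlv(der, 0)
    tags = []
    while tag == 0x30 and pos < end:  # walk the children of the outer SEQUENCE
        child, _, pos = _tlv(der, pos)
        tags.append(child)
    return SHAPES.get(tuple(tags[:3]), "unknown")

def check_pem(text, filename):  # -> (label, status, openssl fix command or None)
    m = PEM_RE.search(text)
    if not m:
        return None, "no PEM block", None
    try:
        shape = der_shape(base64.b64decode("".join(m.group(2).split())))
    except (IndexError, ValueError):  # truncated DER or invalid base64
        shape = "unknown"
    if shape != m.group(1):
        return m.group(1), "label/structure mismatch: " + shape, None
    fix = FIXES.get(shape)
    return shape, "convert" if fix else "ready", fix and fix.format(f=filename)

def toy_pem(label, der_hex):  # constructed sample: valid DER shape, not a real key
    body = base64.b64encode(bytes.fromhex(der_hex)).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(check_pem(toy_pem("PRIVATE KEY", "300a02010030020500040100"), "privkey.pem"))
```

The check looks only at the container structure, not at the key algorithm inside a PKCS#8 or SPKI wrapper, so it does not confirm that the key is RSA.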



  • 7.  RE: Connect via ssh to Aruba 1960

    Posted 11-13-2024 01:05 PM
    Hi @travatine,
     
    Is it still not supported now? Because I tried with the private/public key and it is not working. Btw, I'm on an Aruba 1830.


    ------------------------------
    Mehdi Mazari
    ------------------------------



  • 8.  RE: Connect via ssh to Aruba 1960

    Posted 11-13-2024 06:11 PM
    Edited by travatine 11-13-2024 06:20 PM

    Hi,

    A Let's Encrypt certificate works, but you need to manually upload a new certificate every two to three months.

    (Note: SSH management is not supported, and probably never will be, on any Instant On switch, 1830 or even 1960.)

    An alternative option is to use a self-signed certificate with up to 10-year expiry - you can import the self-signed certificate into your web browser & then you will not see errors about untrusted certificates.

    Using an isolated management VLAN & restricting access to the web interface in general is a good idea too; but that requires some additional configuration on each switch & your firewall(s).



    ------------------------------
    Travis Thorne
    ------------------------------