Provide REST API for certificate upload for GS1900 series switches (and more?)

coderjoe
coderjoe Posts: 10  Freshman Member
First Comment

Note: This is going to be a long and complicated description. If you would like to have a detailed discussion I am very interested. Please feel free to reach out privately.

I am trying to add support for GS1900 series switches to the opensource acme.sh project (https://github.com/acmesh-official/acme.sh) so that I can automate certificate management. My end goal is to get automatic certificate deployment working. A secondary goal once this is supported in acme.sh is to get support into the OPNSense acme.sh plugin for all GS1900 series switches.

I am making this work as a test on my own network by just simulating login to the web interface and simulating the various UI operations required to upload the file.

I am currently running into a few problems:

1. The switch login process is very complicated, since it goes through the web UI.

2. The file upload process is very complicated because it relies on browser style uploads.

3. The file upload appears to expect a verbatim binary upload of the certificate, and does not support URL encoding, which is complicating the implementation and giving the original author of the acme.sh project concerns about how I'm forced to implement.

In order to simplify this process I would like one of the following:

1. Preferred option: REST API for Certificate Upload

  • Located somewhere like /cgi-bin/restuploadcert.cgi
  • Only accessible over HTTPS
  • Accepts basic auth for user/password
  • Accepts a POST request
  • The body of the request must be a base64 encoded version of the pkcs12 certificate to upload
  • If successful it returns HTTP Status Code 200 (OK) with no body
  • If it failed with invalid user or password return HTTP Status code 403 (Forbidden) with no body
  • If it fails due to an invalid certificate return HTTP status code 400 (Bad Request) with the body of the response containing the reason for the failure

2. Alternative option: Update existing httpupload.cgi to support base64 encoding

  • Update the existing upload script at /cgi-bin/httpuploadcert.cgi
  • add an additional form element which allows you to specify if the file is base64 encoded or not (default to not)
  • If the base64 encoded option is set, assume the file being uploaded is a base64 encoded version of the pkcs12 certificate, and decode it before installing.
  • All other parts of the upload can continue as normal.
  • base64 encoding of the body is particularly important since that encoding method is supported internally by acme.sh already.

Either of these would greatly help me manage the switches under my control. This is going to become very important for me once once Google Chrome moves to its proposed 90 day (and possibly shorter in the future) certificate validity periods. (Source: https://www.digicert.com/blog/chromes-proposed-90-day-certificate-validity-period)

This upcoming change means I would have to either move to configuring private PKI for myself and my clients, or move to automated certificate deployment (which is my preference - hence my opensouce contribution).

Thank you very much for your consideration.

1 votes

Active · Last Updated

GS1900 cannot support due to device limitation

Comments

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,200  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security

    Hi @coderjoe

    Thank you for sharing your idea! Unfortunately, due to hardware limitations, the GS1900 series switches cannot support the REST API. Therefore, this feature cannot be implemented.

    We appreciate your understanding and welcome any other suggestions you may have!

    Kay

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • coderjoe
    coderjoe Posts: 10  Freshman Member
    First Comment
    edited December 20

    They already run a web server and already support file uploads from a browser. What hardware limitation is preventing a web API?

    If a web API isn't possible, could the website be updated to accept either a pks12 file format, or a separate private and public key in PEM format?