I’m using genieacs v1.2 and trying to setup my SSL properly now.
My two services cwmp and fs are working very well with my self-signed certs. I can verify that the traffic is encrypted by seeing the packets content on tcpdump and I can access both ports on my browser using https.
However one thing is failing regardless what I setup on my env variables.
The CWMP service is pointing the fs downloads to http://myserver.com:7567 instead of https://myserver.com:7567, hence, my CPE (mikrotik router) is failing to download the config files.
It all work very well when I remove GENIEACS_CWMP_SSL_CERT, GENIEACS_CWMP_SSL_KEY, GENIEACS_FS_SSL_CERT and GENIEACS_FS_SSL_KEY from /opt/genieacs/genieacs.env. But when I readd it, the encryption works well but it cwmp point to my FS hostname with HTTP and not HTTPS
Here’s the misleading packet:
"HTTP/1.1 200 OK
Content-Length: 819
Server: GenieACS/1.2.0-beta.0+20190730182732
SOAPServer: GenieACS/1.2.0-beta.0+20190730182732
Content-Type: text/xml; charset=“utf-8”
Date: Fri, 28 Aug 2020 23:23:04 GMT
Connection: keep-alive
I trying setting up GENIEACS_FS_URL_PREFIX=https://myserver.com:7567 but it doesn’t seems to work neither.
Tried following the logic on “genieacs/lib/config.ts” but could not find why line 248 is still defaulting to “http” even if I have a FS_SSL_CERT setup.
I didn’t manage to make FS_URL_PREFIX work with env variables neither FS_SSL_CERT turn the FS_URL_PREFIX into https. Unless that there’s some trick I’m missing, I assume both those features are not working properly and I’m really sorry I couldn’t debug further and contribute to the project.
So I just worked around and rebuild from source. Took out ternary operator from lib/cwmp.ts line 818 and lib/config.ts line 248 and just hardcoded https.
It really surprises me that I had such a hard time enabling SSL properly. It seems to me that this should be the normal case. Or does everybody uses an HTTPS proxy to talk to CPE and then unencrypted traffic between proxy and GenieACS? Or people just don’t care about security at all and are talking directly to CPEs over HTTP?
I think in general people don’t use TLS with cwmp because they own the network and they’re generally at the edge. I know microcells and other in-home devices generally will use TLS.
As a note, a lot of cpes won’t take an https url for downloads because they have verification turned on but have no root certs embedded, so verification always fails. An ISP can ask to have their cert installed, but most don’t because they don’t think about it. I don’t think there’s a standard way to install certs over the wire either, nor is there a way to update the certs that are there (if there is one).
Well, owning the network does not guarantee you will not have a man-in-the-middle attack. So I think it’s more prudent to have all your traffic encrypted, specially on an application like TR-069 where you are dealing with the “home router” that interfaces WAN/LAN and controls the local network. To me that’s very critical.
About the certificates, we are working with Mikrotik as our main CPE. I can massconfig devices (SSL certificate and TR-069 client config) with sftp by pushing a Mikrotik script (extension something.auto.rsc). That way I can just onboard devices and they will talk to my ACS over HTTPS.
We are studing the possibility to do the same thing on other CPE vendors by flashing a new firmware with OpenWRT.
I’m not disagreeing with you, I’m telling you how it is. IRL CPE management issues are somewhere at the bottom of the CPE RFP process, so this sort of stuff tends to get ignored until the CPE is thrown over the wall.
Ok. Thanks for the feedback. I was trying all kinds of different things to make this work properly and assumed it was the Node upgrade. But I must have upgraded GenieACS too then
into the file /opt/genieacs/genieacs.env and got the https connection for CPE to ACS to work?? Or you need to set up other parameters to make the https connection to be done?