GenieACS HTTPS TR-069

Hello.
There is a Debian 12 server and GenieACS for interacting with routers. I was faced with the task of configuring the router’s connection to GenieACS using HTTPS. To tell the truth, I’m new to this, I’d like to know how this can be done? In addition, how do I sign the certificate myself?

Well, I'm trying to do this too. The forum has some really nice topics that will help you.

You must generate a new cert and add it to the environment variables:

GENIEACS_CWMP_SSL_CERT=/path/to/your/cert
GENIEACS_CWMP_SSL_KEY=/path/to/your/key

Try using openssl to generate it. I still haven't been able to get the CPE to communicate with the server, but with the UI it works fine.

You can use nginx too.

Good afternoon! I did everything as you said. Is there any way to verify that https has started working? And as I understand it correctly, we bind the certificate in one of the Genie ACS services, for example, to Cwmp or UI, right? In my case, I need to bind the certificate to the CWMP for a secure connection to the CPE.

Here's what the path to genieacs.env looks like: "/opt/genieacs/genieacs.env"
Contents of the genieacs folder: LN-cert.pem, LN-selfsigned.key, genieacs.env, genieacs.env.save.
The contents of the genieacs.env file:
GENIEACS_CWMP_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-cwmp-access.log
GENIEACS_NBI_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-nbi-access.log
GENIEACS_FS_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-fs-access.log
GENIEACS_UI_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-ui-access.log
GENIEACS_DEBUG_FILE=/var/log/genieacs/genieacs-debug.yaml
NODE_OPTIONS=--enable-source-maps
GENIEACS_EXT_DIR=/opt/genieacs/ext
node -e "console.log(\"GENIEACS_UI_JWT_SECRET=\" + require('crypto').randomBytes(128).toString('hex'))" >> /opt/genieacs/genieacs.env
GENIEACS_UI_JWT_SECRET=very_secret_secret

GENIEACS_CWMP_SSL_CERT
GENIEACS_CWMP_SSL_KEY
GENIEACS_NBI_SSL_KEY
GENIEACS_NBI_LOG_FILE
GENIEACS_FS_SSL_CERT
GENIEACS_FS_SSL_KEY
GENIEACS_CWMP_SSL_CERT=/opt/genieacs/LN-cert.pem
GENIEACS_CWMP_SSL_KEY=/opt/genieacs/LN-selfsigned.key

I noticed another feature. After I wrote the path to the certificates in the genieacs.env file, the genieacs-cwmp service started shutting down every ~2 minutes

That's too much information; you should remove what isn't in use.

Like that:

GENIEACS_CWMP_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-cwmp-access.log
GENIEACS_NBI_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-nbi-access.log
GENIEACS_FS_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-fs-access.log
GENIEACS_UI_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-ui-access.log
GENIEACS_DEBUG_FILE=/var/log/genieacs/genieacs-debug.yaml

NODE_OPTIONS=--enable-source-maps

GENIEACS_EXT_DIR=/opt/genieacs/ext

GENIEACS_UI_JWT_SECRET=very_secret_secret

GENIEACS_CWMP_SSL_CERT=/opt/genieacs/LN-cert.pem
GENIEACS_CWMP_SSL_KEY=/opt/genieacs/LN-selfsigned.key

Don't forget to change the owner of the cert and key files to genieacs.

The configuration file has been corrected. The CWMP service is running. But there is a new question. How can I change the owner of the certificate and key files to genieacs? I don't quite understand; is this specified during the creation of the certificate and key?

Use ls -la /path/to/your/files to see the permissions and owners.

You're using these files in genieacs.env, which (if you followed all steps of the installation guide) is used by the user genieacs. You may have a permissions error when using your cert and key files.

Please expand on your problem with screenshots so that we can help you.

In terms of permissions, everything seems to be fine, or not?

root@tr-069:~# ls -la /opt/genieacs/
total 28
drwxr-xr-x 3 root     root     4096 Apr  4 16:23 .
drwxr-xr-x 3 root     root     4096 Mar 12 10:23 ..
drwxr-xr-x 2 genieacs genieacs 4096 Mar 12 10:23 ext
-rw------- 1 genieacs genieacs  556 Apr  4 16:23 genieacs.env
-rw------- 1 genieacs genieacs  585 Apr  4 09:43 genieacs.env.save
-rw-r--r-- 1 genieacs root     1415 Apr  4 08:42 LN-cert.pem
-rw------- 1 genieacs root     1704 Apr  4 08:41 LN-selfsigned.key

Yes, everything seems right. What's the error now?

There don't seem to be any mistakes. To check the functionality, do I have to type "https://my-ip:7547" in the browser? If https has started to work, then I should essentially be given an empty web page, as when entering "http://my-ip:7547". Isn't that right?

That's right. If you type https://your-ip:7547 and it works, you should receive a "405 Method Not Allowed".

Any error when you run systemctl status genieacs-cwmp?

It still doesn't work, but genieacs-cwmp is running successfully. Maybe I missed a step? Did I need to set up DNS or something like that? It seems like I did everything right. The server has an IP of 10.110.5.40. To connect to the ACS server, I used http://10.110.5.40:7547. If you go to http://10.110.5.40:7547, it outputs "405 Method Not Allowed". It doesn't work that way with https :(.

To be sure, I even restarted the server itself so that the configuration settings were definitely applied, but all to no avail.

When you set SSL environment variables and restart the service do you get some error?

Did you set SSL for the UI too? If yes, does it work?

There are no errors. I didn't set a certificate for the user interface, but we can try it as an experiment. As an experiment, I can generate a new certificate and key via openssl. Shall we try?

First try to put it in the UI too and see what happens.

When connecting to https://10.110.5.40:7547 now a window like this appears: [screenshot]

That’s nice, it works. Now you need a domain.