diff --git a/README.md b/README.md index 5e7d041..206e862 100644 --- a/README.md +++ b/README.md 
@@ -2,43 +2,67 @@ I wanted to install a certificate generated by Let's encrypt on my brand new laser printer (HP Laserjet MFJ 4302) for the integrated administration webserver. -After research on the web, I discovered +After research on the web, I discovered that although there were projects supporting older models +nothing was existing for newer models. +Hence I decided to write my own tool in Python. +It was designed by reverse engineering the integrated administration webserver following the +network exchange when using the menu dedicated to certificate management +(Security -> Certicates management) -# Arguments +# Command -positional arguments: - {csr,pem} command help - csr Create CSR - pem Install certificate - -options: - -h, --help show this help message and exit - -d, --debug Activate debug. - -c, --config CONFIG_FILENAME - Configuration file. - -u, --user USERNAME Username. - -p, --password [PASSWORD] - Password. - -H, --host HOSTNAME Hostname. - -n, --no-tls-verification - Verify certificate validity. +```bash + {list, del, csr,pem} + list List certificates known by the printer + del Delete a certificate + csr Create a certificate signing request (CSR) + pem Install a PEM certificate +Common options: + -h, --help Show this help message and exit + -d, --debug Activate debug. + -c, --config CONFIG_FILENAME Configuration file. + -u, --user USERNAME Username (admin). + -p, --password [PASSWORD] Specify admin password. + -H, --host HOSTNAME Hostname. + -n, --no-tls-verification Do not verify certificate validity. +``` # How to use it ? -To obtain a CSR: -``` +After playing a lot with the administration web server, I discover a reproducible way to convince +the printer to accept a Let's Encrypt certificate. +First you need to ask a CSR generated by the printer: +```bash ./refresh-certificate.py -c ./config.ini -n -p PASSWORD csr ``` +This way the private key part of the certificate is only known by the printer. 
+I was not able to import the private key of a Let's Encrypt certificate as obtained when generating +the certificate directly from ACME. -To obtain a PEM certificate from Let's encrypt: +Next you need to ask Let's Encrypt to sign the CSR: ``` certbot certonly --webroot -w /var/www/letsencrypt/ --csr printer.csr ``` -To install the PEM file on the printer: +You should obtain three PEM files in response: + +1. _cert.pem_: the certificate itself (PEM format) +2. _chain.pem_: the intermediate CA that signed the certificate (PEM format) +3. _fullchain.pem_: the two previous files concatenated. + +Finally you can install the certificate PEM file on the printer: ``` -./refresh-certificate.py -c ./config.ini -n -p PASSWORD pem +./refresh-certificate.py -c ./config.ini -n -p PASSWORD pem -i fullchain.pem ``` +Please note that during the last step, you can add either the _cert.pem_ file or +the _fullchain.pem_ files. In both cases, you should be able to connect to the printer webserver +without warning message from your navigator (tested on Firefox and Chromium). +This is possible because the main navigators comes with a certificates store that contains +not only the root certificate of Let's Encrypt but also the intermediate certificates. +However, note that most others tools will fail to connect to the Web server of the printer +(including this tool) because the printer will only present the final certificate. +You really have to install the _fullchain.pem_ to remove TLS connexion errors from all tools. +
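Review bot: In the "How to use it ?" examples, all three `refresh-certificate.py` invocations keep `-n`, which the updated help text describes as "Do not verify certificate validity", so the admin credentials given with `-p PASSWORD` go to a host whose certificate is not checked. That is needed on the first run, but the closing paragraph says installing _fullchain.pem_ removes TLS errors for all tools, this one included, so the README should state that `-n` is only required until the full chain is installed and should be dropped for later renewals. Typing the password as `-p PASSWORD` also leaves it in shell history and the process list; the help shows the value as optional (`[PASSWORD]`) and a `-c` config file exists, so document whichever of those avoids putting it on the command line. Two smaller points: the `pem -i fullchain.pem` example uses an `-i` option that the new options block does not list (nor are `list` and `del` shown in use), and the added intro text misspells the menu name as "Certicates management".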