An open discussion list for topics related to the geteduroam service

[Jørn Åne de Jong <jornane.dejong AT surf.nl>]

On 07/05/2025 08:33, Christian Mittring wrote:
> Hello,
>
> my name is Christian, I am from the university of augsburg in germany.
> We are currently panning to change our eduroam setup from eap-ttls to 
> eap-tls and geteduroam.
>
> To deploy user-certificates we would like to use the geteduroam Apps so 
> we started to install the corresponding portal: https://github.com/ 
> geteduroam/letswifi-portal.
>
> We found some small documentation and a script to install the portal 
> under Ubuntu: https://github.com/geteduroam/letswifi-portal/blob/main/ 
> contrib/install/install-letswifi-portal.sh
> but we would like to do some further
> adjustments.
>
> We would like to add our own sub-ca for certificate creation. (radius 
> certificate is not from same sub-ca as used for the portal but from same 
> root-ca)
> We would like to use mysql or even better MariaDB or Postgress instead 
> of sqlite-db.
>
> Is there some further documentation how to do this in the correct way?
> As far as I understood the code until now, some code adjustments are 
> necessary to achieve this without modifying the DB after installation.
> Can you help us to implement these changes or should we start with a 
> fork and a pull-request at the end?

Hello Christian

Thank you for you message, great to hear you're looking into using 
geteduroam at your institution!

The script you found is intended to get a installation up and running 
quickly, but it's not the only way to install the letswifi-portal.  The 
adjustments you mention, using your own sub-ca and using MySQL or 
MariaDB, those are already possible with the portal as-is.  Postgress 
support is something we're looking into, it'll probably be supported in 
the future.

In order to do this, you can change the 'pdo.*' settings in 
letswifi.conf.php [1], set 'pdo.dsn' to something like 
'mysql:dbname=testdb;host=127.0.0.1' and set the username and password 
in the other variables.  The schema you'll find in the sql directory [2].

Regarding the CA, you can add your CA directly to the database, or use 
the script in bin/import-ca.php and pipe a PEM file consisting of 
intermediate, root and private key of the intermediate.  Then you can 
set the intermediate in the `realm_signer` table, there is currently no 
programmatic way of doing this.


We are actively working on the improvements you're asking about, better 
documentation and a way to make these changes without accessing the 
database directly.  If you're interested, please take a look at the code 
in the "beta" branch [3] and the installation documentation there [4].

In the beta version we make more use of inline-documented configuration 
files to make it easier to make these kind of changes, and we're working 
on a command-line tool for the administrator to make these changes in a 
controlled way.


The beta is nearly done; all user-facing components work reliably, but 
the command-line still has issues we're working on.  Maybe you can try 
it out and see if it works for you?
We can also schedule a call if you like.


[1] 
https://github.com/geteduroam/letswifi-portal/blob/main/etc/letswifi.conf.dist.php#L12-L14
[2] 
https://github.com/geteduroam/letswifi-portal/blob/main/sql/letswifi.mysql.sql
[3] https://github.com/geteduroam/letswifi-portal/tree/beta
[4] https://github.com/geteduroam/letswifi-portal/blob/beta/INSTALL.md


--
Jørn Åne de Jong
geteduroam board member