Migrating CAPSMAN - best practices

Hi all,

We’re doing some consultancy for a large organisation with many access points all configured using CAPSMAN. They were originally configured with all services (DHCP/NTP/CAPSMAN/Hotspot/Firewall/LNS etc.) all running on one CCR. We need to split them out to separate boxes (and virtualise some of them) to make the network more manageable.
The first step is to migrate the CAPSMAN and hotspot. Hotspot is easily done - just export/import the configuration and files and it all works. CAPSMAN is a different kettle of fish.
We’ve set this up and tested it in the lab and we’ve had all sorts of problems - all related to certificates. The only reliable way of migrating it is to take a backup on the original box, import it on the new one and then delete the unnecessary configuration - this all works when the new and old boxes are the same, but obviously this is going to be problematic if they’re not.
So, the steps we’ve taken are:
1 - Export CAPSMAN configuration from old box
2 - Export certificates from old box
3 - Import configuration to new box
4 - Import certificates to new box
5 - Rename certificates on new box to match certificates on old box
6 - Configure CAPSMAN on new box to use the certificates imported from the old box
But all I’m getting is “:ffff:10.10.10.123:47023 failed to connect, no key for certificate found (6)”
Clearly I’m missing something and I’m not even sure that this is the ‘correct’ way to migrate CAPSMAN anyway (having to rename the certificates is a pain in the rear). I’ve checked through the certificates (and even wiped the configuration and started from scratch to make sure I haven’t missed anything), but I still get this key error.

So the questions are:
1 - Is there a way of backing up certificates/keys on one RouterOS box so that they can be imported to a new box and just work?
2 - Is there a documented, ‘correct’ way to migrate a CAPSMAN instance (configuration and certificates)?

Obviously I can do the migration by starting from scratch and resetting each AP, but it would be preferable to just have everything work straight away rather than have to change the configuration on each of the many many APs.

Cheers,
Nicholas.

suggest you hire a consultant or a trainer! :wink:

  1. Install the same RouterOS version as the previous routerboard on the new one (upgrading the new device is done later).

  2. Export all CAPsMAN config to an .rsc file.

  3. Export all certificates AND the CAPsMAN private key from the old box.

  4. Now, not later, import only the CAPsMAN cert with its private key (twice; the second time it reads the private key) and check that the “K” flag appears on the certificate.

  5. Now, not later, import all the other certificates.

  6. Be sure all certificates are trusted.

  7. Now, not later, rename the certificates as on the previous routerboard (after import, certificates are named after the certificate file name).

  8. Open the exported .rsc config and check for errors or inconsistencies.

  9. Import the .rsc NOT by file, but paste it line by line (section by section) into the terminal to see if something goes wrong.

  10. Leave CAPsMAN where it is, and move every other service…
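The same procedure as concrete RouterOS terminal commands (an added illustration, not rextended's own text; the certificate names, file names and passphrase are assumed placeholders, and the file-name-based names after import should be confirmed with /certificate print before renaming):

```routeros
# --- On the OLD CAPsMAN box ---
# Step 3: export the CAPsMAN server certificate together with its private key.
# Assumed names: "capsman-cert" (server cert) and "capsman-ca" (CA cert).
# export-passphrase is what makes RouterOS write the .key file at all;
# without it only the public certificate is exported, and a certificate that
# arrives on the new box without its key is one way to get the
# "no key for certificate found" error quoted in the question.
/certificate export-certificate capsman-cert export-passphrase=ChangeMe-Migration1
/certificate export-certificate capsman-ca
# Produces cert_export_capsman-cert.crt, cert_export_capsman-cert.key and
# cert_export_capsman-ca.crt under Files; copy them to the new box.

# --- On the NEW CAPsMAN box (same RouterOS version, step 1) ---
# Step 4: import the server cert first, then its key with the same passphrase.
/certificate import file-name=cert_export_capsman-cert.crt passphrase=ChangeMe-Migration1
/certificate import file-name=cert_export_capsman-cert.key passphrase=ChangeMe-Migration1
# Confirm the certificate now shows the "K" (private key present) flag.
/certificate print where name~"capsman-cert"

# Step 5: import the remaining certificates (CA and any client certificates).
/certificate import file-name=cert_export_capsman-ca.crt

# Step 6: mark the CA as trusted ("T" flag).
/certificate set [find name~"capsman-ca"] trusted=yes

# Step 7: imported certificates are named after the file they came from, so
# restore the old names BEFORE pasting the exported .rsc, otherwise the
# /caps-man manager lines in it reference certificate names that do not exist.
/certificate set [find name~"^cert_export_capsman-cert"] name=capsman-cert
/certificate set [find name~"^cert_export_capsman-ca"] name=capsman-ca

# The manager section of the pasted .rsc should then apply cleanly; this is
# what it ends up setting, and /caps-man manager print confirms it.
/caps-man manager set enabled=yes certificate=capsman-cert ca-certificate=capsman-ca
/caps-man manager print
```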

So, you could have:
a) Said nothing.
b) Helped.
c) Made an unhelpful comment.

You chose option C. What did you think that achieved? Is somebody admitting that they don’t know something really worthy of ridicule?

Should I just have bulls*****d to my customer? No, I said that there was one particular aspect I did not fully understand but that I did have a workaround if the correct procedures weren’t documented.

So, forgive me if I don’t change who I am - if I don’t know something, I’ll damn well say so. My customers expect honesty which is fine by me. And you know what? If somebody asks for help, if I’m able, I’ll damn well help them. But that’s just me.

Many thanks for the pointers. Unfortunately I still can't get an export/import working by following them though :frowning:

I suspect that the problem is more likely with the 1100AHx4 I'm using to test all this with - it has major problems I need to report to support anyway. I'll try again with a different box!

Just to get a more recent follow-up (as a lot of people post in the forum that it is not working) -> the adopted guideline by "rextended" works flawlessly. Just make sure that you follow all steps exactly as documented by him/her.