This is a guide on how to run the Alta Control hardware/software in an isolated network that does not have Internet access. Keep in mind that Let’s Encrypt only provides certificates for 3 months at a time, so you will need to provide an Internet connection to the controller at least once every 3 months to keep its certificate valid and its security maintained.
All Alta controllers must initially be installed using an Internet connection in order to:
- Obtain an Alta DDNS hostname for itself
- Obtain a Let’s Encrypt certificate for that hostname
This ensures that all communication with the controller is vetted by browser certificate trust chains, and that no Alta admin will ever be asked to make a security exception. All Alta physical devices connected to Control will use the same industry-standard trust chain, as well. If the controller’s certificate has expired, Alta devices will refuse to connect to it.
For ease of use, a Route10 is recommended when running through this guide.
Time server
An NTP server is required for all Alta devices to maintain accurate time and ensure that certificates have not yet expired. A laptop or desktop may be used for this purpose, but it must be available 24 hours a day, 7 days a week, and cannot go to sleep.
Install chronyd on a physical Ubuntu 24.04 system (preferably not a container/VM; firewall configuration is outside the scope of this document).
Run the following commands:
sudo apt install chrony
sudo systemctl stop chrony
sudo mkdir /var/run/chrony
sudo nano /var/run/chrony/chronyd.conf
Insert these lines into the file and save:
# serve time to any client (narrow this to your LAN subnet if you can)
allow 0.0.0.0/0
# advertise as stratum 8 even with no upstream reference
local stratum 8
# allow the clock to be set by hand (chronyc settime) since there is no upstream NTP
manual
Run chronyd using the new .conf file:
sudo chronyd -f /var/run/chrony/chronyd.conf
Note that /var/run is a tmpfs on Ubuntu and is cleared on reboot, so the directory, the .conf file and the running chronyd have to be recreated after every restart of the server.
Test the NTP server (from an Alta AP/Switch):
ntpd -q -p $IP_OF_SERVER
DNS Configuration (Route10)
- Set up a DNS name for your time server in the controller:
  - If your NTP server is not in the list of client Devices, add it first (Devices->Options->Add Wired). You will need to know the MAC address of the server beforehand.
  - Set its name to 0.openwrt.pool.ntp.org
  - Set the IP address to that of your NTP server.
- Set up the DNS name for your controller:
  - Find the controller in the Devices tab, and change its name to match the DDNS name that has been assigned to your controller. Since devices on this network are usually on the same LAN as the controller, use the local variant of the controller DDNS hostname, e.g. local.12345678.ddns.manage.alta.inc. If it’s not on the same LAN as the other Alta devices, remove the local prefix.
  - Set the IP address to that of your controller.
It is also possible to use third-party routers for DNS resolution, as long as the Alta DDNS hostname points to the controller’s IP address, and 0.openwrt.pool.ntp.org points to your NTP server’s IP address. The IP addresses for each of these devices will also need to be preconfigured in your DHCP server.
Periodic Certificate Refresh
To manually refresh the Let’s Encrypt certificates on the controller, ssh to it, and run the following commands:
cd /usr/share/access/be/
su alta -c ./uacme.sh
This must be done once every 3 months to avoid any interruptions in service. It is best to do this at least a few days before the 90-day certificate expires.
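Because Alta devices refuse to connect to a controller whose certificate has expired, it is worth checking the remaining validity from inside the isolated network rather than relying on a calendar reminder. The script below is an added example, not part of Alta's tooling: it connects to the controller's DDNS hostname (the page's example hostname is used as a placeholder; the Route10 DNS entries above must resolve it locally), verifies the chain the way a browser or Alta device would, and reports how many days remain before the 90-day expiry. The 7-day warning threshold is an assumption.

```python
"""Report days left on the Alta controller's Let's Encrypt certificate.

Added example (not Alta's own code). Assumes the controller serves HTTPS
on port 443 at its DDNS hostname, resolvable from this host.
"""
import socket
import ssl
import sys
import time

RENEW_WITHIN_DAYS = 7  # assumed warning window before the 90-day expiry


def days_left(not_after, now=None):
    """Days until `not_after` (the 'notAfter' string from getpeercert(),
    e.g. 'Jan 11 00:00:00 2025 GMT') relative to `now` in epoch seconds."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400


def classify(days, renew_within=RENEW_WITHIN_DAYS):
    """Map remaining days to 'expired', 'renew' or 'ok'."""
    if days <= 0:
        return "expired"
    if days <= renew_within:
        return "renew"
    return "ok"


def fetch_not_after(hostname, port=443, timeout=5.0):
    """Open a verifying TLS session (public trust chain, hostname check,
    expiry check) and return the leaf certificate's notAfter string."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Placeholder hostname taken from the guide; pass your own as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "local.12345678.ddns.manage.alta.inc"
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted chain fails here, just as Alta devices would refuse it.
        print(f"{host}: certificate verification failed: {exc}")
        sys.exit(2)
    remaining = days_left(not_after)
    state = classify(remaining)
    print(f"{host}: notAfter={not_after} ({remaining:.1f} days left): {state}")
    sys.exit({"ok": 0, "renew": 1, "expired": 2}[state])
```

Run it from cron on the NTP host a few times a week; a non-zero exit code means it is time to ssh to the controller and run uacme.sh.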