Adding a Commercial SSL Certificate to Cloud Key : r/Ubiquiti
dustys81 • 3 years ago
User Guide
Had the fun of figuring out how to get a commercial SSL certificate to function on a CloudKey and CloudKey+ to support Guest Portal functions this past week. I figured the least I could do is share with the community as the documentation is few and far between and typically out of date. I am surprised this isn't natively configurable in the UI.
The majority of the work is done as you would find in most tutorials, but the money shot for me was discovering the change in version 2 of the firmware (moving from Nginx to Node for the web server). Below are the commands I used twice to successfully deploy public certificates. I would recommend reviewing the commands, customizing them and running them one by one... I'm not a scripting genius. ;-)
## Enable SSH on your controller and set a login password. User will be 'ubnt'
## On the controller...
## Backup existing files before we begin...
cd ~
mkdir ssl-backup
cd ./ssl-backup
mkdir -p ./unifi-core/config/
cp /usr/lib/unifi/data/keystore ./
cp /etc/ssl/private/unifi.keystore.jks ./
cp -r /etc/ssl ./
mkdir ./config
cp /etc/default/unifi ./config
cd ~/ssl-backup/unifi-core/config/
cp /data/unifi-core/config/unifi-core.* ./
cd /usr/lib/unifi/
# Replace the <> fields below, including the <>'s.
# new_cert generates a fresh key pair under the alias 'unifi' in the keystore and writes the CSR to ./data/
java -jar /usr/lib/unifi/lib/ace.jar new_cert <FQDN for CERT> <COMPANY> <CITY> <2-Letter STATE> <2-Letter Country>
cp /usr/lib/unifi/data/unifi_certificate.csr.* ~/ssl-backup/
cat ./data/unifi_certificate.csr.pem
mkdir ~/new-ssl
## ISSUE the certificate from your provider using the CSR displayed above.
## SCP the certificate and all intermediates to your controller from your local machine using scp or another utility (e.g. on macOS):
## scp <path to certs>/* ubnt@<IP of Controller>:~/new-ssl/
## Back on the controller via SSH
# Keystore password: aircontrolenterprise (the UniFi default on every install, so it is no secret; the keystore files must stay readable by root only)
# Used keytool instead of ace.jar because of certificate parsing issues. Adjust paths / values based on the certificate files provided (you might have more than one intermediate certificate; import each one under its own alias).
cd ~/new-ssl
keytool -import -trustcacerts -alias root -file <ROOT CA File>.crt -keystore /etc/ssl/private/unifi.keystore.jks -storepass aircontrolenterprise
keytool -import -trustcacerts -alias intermediate1 -file <INTERMEDIATE CERT FILE>.crt -keystore /etc/ssl/private/unifi.keystore.jks -storepass aircontrolenterprise
# Importing the issued cert under the existing 'unifi' alias installs it as the certificate reply for the key pair new_cert created
keytool -import -trustcacerts -alias unifi -file <ISSUED UNIFI SSL CERT>.crt -keystore /etc/ssl/private/unifi.keystore.jks -storepass aircontrolenterprise
# Upgrade keystore to PKCS12 (probably optional; keytool leaves the old file behind as unifi.keystore.jks.old)
keytool -importkeystore -srckeystore /etc/ssl/private/unifi.keystore.jks -destkeystore /etc/ssl/private/unifi.keystore.jks -deststoretype pkcs12 -srcstorepass aircontrolenterprise -deststorepass aircontrolenterprise
# View output (just for fun..). The 'unifi' entry should now list the full chain (leaf, intermediate, root) if the imports went in correctly
keytool -list -v -keystore /etc/ssl/private/unifi.keystore.jks -alias unifi -storepass aircontrolenterprise
# Convert for Cloud Key certificates
# -export writes only the leaf certificate, never the chain
keytool -export -alias unifi -file /etc/ssl/private/cloudkey.der -keystore /etc/ssl/private/unifi.keystore.jks -storepass aircontrolenterprise
openssl x509 -inform der -in /etc/ssl/private/cloudkey.der -out /etc/ssl/private/cloudkey.crt
# Append the intermediate(s) so unifi-core serves the full chain; clients that do not fetch missing intermediates on their own will otherwise reject the connection
cat ~/new-ssl/<INTERMEDIATE CERT FILE>.crt >> /etc/ssl/private/cloudkey.crt
keytool -importkeystore -srckeystore /etc/ssl/private/unifi.keystore.jks -destkeystore /etc/ssl/private/cloudkey.p12 -deststoretype PKCS12 -srcstorepass aircontrolenterprise -deststorepass aircontrolenterprise
# -nodes writes the private key unencrypted, so make sure nothing but root can read the files created from here on
umask 077
openssl pkcs12 -in /etc/ssl/private/cloudkey.p12 -nodes -nocerts -out /etc/ssl/private/cloudkey.key -passin pass:aircontrolenterprise
# Copy files for version 2.x of the Cloud Key firmware (copying over the existing files keeps the ownership and mode unifi-core expects)
cp /etc/ssl/private/cloudkey.key /data/unifi-core/config/unifi-core.key
cp /etc/ssl/private/cloudkey.crt /data/unifi-core/config/unifi-core.crt
systemctl restart unifi-core.service
# The Java controller on 8443 reads the keystore at start-up, so restart it as well if that listener still presents the old certificate
systemctl restart unifi.service
## Resources:
## https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63
## https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
## Where I found the v2 firmware changes needed:
## https://blog.arrogantrabbit.com/ssl/Ubiquiti-SSL/
Once you have your FQDN set up in DNS (ensure this is fully resolvable / correct) on the network, you can update your controller hostname / IP settings in Unifi and override the inform host setting with the controller hostname / IP. Be careful: if DNS isn't working or something is misconfigured, this will cause your devices to not be able to connect back to your controller and you will have to re-configure them manually. Overriding isn't required for most, but I have to override the inform host setting to make my guest portal redirect function properly.
Hope this helps someone and saves you 3-4 hrs. of your life!
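One check worth running between the openssl pkcs12 step and the two cp commands, added here as an example and not part of dustys81's post or any Ubiquiti tooling: confirm that cloudkey.key really belongs to cloudkey.crt, that the certificate chains to the CA bundle you were issued under, that the controller FQDN is present as a DNS SAN, and that it is not about to expire. Doing this before the restart avoids discovering a mismatched pair or a missing intermediate only once the web UI is already down. The script is POSIX sh plus openssl, so it also runs on the Cloud Key itself; the FQDN unifi.example.com, the temporary directory and the throwaway test CA it generates are all constructed for the demonstration and stand in for your real cloudkey.crt, cloudkey.key and CA bundle.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on the
# certificate/key pair destined for /data/unifi-core/config/unifi-core.{crt,key}.
# Only openssl is required. All paths and the FQDN below are illustrative.
set -eu

# verify_pair CERT KEY CHAIN FQDN
# Succeeds only if the private key belongs to the certificate, the certificate
# verifies against the CA bundle (root plus intermediates) in CHAIN, FQDN is
# listed as a DNS SAN, and the certificate is good for at least 30 more days.
verify_pair() {
    cert=$1 key=$2 chain=$3 fqdn=$4
    # 1. Same public key (SPKI) in both files; works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "verify_pair: private key does not match certificate" >&2; return 1
    fi
    # 2. The chain must build to the CA(s) that issued the certificate.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "verify_pair: certificate does not verify against $chain" >&2; return 1
    fi
    # 3. Browsers match on SAN, not CN, so the controller FQDN must be a DNS SAN.
    #    (-text rather than -ext so this also works on OpenSSL builds before 1.1.1)
    if ! openssl x509 -in "$cert" -noout -text \
         | grep -A1 'Subject Alternative Name' \
         | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$fqdn"; then
        echo "verify_pair: $fqdn is not a DNS SAN of the certificate" >&2; return 1
    fi
    # 4. -checkend N succeeds only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "verify_pair: certificate expires within 30 days" >&2; return 1
    fi
    return 0
}

# make_fixture DIR FQDN
# Constructed test material: a throwaway root CA, a leaf issued for FQDN with a
# DNS SAN, and an unrelated key, so the checks can be exercised offline.
make_fixture() {
    dir=$1 fqdn=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -extfile "$dir/ca.cnf" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 90 -extfile "$dir/san.cnf" -out "$dir/leaf.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

# Demonstration on the constructed material: the matching pair passes, while a
# certificate paired with the wrong key is rejected before anything is installed.
FIXTURE=$(mktemp -d)
make_fixture "$FIXTURE" unifi.example.com
if verify_pair "$FIXTURE/leaf.crt" "$FIXTURE/leaf.key" "$FIXTURE/ca.crt" unifi.example.com; then
    echo "OK: safe to copy to /data/unifi-core/config/unifi-core.{crt,key}"
fi
if ! verify_pair "$FIXTURE/leaf.crt" "$FIXTURE/other.key" "$FIXTURE/ca.crt" unifi.example.com 2>/dev/null; then
    echo "Rejected: wrong key for this certificate"
fi
```

On a real Cloud Key you would call verify_pair with /etc/ssl/private/cloudkey.crt, /etc/ssl/private/cloudkey.key, a file containing the root and intermediate certificates your provider sent, and the FQDN you put in the CSR; the SAN check is the one that catches a certificate issued for a different name, and the chain check catches the case where only the leaf made it into cloudkey.crt.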
ImissHurley • 3 years ago
Thanks for putting in the work. However, I would venture to say that most folks that are interested in changing the certs in Unifi already have a reverse proxy in place. That's WAY easier and you only have to change your cert in one place.
I use a wildcard on an NGINX reverse proxy.
### unifi
server {
    listen 443 ssl http2;
    server_name unifi.domain.com;
    # Wildcard certificate for *.domain.com (placeholder paths; drop these two lines if they are already set in the http{} block)
    ssl_certificate     /path/to/wildcard.domain.com.fullchain.pem;
    ssl_certificate_key /path/to/wildcard.domain.com.key;
    location / {
        # The controller still presents its own self-signed certificate on 8443.
        # nginx does not verify upstream certificates unless proxy_ssl_verify is on,
        # so this hop is only as trustworthy as the network path to 10.x.x.x.
        proxy_pass https://10.x.x.x:8443/;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
And if you want to also SSL the guest portal:
### unifi guest portal
server {
    listen 8843 ssl http2;
    server_name guest.domain.com;
    # Same wildcard certificate as above (placeholder paths)
    ssl_certificate     /path/to/wildcard.domain.com.fullchain.pem;
    ssl_certificate_key /path/to/wildcard.domain.com.key;
    location / {
        # The guest portal is plain HTTP on 8880 behind the proxy
        proxy_pass http://10.x.x.x:8880;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Trailing slash on both sides keeps /ws/<path> mapped to /ws/<path> upstream
    # (with proxy_pass .../ws and no slash, /ws/foo would be rewritten to /wsfoo)
    location /ws/ {
        proxy_pass http://10.x.x.x:8880/ws/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}