Comments (13)
Let me know how I can help. I’m also happy to test.
from ubios-cert.
FYI (and you probably already know this): I was able to regenerate the original UBIOS RADIUS certificates by renaming/removing the /mnt/data/udapi-config/raddb/certs/server.pem
certificate and server-key.pem
key and restarting the UDM.
In the course of my earlier testing, I lost my backup of the original UBIOS RADIUS cert. Since the ca.cer
in that directory was likely used to create more certificates, I figured it might recreate the RADIUS cert if it was missing.
NB: I had to completely reboot the UDM to get the cert/key to regenerate. I tried /usr/sbin/rc.radiusd restart
after rm server.pem
and rm server-key.pem
but it did not recreate the cert/key pair.
from ubios-cert.
@OverengineeredNetwork could you try the following please - if possible.
/etc/init.d/S45ubios-udapi-server restart
could do the trick to get the LE certificate enabled for RADIUS.
If this is stuck or shows weird behaviour, a reboot
should fix it
from ubios-cert.
@alxwolf,
Well, I thought running /etc/init.d/S45ubios-udapi-server restart
went smoothly.
Stopping ubios-udapi-server watchdog: OK
Stopping ubios-udapi-server: ........................OK
Starting ubios-udapi-server: OK
Starting ubios-udapi-server watchdog: OK
I was able to disjoin and re-join my RADIUS-Authenticated WiFi Network without any certificate errors.
However, I could not browse to any websites or post this reply. It was as if DNS could not resolve external or internal hosts. Other RADIUS-Authenticated WiFi clients also lost the ability to resolve public hostnames.
I was able to restore functionality by running the reboot
command you suggested.
from ubios-cert.
@OverengineeredNetwork
Thanks for being so quick in testing it. Do yo run pi-hole as DNS on the UDM Pro (I do that)? Had the same issue (must reboot
).
Are now the correct certificates installed for the Radius server?
from ubios-cert.
I just saw I received a few notifications from my controller too.
I've been getting these errors recently. I'm not sure if they were related to our testing or when I upgraded the firmware from UniFi 1.10.4 to 1.11.0 (7 days after our testing).
I use AdGuardHome which runs as a podman container.
I can confirm that it is still serving the correct certificate for RADIUS-Authenticated WiFi supplicants.
Update: I think each Wi-Fi client (RADIUS supplicant) that hasn't accepted the new certificate will trigger this alert. When I see this alert on my smartwatch, it also specifies the client's name.
from ubios-cert.
Those iOS notifications from the controller don't do anything. Everything works. I just get these notifications occasionally.
I "forgot" the RADIUS WiFi network on my iPhone and Mac and rejoined them anew. Everything worked as expected.
from ubios-cert.
Based on this testing, I
- Replaced line 64 (
/usr/sbin/rc.radiusd restart
) in/mnt/data/ubios-cert/ubios-cert.sh
withreboot
- Forced a renew
sh /mnt/data/ubios-cert/ubios-cert.sh forcerenew
- Ran a deployment (to get the add_radius function to run):
sh /mnt/data/ubios-cert/ubios-cert.sh deploy
Deploying certificates and restarting UniFi OS
New certificate was generated, time to deploy it
[buncha hex]
Checking if Captive Portal certificate needs update.
New certificate was generated, time to deploy it
Checking if RADIUS server certificate needs update.
New certificate was generated, time to deploy to RADIUS server
New RADIUS certificate deployed.
unifi-os: Stopping unifi-os
unifi-os: Stopping unifi-os unifi-core.service
unifi-os: Stopping unifi-os unifi-protect.service
unifi-os: Stopping unifi-os unifi.service
unifi-os: Stopping unifi-os unifi-base-ucore.service
unifi-os: Stopping unifi-os postgresql.service
unifi-os: [buncha hex]
unifi-os: Stopping unifi-os SSH daemon... OK
unifi-os: Starting unifi-os
unifi-os: Stopping unifi-os SSH daemon... OK
unifi-os: Starting unifi-os SSH daemon... OK
unifi-os: unifi-os
All of my wifi devices seemed to keep their connection to the SSID, but I couldn't navigate anywhere. I had to toggle wifi off and on again to accept the NEW RADIUS cert on each device. I noticed this time that my Mac didn't report problems with the cert like it had before. I confirmed that the The fullchain cert should be used for the RADIUS cert. I didn't get an error before because I had trusted the expired cert. I cleared all related certs between test and confirmed that the Mac will assume the wrong root CA unless the fullchain cert is used./mnt/data/udapi-config/raddb/certs/server.pem
in place was the current one and not the fullchain.
Once I accepted the new RADIUS cert on my devices, I checked to see if the cert had been applied to my controller and my AdGuardHome podman container. Everything works as expected.
Whatever that reboot
command does, it seems more effective than the others we've tried. I'm not sure if its overkill to use the command or if it's a "dirty" shutdown.
Also, of note, the deploy_cert ()
function calls the add_captive ()
function, but not the add_radius ()
function. But the deploy
switch calls both. That's why I ran the command twice (at the top).
I'm still learning GitHub--not sure how I can propose these changes to help.
TLDR:
- The
reboot
command works to deploy the RADIUS cert (but seemed to disrupt video recordings for ~5 minutes) - Given the effectiveness of the
reboot
command, I wonder it if should replace theunifi-os restart
command to prevent redundant service restarts. - The
fullchain.cer
should replace/mnt/data/udapi-config/raddb/certs/server.pem
- The
deploy_cert ()
might want theadd_radius ()
function as well to keep it consistent with thedeploy
switch.
from ubios-cert.
@CaseyTal so. Good news is I got it sorted out "in principal"™
bad news is: won't be able to offer it for V1.x (due to lack of equipment for testing), but nobody should care as we should all move to V2.0 (or V3.0 soon).
Plus, right now I can only make free radius read the new certificate by rebooting the box, like stated here by @tackynugget. So, some more research required.
from ubios-cert.
Fair enough. Have you made any changes to the files yet? I'm on 2.x, so that's fine by me!
And the reboot would only be once, correct? OR would that be required in the event of a power outage as well?
from ubios-cert.
@CaseyTal you could try the main branch now, as I believe I've been able to sort it out now.
At first login, devices will (might?, only tried with a Mac and iOS) ask you to nod off the certificate - but at least now the right name is displayed, not "UbiOS Radius etc.", and it is shown as valid, for not being self-signed by UI.
@tackynugget, thanks for the effort you put into deciphering what UI does. With 2.x, I've been able to get it to work (i.e., updated cert presented) by restarting the service with systemctl restart udapi-server
, without requiring to reboot.
from ubios-cert.
Still getting "Syntax error: newline unexpected"
from ubios-cert.
Still getting "Syntax error: newline unexpected"
Which DNS provider do you use? in case it's not GoDaddy, you must comment out
# GoDaddy
export DNS_API_PROVIDER="dns_gd"
export GD_Key=<KEY>
export GD_Secret=<SECRET>
the <> will break parsing the file
from ubios-cert.
Related Issues (20)
- Pull latest image before run HOT 1
- Problem deploying on UDM SE HOT 10
- ./ubios-cert.sh: line 140: /etc/init.d/cron: not found - Error on UDM (UniFi OS Version 1.12.30) HOT 1
- Cron job now requires the user to be specified HOT 3
- UDM pro upgraded to 2.x uses /data not /mnt/data HOT 3
- /mnt/data still hardcoded in ubios-cert.sh and 99-ubios-cert.sh HOT 2
- Script issues - support for UDMPro v2.4.23 HOT 2
- Issue with wildcard domains HOT 1
- Intermediate Chain Certificate for Guest Portal HOT 12
- Cloudflare not registrering - api not applied correctly HOT 1
- Add OVH as a DNS provider HOT 2
- No such file or directory when running cd ${DATA_DIR}/ubios-cert HOT 7
- Captive Portal HOT 3
- Can't open /data/unifi-core/config/unifi-core.crt for reading, No such file or directory HOT 2
- Curl Error HOT 2
- Email Notification HOT 2
- UNVR Support HOT 6
- Copying `unifi-core-direct.crt` and `unifi-core-direct.key` is causing DNS for my domain to resolve to UDM console login HOT 7
- Guest portal cert doesn't seem to be updating. HOT 3
- missing keytool? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ubios-cert.