Comments (12)
Looking at it. Now may be the right time to take another look at the multiple stores the UDM has (for Console, Guest / WiFiMan, and RADIUS).
@NDULZ, previously it was an issue to run WiFiMan with full chain, but I need to double-check that (and that's long ago so my memory may fail me here).
from ubios-cert.
I'm however having an issue where some devices, mostly Samsungs and Apple devices do not trust the certificate on the guest portal.
Hi @NDULZ, can you please provide some information:
What UniFi device do you use?
What firmware version do you run? V1.x, V2.x or V3.x
Which specific Apple devices produce this error?
I have tried with Windows, (newer) Apple iOS and macOS devices and get no errors.
Having just the server certificate (no chain, i.e. no intermediate or root certificate) in the guest portal is intended behavior - right now, at least.
from ubios-cert.
@alxwolf Yup in your notes you indicate that the chain cert is not installed for WiFiMan to work. I think having an option in ubios-cert.env would be prudent and allow the user to decide what they would like to use.
I am using a UDM and a UDM Pro and have the same issue on both.
Both are running firmware v1.12.33.
The issue arises on Samsung Galaxy A71, S9 and Note 9 among other Android devices, MacBook Air 2020 and 2015, iPhone 13, X and 8.
I hope this helps.
from ubios-cert.
mmh. it's not that simple... I've been testing now for a sound 3 hours and... it does not work with a full chain. So no chance for giving the option...
from ubios-cert.
@NDULZ I created a branch for this, please try this and let me know if this works for your environment.
For me, it does... but: it breaks WiFi-Man.
I added this to `ubios-cert.env` to spare you from repeating all configuration.

```sh
# you want to spare users from "intermediate certificate missing" errors?
# this will break WiFiman iOS app
# uncomment next line, set to 'yes' to provide the full chain to Captive Portal
CAPTIVE_FULLCHAIN='yes'
```

I think we can agree that it's just plain stupid by UI to let their users run through hoops.
from ubios-cert.
The chain is all good now, but now I seem to be encountering an error on macOS when redirecting to my promotional URL. For some weird reason it's using the UDM's self-signed SSL cert when redirecting.
from ubios-cert.
So I guess your guest portal config looks something like this:
Yeah, UI is a mess about certs...
You probably get the "UI" certificate, issued by "devint" (they probably skipped an "a" in that).
I searched far and wide on the UDM and have not found where this thing resides and when it gets regenerated (something seems to trigger this, but seems like not a reboot of the hardware or just restarting the unifi-os).
One thing you can try (don't know how comfortable you are SSH-ing into UDM).
You are throwing an additional curved ball by using the redirection (which I think is totally fine for such equipment...).
You could check in `/mnt/data/system/ssl/private/redirector` what certificate you have there. Please also check the file creation date and time, does that ring a bell (like last reboot or date of installation??)

```sh
openssl x509 -text -noout -in server.crt
```

will tell you.
What happens if you make a backup of this key and cert and replace it with your Let's Encrypt cert?
from ubios-cert.
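An added example, not part of the original thread or of ubios-cert, for the check suggested in the comment above: it reports whether a PEM file such as the redirector's `server.crt` carries only the server certificate or a chain, and who issued it. The function names are hypothetical, and it assumes `openssl`, `awk` and `mktemp` are available on the device.

```shell
#!/bin/sh
# Added example (not part of ubios-cert): classify what a PEM file hands to clients.

# dn FILE subject|issuer -> that distinguished name of the first certificate in FILE
dn() {
    openssl x509 -noout "-$2" -in "$1" | sed "s/^$2=[ ]*//"
}

# split_bundle FILE DIR -> DIR/cert.1, DIR/cert.2, ... one certificate per file
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# classify_pem FILE -> no-certificate | self-signed | leaf-only | chain | chain-broken
# Name chaining only (issuer of cert i == subject of cert i+1); signatures are
# not verified here.
classify_pem() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "${n:-0}" -gt 0 ] || { echo "no-certificate"; return 0; }
    tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$tmp"
    if [ "$(dn "$tmp/cert.1" subject)" = "$(dn "$tmp/cert.1" issuer)" ]; then
        result="self-signed"      # strictly: self-issued (subject == issuer)
    elif [ "$n" -eq 1 ]; then
        result="leaf-only"        # clients must already know the intermediate
    else
        result="chain"
        i=1
        while [ "$i" -lt "$n" ]; do
            next=$((i + 1))
            [ "$(dn "$tmp/cert.$i" issuer)" = "$(dn "$tmp/cert.$next" subject)" ] ||
                result="chain-broken"
            i=$next
        done
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Usage: sh classify_pem.sh /path/to/server.crt
if [ "$#" -gt 0 ]; then
    echo "issuer: $(dn "$1" issuer)"
    classify_pem "$1"
fi
```

Run it against the certificate before and after swapping files, so the issuer line shows which certificate the service is actually holding.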
SSH-ed into the UDM; you were right on the location, and it seems to have been created when I first powered up the UDM on the day I purchased it.
Any thoughts on which cert and key I should use amongst the ones in .../unifi-core/config?
I don't get how UI do so many things right, great in fact but the vitals are just all over the place.
from ubios-cert.
Checked the UDM Pro as well and that seems to have been created on Dec 10 2022, which I think is when I did a factory reset.
from ubios-cert.
Thanks, mine dates to when I did last firmware upgrade (yesterday to .37), which makes sense.
You could try

```sh
cp /mnt/data/unifi-os/unifi-core/config/unifi-core.crt /mnt/data/system/ssl/private/redirector/server.crt
cp /mnt/data/unifi-os/unifi-core/config/unifi-core.key /mnt/data/system/ssl/private/redirector/server.key
unifi-os restart
```

If certs get shot, one can delete both `server.*` files and they get recreated during (hardware) reboot.
But I'm not sure this will help. UI is totally not helpful on those topics and everything is "for science"...
from ubios-cert.
Found one more thing: maybe this can provide a solution?
We typically disable HTTPS redirection and add the IP address the public FQDN points to to the pre-auth access list with the /32 suffix. Works like a charm, even on UDM PROs.
from ubios-cert.
> Found one more thing: maybe this can provide a solution?
> We typically disable HTTPS redirection and add the IP address the public FQDN points to to the pre-auth access list with the /32 suffix. Works like a charm, even on UDM PROs.

This seems to have worked. Copying the certs was a bust.
from ubios-cert.