
Copying `unifi-core-direct.crt` and `unifi-core-direct.key` is causing DNS for my domain to resolve to UDM console login (ubios-cert issue, closed)

jonathann92 commented on July 2, 2024
Copying `unifi-core-direct.crt` and `unifi-core-direct.key` is causing DNS for my domain to resolve to UDM console login

from ubios-cert.

Comments (7)

alxwolf commented on July 2, 2024

Hi, thanks for your efforts.

I'd like to have a look into this first, but won't be able to check this over the next days.

I found one hint pointing in the direction of -direct being the certificate used by UI itself for access via unifi.ui.com.

Still, it's not clear for me what a certificate could possibly have to do with DNS resolution ;) but if it works for you, it works for you!


alxwolf commented on July 2, 2024

OK, did a quick check and hope nothing breaks:

For me, only the -direct.key file gets recreated, not -direct.crt, after service restart and device reboot. But, everything (checked so far) works fine.

@jonathann92 so yes, I'm happy if you create a PR on that as this looks like something not required to work properly.


jonathann92 commented on July 2, 2024

@alxwolf the direct.crt was created for me after I went to the console in my browser. Try checking if the direct.crt is created after that.

> Still, it's not clear for me what a certificate could possibly have to do with DNS resolution

I'm not sure what it has to do with either. I was thinking about submitting a request to the community but that would take a while.

Did you find similar behavior where the UDM was resolving all queries to mydomain.com to the gateway when copying over the direct .crt and .key?

@bfayers I saw PR #41 updated the permissions of the direct.key to 644. I’m not sure how the direct.key is used but it seems to have affected evostreams and RTSP. Do you know what the direct .crt and .key are used for? Could I also ask you to test this on your UDM?


jonathann92 commented on July 2, 2024

@alxwolf

I opened #57. Let's try to wait and see if bfayers responds and is able to test before we merge. I don't want to break someone else's functionality.


bfayers commented on July 2, 2024

> @alxwolf the direct.crt was created for me after I went to the console in my browser. Try checking if the direct.crt is created after that.
>
> > Still, it's not clear for me what a certificate could possibly have to do with DNS resolution
>
> I'm not sure what it has to do with either. I was thinking about submitting a request to the community but that would take a while.
>
> Did you find similar behavior where the UDM was resolving all queries to mydomain.com to the gateway when copying over the direct .crt and .key?
>
> @bfayers I saw PR #41 updated the permissions of the direct.key to 644. I’m not sure how the direct.key is used but it seems to have affected evostreams and RTSP. Do you know what the direct .crt and .key are used for? Could I also ask you to test this on your UDM?

I can't understand how a cert could, would or should affect DNS resolution (and it doesn't affect mine -- are you using a wildcard cert? I'm not.)

As for the permissions of the keys from my PR, I simply copied the permissions that unifi use for the default, self-signed ones. Without those permissions it'd break evostreams and thus the RTSP feeds out of the UDM for use by other things.

I will say I don't think not replacing unifi's default self signed keys there would cause any issues -- so long as the webui still gets the LE cert I don't mind!

from ubios-cert.
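
An added example, not part of the thread and not ubios-cert's own code: one way a deploy script can replace a certificate or key file while keeping whatever permission bits the existing file already has, which is what the comment above describes doing for the default self-signed files. The function and file names are hypothetical, and the sketch goes slightly beyond the thread by swapping the file in with a single rename.

```shell
#!/bin/sh
# Added example; function names and file names are hypothetical.

# file_mode FILE: print the permission string of FILE, e.g. -rw-r--r--
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# replace_keep_mode SRC DST: put SRC's content at DST while keeping the
# permission bits DST already has, then swap it in with one rename.
replace_keep_mode() {
    src=$1
    dst=$2
    [ -f "$src" ] && [ -f "$dst" ] || return 1
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    # cp -p clones DST's mode (and owner, when permitted) onto the temp file;
    # overwriting the content afterwards leaves that mode untouched.
    if cp -p "$dst" "$tmp" && cat "$src" > "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Constructed demo in a scratch directory: the existing file is 644, the
# renewed one is 600; after the swap the content is new and the mode is kept.
demo() {
    d=$(mktemp -d) || return 1
    printf 'old key\n' > "$d/existing.key"; chmod 644 "$d/existing.key"
    printf 'new key\n' > "$d/renewed.key";  chmod 600 "$d/renewed.key"
    replace_keep_mode "$d/renewed.key" "$d/existing.key" || return 1
    echo "$(file_mode "$d/existing.key") $(cat "$d/existing.key")"
    rm -rf "$d"
}
demo
```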

alxwolf commented on July 2, 2024

> I will say I don't think not replacing unifi's default self signed keys there would cause any issues -- so long as the webui still gets the LE cert I don't mind!

Agree. Merged the PR so the -direct certs are no longer touched. Let's see if this breaks anything (I doubt it...) - we will know at the latest in 60 days after next renewal...


jonathann92 commented on July 2, 2024

Honestly I don’t understand why it would either. I can try playing around later with 2 different domains and use one with the regular and the second with the direct cert.

I am using a wildcard cert so I’m passing this to the .env file: `*.mydomain.com,mydomain.com`
