Comments (13)
One thing you "could" try, maybe to get more output out of udapi-server boot sequence is to chattr +i the unifi-core.crt file. It is very likely they're not checking for that so either it makes it immutable across reboots as a temporary solution for you, or crashes udapi-server and/or you get more info in its journalctl -u because it cannot replace the file...
After being frustrated by 3.2.9's continuation of 3.2.7's bad behavior, I found this thread. I can confirm that marking both the cert and key immutable prevents them from being replaced upon restarting the unifi-core service. It's a kludge, but it'll do until a real fix comes along!
from ubios-cert.
Ah, reading your message I had assumed the CRT in the JSON file was the right one, sorry to have mis-interpreted that.
It's very likely they combine 3+ certificate management mechanisms, it seems to be all over the place between freeradius, the keystore (that must be used for something, maybe intra-Unifi comms over HTTPS), some certs for Protect and the unifi-core/Web UI stuff...
One thing you "could" try, maybe to get more output out of udapi-server boot sequence is to chattr +i the unifi-core.crt file. It is very likely they're not checking for that so either it makes it immutable across reboots as a temporary solution for you, or crashes udapi-server and/or you get more info in its journalctl -u because it cannot replace the file...
Either way, if they are re-generating it, the private key and the cert must be somewhere...
from ubios-cert.
@therealpaulgg opened a new issue, your case is different from the RADIUS issue many people seem to see.
You debugged that your root certificate is gone from keystore - that may be another hint in the direction that UniFiOS says "incorrect / incomplete chain -> trash it, put self-signed in".
but as you wrote, root cause for trust being broken in cert store is unclear...
I assume when you copy the certs manually and restart unifi-core, they get culled, too?
from ubios-cert.
So I mentioned in my last comment that I ended up trying to fix my cert store manually by both re-adding my Root CA and intermediate CA (I didn't need this previously)
ran openssl verify and it reported OK
Yeah copied the certs manually and they are gone.
Maybe if I try configuring RADIUS (I never bothered) it'll work?
from ubios-cert.
This one is a bit trickier to solve than the RADIUS one. Still not entirely sure what to do.
I did some digging based on what @ouaibe had mentioned in the other issue, and I was only able to find this one entry:
"unifiNetwork": {
  "certificate": {
    "crt": "CERT_HERE"
  },
  "controllerURL": "https://192.168.1.1:8443",
  "enabled": true,
  "informURL": "http://192.168.1.1:8080/inform",
  "sitename": "default",
  "uciAllowList": []
},
this CERT_HERE is also a base64 encoded value but does not decode the same way that the radius certificates do, so I am a bit confused.
Tried searching for other configuration files and had no luck. There is one called /data/udapi-config/udapi-net-cfg.json but that appears to just be a subset of the previously mentioned /data/udapi-config/ubios-udapi-server/ubios-udapi-server.state.
It's like the implementation of RADIUS and the web certs are just completely different, and I'm not able to find where they are configured.
from ubios-cert.
Looking at it, that certificate is in DER format (binary), not PEM. These are both interchangeable/convertible using the following commands:
DER -> PEM
openssl x509 -inform der -in certificatename.der -out certificatename.pem
PEM->DER
openssl x509 -outform der -in certificatename.pem -out certificatename.der
So in theory, if you already have your local CRT file server.crt in PEM format, you can do something like this:
jq --arg content "$(openssl x509 -outform der -in server.crt | base64)" '.services.unifiNetwork.certificate.crt = $content' /data/udapi-config/ubios-udapi-server/ubios-udapi-server.state > /data/udapi-config/ubios-udapi-server/ubios-udapi-server.new.state
Then validate the NEW file, the JSON content at .services.unifiNetwork.certificate.crt and if you're satisfied with it (having taken a backup) you can replace the current .state file with the new one, and finally restart the udapi-server.
from ubios-cert.
This makes sense... only concern I have is where is the key? previously for web certs it needed both the cert and the key. You should need both pieces, right?
from ubios-cert.
A CRT file for a server can (should?) contain both the cert and the private key. You could try generating a regular CRT file in PEM format, that would contain the two sections:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
And then convert that to DER and see if it works?
Alternatively, you could try hacking a key="value" element in the JSON file similar to how the other certs are setup, and see if udapi-server breaks while booting?
from ubios-cert.
After digging a bit more, the unifiNetwork certificate in the JSON config file has the exact same fingerprint as the one in the keystore at /data/unifi/data/keystore.
Compared the output of openssl x509 -inform der -in unifinetwork.der -noout -fingerprint and the output of keytool -v -list -keystore /data/unifi/data/keystore -storepass aircontrolenterprise.
This might mean that the keystore is used to back the signature for that part of the certificate management system.
FWIW you can export the existing private key in PEM format using the following commands:
keytool -importkeystore -srckeystore /data/unifi/data/keystore -srcstorepass aircontrolenterprise -destkeystore /tmp/keystore.p12 -deststoretype PKCS12 -deststorepass aircontrolenterprise
openssl pkcs12 -in /tmp/keystore.p12 -nodes -nocerts -out /tmp/private_key.pem
But I'm not sure how that private key would be useful for you, instead you could try adding your own private key/certificate to the existing keystore and see how it behaves with udapi-server.
Good luck!
from ubios-cert.
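As an added, runnable illustration (my own code, not from the ubios-cert project or from anyone in this thread) of two things discussed above: the DER/PEM conversion plus .state update from a few comments back, and the fingerprint comparison in the comment just above. The JSON path .services.unifiNetwork.certificate.crt is the one from the jq command in the thread; the certificate bytes, the state snippet's values and the keytool listing are constructed placeholders, not real X.509 data, so the block runs offline. It also adds a check the thread hints at (a base64 value that "does not decode the same way" as the RADIUS ones): look at the decoded bytes to tell PEM text from raw DER before touching the file.

```python
import base64
import hashlib
import json
import re

# Constructed stand-ins for DER-encoded certificates (NOT real X.509 data):
# an ASN.1 SEQUENCE tag with a 256-byte body is enough for the format plumbing.
OLD_DER = b"\x30\x82\x01\x00" + bytes(256)
NEW_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# Constructed excerpt of `keytool -v -list` output (values are placeholders).
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: unifi
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

def encode_value(raw: bytes) -> str:
    """Base64 string exactly as it would sit in the .state JSON."""
    return base64.b64encode(raw).decode("ascii")

def classify_blob(value: str) -> str:
    """Tell a base64 value that wraps PEM text from one that wraps raw DER."""
    raw = base64.b64decode(value)
    if raw.startswith(b"-----BEGIN"):
        return "pem"
    if raw[:1] == b"\x30":      # every DER certificate starts with a SEQUENCE tag
        return "der"
    return "unknown"

def pem_to_der(pem: str) -> bytes:
    """What `openssl x509 -outform der -in file.pem` does: strip the armor, base64-decode."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def der_to_pem(der: bytes) -> str:
    """What `openssl x509 -inform der -in file.der` does: base64 in 64-column lines plus armor."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Same value `openssl x509 -noout -fingerprint -sha256` prints: the digest of the DER bytes."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def keytool_fingerprints(listing: str) -> dict:
    """Pull the SHA1/SHA256 fingerprint lines out of a keytool listing for comparison."""
    return {name: fp for name, fp in re.findall(r"(SHA1|SHA256):\s*([0-9A-F:]+)", listing)}

# Constructed copy of the relevant part of ubios-udapi-server.state; crt holds OLD_DER.
SAMPLE_STATE = {
    "services": {
        "unifiNetwork": {
            "certificate": {"crt": encode_value(OLD_DER)},
            "controllerURL": "https://192.168.1.1:8443",
            "enabled": True,
            "informURL": "http://192.168.1.1:8080/inform",
            "sitename": "default",
            "uciAllowList": [],
        }
    }
}

def set_unifi_network_cert(state: dict, pem: str) -> dict:
    """Return a new state dict whose crt is the base64 DER of `pem`; the input is untouched."""
    new_state = json.loads(json.dumps(state))   # deep copy, like writing to a .new.state file
    new_state["services"]["unifiNetwork"]["certificate"]["crt"] = encode_value(pem_to_der(pem))
    return new_state

def verify_state(state: dict, expected_fp: str) -> bool:
    """Validation step before swapping files: crt must be DER and match the expected fingerprint."""
    value = state["services"]["unifiNetwork"]["certificate"]["crt"]
    if classify_blob(value) != "der":
        return False
    return fingerprint(base64.b64decode(value)) == expected_fp

if __name__ == "__main__":
    new_pem = der_to_pem(NEW_DER)                      # stands in for your server.crt
    new_state = set_unifi_network_cert(SAMPLE_STATE, new_pem)
    print(json.dumps(new_state, indent=2))             # this is what goes into ...new.state
    print("valid:", verify_state(new_state, fingerprint(NEW_DER)))
    print("keystore:", keytool_fingerprints(SAMPLE_KEYTOOL_OUTPUT))
```

Comparing `fingerprint(der)` against `keytool_fingerprints(listing)["SHA256"]` is the same check the comment above did by eye with openssl and keytool; a mismatch there is the quickest sign that you are looking at two different certificate stores, which is exactly what the next comment in the thread found.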
Unfortunately it seems this certificate is completely different from the one on the web portal. Fingerprints don't match at all and the issuers are totally different (CN = unifi.local for web cert vs. C = US, ST = New York, L = New York, O = Ubiquiti Inc., OU = UniFi, CN = UniFi)
I found a log in /data/unifi-core/logs/http.log saying:
2023-12-18T21:15:19.493Z - info: Self signed certificate needs regenerated, regenerating
2023-12-18T21:15:19.494Z - info: Generating /data/unifi-core/config/unifi-core.crt
wonder if the underlying cert implementations for unifi-core and the other stuff are just totally different.
from ubios-cert.
Absolutely genius workaround...this totally solves my problem. Finally got around to actually implementing it on my Unifi router and it's pretty straightforward. It is a little more complicated since I'm using step-ca which renews certs daily, but it was easy enough to modify the renewal service to simply make the file temporarily mutable and then make it immutable once renewed.
Thank you very much, I had pretty much given up on the idea of accessing Unifi from a trusted domain at this point.
from ubios-cert.
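Added example (my own code, not from ubios-cert, step-ca or anyone in this thread) of the renewal hook the comment above describes: lift the immutable bit, install the new file atomically, put the bit back, and read it back with lsattr. It is written so it can be exercised unprivileged through a fake chattr/lsattr runner; on a real console the same functions run with the default subprocess runner as root. The key path /data/unifi-core/config/unifi-core.key is an assumption by analogy with the unifi-core.crt path in the http.log lines earlier in the thread.

```python
import os
import subprocess
import tempfile
from typing import Callable, List

def chattr(flag: str, path: str, run: Callable = subprocess.run) -> None:
    """Set ("+i") or clear ("-i") the immutable attribute. Needs root and a
    filesystem that supports the flag (ext4/xfs/btrfs)."""
    run(["chattr", flag, path], check=True)

def is_immutable(path: str, run: Callable = subprocess.run) -> bool:
    """Read the attribute back; lsattr's first field is the flag string,
    e.g. '----i---------e-------' where 'i' means immutable."""
    out = run(["lsattr", path], check=True, capture_output=True, text=True).stdout
    return "i" in out.split()[0]

def immutable_replace(path: str, content: bytes, mode: int = 0o644,
                      run: Callable = subprocess.run) -> None:
    """The workaround as a renewal step: -i, atomic swap, +i. Only the files are
    pinned, not the directory, so the rename into place is still allowed."""
    if os.path.exists(path):
        chattr("-i", path, run)
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(content)
        os.fchmod(f.fileno(), mode)     # chmod would fail once the file is immutable
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)               # atomic: a reader never sees a half-written cert
    chattr("+i", path, run)

def install_pair(crt_path: str, key_path: str, crt: bytes, key: bytes,
                 run: Callable = subprocess.run) -> None:
    """Both halves, as the thread found necessary: cert world-readable, key 0600."""
    immutable_replace(crt_path, crt, 0o644, run)
    immutable_replace(key_path, key, 0o600, run)

def dry_run_demo() -> tuple:
    """Exercise the hook with a fake runner (no root, no real chattr):
    returns (commands issued, final cert bytes, immutable flag as read back)."""
    calls: List[str] = []

    def fake_run(cmd, **kwargs):
        calls.append(" ".join(cmd[:-1]))   # record the verb, drop the temp path
        return subprocess.CompletedProcess(cmd, 0,
                                           stdout="----i---------e------- " + cmd[-1] + "\n")

    with tempfile.TemporaryDirectory() as d:
        crt = os.path.join(d, "unifi-core.crt")
        key = os.path.join(d, "unifi-core.key")
        install_pair(crt, key, b"INITIAL CERT", b"INITIAL KEY", run=fake_run)  # first install
        immutable_replace(crt, b"RENEWED CERT", run=fake_run)                  # a later renewal
        with open(crt, "rb") as f:
            final = f.read()
        flag = is_immutable(crt, run=fake_run)
    return calls, final, flag

if __name__ == "__main__":
    print(dry_run_demo())
    # On the console itself (as root), the renewal service would call something like
    # (key path assumed, see lead-in):
    #   install_pair("/data/unifi-core/config/unifi-core.crt",
    #                "/data/unifi-core/config/unifi-core.key", new_crt, new_key)
```

The dry run issues chattr +i for both files on first install, then -i / +i around the renewal, and a final lsattr; a real run follows with a service restart, as the thread notes the cert is only read at restart. Keep the directory itself mutable or the rename step will fail with EPERM.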
Not sure this helps, but I'm on EA release v3.2.12 and all I had to do was move the cert and key to /data/eus_certificates/unifi-os.crt and /data/eus_certificates/unifi-os.key respectively.
from ubios-cert.
@forrestrae interesting observation, have you ever used Glenn R.'s "UniFi Let's Encrypt" before?
That script creates such a directory. If you did not use it before, maybe UI has implemented that script's mechanisms into the firmware.
from ubios-cert.