Emerging Member
Posts: 50
Registered: ‎04-13-2017
Kudos: 14
Solutions: 1

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

I am using certs issued from letsencrypt, super simple to set up and totally free. Lifetime is only 90 days max but the renewal can be automated and with a little scripting the output can be put into the PEM format the device needs, copied to the correct location and the http server restarted.

I haven't done the automation part, however. I renew the certs on my local machine and then just copy over.

Phill

New Member
Posts: 16
Registered: ‎04-11-2018
Solutions: 2

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

@phillipmcmahon, will you be able to please show the steps to get letsencrypt working? From https://github.com/j-c-m/ubnt-letsencrypt I followed the instructions till sudo /config/scripts/renew.acme.sh. But PuTTY is stuck on stopping gui services edgerouter.

I am trying to set up an https certificate for my router and it's for home use only.

Emerging Member
Posts: 50
Registered: ‎04-13-2017
Kudos: 14
Solutions: 1

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

I had to ditch my Ubiquiti device as my ISP moved to g.fast and until there is a g.fast bridge available to sit in front of the Edgerouter I was stuck.

That being said I also gave up with automating any of this. I simply generate a letsencrypt cert locally on my machine (I ended up using a wildcard since it was supported), concatenated the cert and key into a single file (server.pem), replaced the default version, restarted the GUI manually and all was good. A total of 4 minutes max every 3 months. Something I was fine with.

See below for a little more detail.

https://www.stevejenkins.com/blog/2015/10/install-an-ssl-certificate-on-a-ubiquiti-edgemax-edgeroute...

New Member
Posts: 16
Registered: ‎04-11-2018
Solutions: 2

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

I am not that clued up with the letsencrypt cert method. Do you still remember the steps?

I would like to know how to sign the cert after creating it from this command:

# openssl req -sha256 -new -newkey rsa:2048 -nodes -out hostname_example_com.csr -keyout hostname_example_com.key -subj "/C=US/ST=Washington/L=Seattle/O=My Company LLC/OU=Network Ops/CN=hostname.example.com"

I copy the contents of hostname_example_com.cer using:

# cat hostname_example_com.csr

Then I am lost, I tried to look at https://certbot.eff.org/lets-encrypt/pip-other but it does not show how to sign a cert.

Please assist if possible.

Emerging Member
Posts: 50
Registered: ‎04-13-2017
Kudos: 14
Solutions: 1

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

So I use acme.sh and the DNS authorisation functionality. What this means is I go to my Domain/DNS provider and get my API keys. Using those with acme.sh allows me to simply generate any cert associated with the domains I own.

e.g. once in possession of my API data I export them on the command line so acme.sh can pick them up.

export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdafdsfdsfdsfdsfdsafd"

Then I can easily generate a key using

acme.sh --issue --dns dns_gd -d example.com -d www.example.com -d '*.example.com'

All cert generation, signing etc is taken care of and I don't have to mess about with firewall ports etc.

Happy to help offline if you need more detail. I can even screen share and show you how I do it.

New Member
Posts: 16
Registered: ‎04-11-2018
Solutions: 2

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

I don't have a DNS/domain provider as I need it for a home install, your steps are more for companies with websites/DMZ domain controllers etc.

Emerging Member
Posts: 50
Registered: ‎04-13-2017
Kudos: 14
Solutions: 1

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Sounds like you just need a self-signed certificate, letsencrypt is really meant for DNS validated (automated or otherwise) based SSL certificates and I don't think it is what you need.

Follow the steps here up until you generate cert parts into a pem file. Copy this pem file (renamed server.pem) to the location mentioned in the earlier post, restart and you will be good to go.

However, the cert won't be trusted by your browser and will show an error. If you want a trusted SSL cert then you cannot avoid going down the DNS verification route somehow.

Happy to assist offline. Ping me.
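
Added example, not part of any post in this thread: a shell sketch of the self-signed route discussed above, generating a certificate whose hostname is in subjectAltName (the field Chrome 58+ matches against, since it no longer falls back to the CN) and concatenating certificate and key into server.pem. The hostname, output directory, 90-day lifetime and the req.cnf/server.key/server.crt file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: self-signed cert with a subjectAltName, bundled as server.pem.
# All names below except server.pem are assumptions, not taken from the thread.

# make_server_pem HOST OUTDIR [DAYS]; body runs in a subshell so umask stays local.
make_server_pem() (
    host="$1"; outdir="$2"; days="${3:-90}"
    mkdir -p "$outdir" || return 1
    umask 077   # private key and bundle readable by the owner only
    # A config file is used instead of -addext so older OpenSSL builds also work.
    cat > "$outdir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days "$days" \
        -config "$outdir/req.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null || return 1
    # Certificate first, then key, in one file.
    cat "$outdir/server.crt" "$outdir/server.key" > "$outdir/server.pem"
)

# check_server_pem HOST PEM; succeeds only if the bundle's certificate carries
# a SAN entry for HOST and the private key in the same file matches it.
check_server_pem() {
    host="$1"; pem="$2"
    openssl x509 -in "$pem" -noout -text | grep -qF "DNS:$host" || return 1
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Example run (constructed hostname):
#   make_server_pem hostname.example.com ./out 90
#   check_server_pem hostname.example.com ./out/server.pem && echo "bundle OK"
```

Running check_server_pem before copying the file over catches a mismatched key or a missing SAN while the old certificate is still in place.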
