Member
Posts: 147
Registered: ‎09-11-2010
Kudos: 10
Accepted Solution

Edgerouter to unms - lws_ssl_client_connect2 failed

[ Edited ]

Hello,

I'm getting this error on all my edgerouters I'm trying to connect to the unms controller.

I have my own server.pem certificate with both public and private key, and when I access via https it's trusted.

The time is also correct in both ends.

I can ping the unms controller from the outside via dns name.


error:

2017-07-26 08:49:02 INFO  connecting to unms.domain.dk:443
2017-07-26 08:49:02 ERROR connection error (unms.domain.dk:443): lws_ssl_client_connect2 failed

Any good ideas?


Accepted Solutions
Ubiquiti Employee
Posts: 615
Registered: ‎05-24-2016
Kudos: 403
Solutions: 82

Re: Edgerouter to unms - lws_ssl_client_connect2 failed

@infolink

Hi, thank you for your bug report. Your device UNMS connector doesn't trust your UNMS certificate. Could you please check:

  • your certificate is valid for the UNMS domain: unms.domain.dk (your certificate common name has to be unms.domain.dk or *.domain.dk)
  • your UNMS certificate has to be signed by a trusted certificate authority. If it's a self-signed certificate or a certificate signed by an untrusted certificate authority, your UNMS key has to include +allowSelfSignedCertificate. You can change it in SETTINGS->UNMS->ADVANCED SETTINGS->Allow self signed certificate. Then you can use the new UNMS key and reconnect your devices to UNMS.
  • check that your UNMS is running on port 443. So you don't have a reverse proxy or custom inform port. If you have them, please check the wiki links.



All Replies
New Member
Posts: 22
Registered: ‎05-12-2016
Kudos: 3
Solutions: 1

Re: Edgerouter to unms - lws_ssl_client_connect2 failed

I'm having the exact same issue. My certificate is valid for my unms domain. All browsers show it as a valid non-self-signed cert. I've used Let's Encrypt to generate the certificate for my domain.

I've also tried to change the Allow Self Signed cert just to see if that would help but it doesn't.

I'm running it behind an nginx reverse proxy on port 443.

I installed using this bash command:

sudo bash /tmp/unms_install.sh --behind-reverse-proxy --public-https-port 443 --http-port 28080 --https-port 28443
Member
Posts: 147
Registered: ‎09-11-2010
Kudos: 10

Re: Edgerouter to unms - lws_ssl_client_connect2 failed

@UBNT-Jindrich

Thanks for replying so fast.

I found out the certificate was wrong, so I fixed this but still got the same error.

Had to run this command to set the port to 443 even though I'm pretty sure I didn't change it, but it works now so who knows.

sudo bash /tmp/unms_install.sh --http-port 80 --https-port 443

 Thanks again.

New Member
Posts: 17
Registered: ‎08-25-2016
Kudos: 1
Solutions: 1

Re: Edgerouter to unms - lws_ssl_client_connect2 failed

[ Edited ]

Exactly the same happened when I switched cert from the snakeoil to a self-signed (by our own CA).

When first installed, UNMS was using snakeoil certs, and found, and connected to the EdgeRouters.

However, when changing the certs to our own, problems arose.

When curl'ing the unms hostname and port (from the EdgeRouter), curl said SSL errors.

It was resolved by adding our CA's cert to the EdgeRouters' CA bundle:

copying the .crt to /usr/share/ca-certificates/extra

and then adding the full file with path to /etc/ca-certificates.conf

then running update-ca-certificates

Then I could run curl, which gave no errors.

In the UNMS Admin, I found the devices, and selected Refresh, and confirm.

And then, as expected, the error in /var/log/unms.log was replaced by:

2017-12-28 19:10:37 INFO udapi-bridge ubnt/0.0.7
2017-12-28 19:10:37 INFO connecting to xxx:443
2017-12-28 19:10:37 INFO connection established

 

Also (unrelated to the EdgeRouter), we had to delete the HSTS from Chrome, to not have it think we were MITM'ing with our new (non-snakeoil) cert.
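
Added example (not part of any post in this thread and not Ubiquiti code): an offline reproduction of the two certificate checks discussed above, chain trust against the client's CA bundle and hostname match including the *.domain wildcard case. It assumes the openssl CLI is installed; the demo.test names, the "Demo CA" names and all function names are constructed for illustration, and appending the CA to a bundle file stands in for the effect of update-ca-certificates.

```shell
#!/bin/sh
# Constructed demo: every name, key and certificate below is generated locally.

# make_ca DIR NAME: self-signed CA in DIR/NAME.crt (also writes DIR/pki.cnf)
make_ca() {
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'commonName = CN' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/pki.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/pki.cnf" \
        -extensions v3_ca -subj "/CN=Demo CA $2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA NAME: server cert for DNS name NAME, signed by DIR/CA (needs pki.cnf)
make_leaf() {
    printf 'subjectAltName=DNS:%s\n' "$3" > "$1/san.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -extfile "$1/san.ext" -out "$1/leaf.crt" 2>/dev/null
}

# chain_ok BUNDLE CERT: does CERT chain to a CA found in BUNDLE?
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# host_ok BUNDLE CERT HOST: chain check plus hostname match against the cert
host_ok() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

# report LABEL CMD...: print PASS or FAIL for one check without aborting
report() { l=$1; shift; if "$@"; then echo "PASS $l"; else echo "FAIL $l"; fi; }

# demo: a wildcard server cert from a private CA, checked before and after the fix
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" stock && make_ca "$d" private &&
        make_leaf "$d" private '*.demo.test' || return 1
    cp "$d/stock.crt" "$d/bundle.crt"            # client bundle without the private CA
    report "chain, stock bundle" chain_ok "$d/bundle.crt" "$d/leaf.crt"
    cat "$d/private.crt" >> "$d/bundle.crt"      # private CA added to the bundle
    report "chain, private CA added" chain_ok "$d/bundle.crt" "$d/leaf.crt"
    report "name unms.demo.test" host_ok "$d/bundle.crt" "$d/leaf.crt" unms.demo.test
    report "name demo.test" host_ok "$d/bundle.crt" "$d/leaf.crt" demo.test
    rm -rf "$d"
}
demo
```

The first and last checks are expected to fail: the stock bundle does not contain the issuing CA, and a *.demo.test wildcard covers exactly one label, so it does not match the bare domain.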
