New Member
Posts: 8
Registered: ‎04-10-2017
Accepted Solution

UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

Hello,

UNMS does not work with an SSL certificate. I use --ssl-cert-dir /etc/certificates --ssl-cert xxx.crt --ssl-cert-key xxx.key --ssl-cert-ca xxx.pem to install the SSL certificate, and the application does not start.

If I delete an installation certificate then it works fine.

I checked alpha, beta1, beta2 and rc1, and it does not work.

Versions 0.10 and 0.9 work well.

Thanks

All Replies
Ubiquiti Employee
Posts: 219
Registered: ‎09-08-2017
Kudos: 67
Solutions: 12

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

@jckubiaczyk Thank you for reporting this, Jean-Christophe. I will try to replicate this issue on our systems and I will let you know what's next.

New Member
Posts: 8
Registered: ‎04-10-2017

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

If I use an SSL certificate:

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
addc750d9f55 unms_nginx "/entrypoint.sh ngin…" 13 seconds ago Restarting (1) 3 seconds ago unms-nginx
6325038bfa43 ubnt/unms:0.11.0-rc1 "/usr/bin/dumb-init …" 15 seconds ago Up 13 seconds unms
ca9de130f544 rabbitmq:3 "docker-entrypoint.s…" 16 seconds ago Up 14 seconds unms-rabbitmq
5a0515e9c8d3 postgres:9.6.1-alpine "/docker-entrypoint.…" 16 seconds ago Up 14 seconds unms-postgres
f4ebea1a7785 redis:3.2.8-alpine "docker-entrypoint.s…" 16 seconds ago Up 15 seconds unms-redis
87992fb26c27 unms_fluentd "/entrypoint.sh /bin…" 17 seconds ago Up 16 seconds 5140/tcp, 127.0.0.1:24224->24224/tcp unms-fluentd
UNMS is running

If I do not use an SSL certificate:

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7bf4e7231ad9 unms_nginx "/entrypoint.sh ngin…" 4 seconds ago Up 3 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp unms-nginx
683362f2f3b9 ubnt/unms:0.11.0-rc1 "/usr/bin/dumb-init …" 5 seconds ago Up 4 seconds unms
f73c225fb58d postgres:9.6.1-alpine "/docker-entrypoint.…" 7 seconds ago Up 6 seconds unms-postgres
10661ba69f04 redis:3.2.8-alpine "docker-entrypoint.s…" 7 seconds ago Up 6 seconds unms-redis
e60fe8ec7a7f rabbitmq:3 "docker-entrypoint.s…" 7 seconds ago Up 6 seconds unms-rabbitmq
912618da11dc unms_fluentd "/entrypoint.sh /bin…" 8 seconds ago Up 7 seconds 5140/tcp, 127.0.0.1:24224->24224/tcp unms-fluentd
UNMS is running

Ubiquiti Employee
Posts: 316
Registered: ‎01-26-2017
Kudos: 82
Solutions: 32

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

@jckubiaczyk please check the ~unms/data/logs/nginx.*.log file for related error messages

New Member
Posts: 8
Registered: ‎04-10-2017

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

2017-12-05T13:00:31Z nginx {"source":"stdout","log":"Running entrypoint.sh","container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab","container_name":"/unms-nginx"}
2017-12-05T13:00:31Z nginx {"container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab","container_name":"/unms-nginx","source":"stdout","log":"Creating user unms with UID 1001"}
2017-12-05T13:00:31Z nginx {"source":"stdout","log":"Creating /www directory","container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab","container_name":"/unms-nginx"}
2017-12-05T13:00:31Z nginx {"container_name":"/unms-nginx","source":"stdout","log":"Creating Nginx config files","container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab"}
2017-12-05T13:00:31Z nginx {"source":"stdout","log":"Running fill-template.sh /nginx.conf.template /etc/nginx/nginx.conf","container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab","container_name":"/unms-nginx"}
2017-12-05T13:00:31Z nginx {"source":"stdout","log":"Running fill-template.sh /combined.conf.template /etc/nginx/conf.d/combined.conf","container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab","container_name":"/unms-nginx"}
2017-12-05T13:00:31Z nginx {"container_name":"/unms-nginx","source":"stdout","log":"Will use custom SSL certificate","container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab"}
2017-12-05T13:00:31Z nginx {"container_name":"/unms-nginx","source":"stdout","log":"Entrypoint finished","container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab"}
2017-12-05T13:00:31Z nginx {"source":"stdout","log":"Calling exec nginx -g daemon off;","container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab","container_name":"/unms-nginx"}
2017-12-05T13:00:31Z nginx {"container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab","container_name":"/unms-nginx","source":"stderr","log":"2017/12/05 13:00:31 [emerg] 7#7: unknown directive \"ssl_certificate_ca\" in /etc/nginx/conf.d/combined.conf:11"}
2017-12-05T13:00:31Z nginx {"container_id":"1d5891c5e4cd9ea706fee63f0be35b7d7b06141ae4ea8b545e066b787cff2cab","container_name":"/unms-nginx","source":"stderr","log":"nginx: [emerg] unknown directive \"ssl_certificate_ca\" in /etc/nginx/conf.d/combined.conf:11"}

New Member
Posts: 8
Registered: ‎04-10-2017

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

I have this error

 

{"source":"stderr","log":"nginx: [emerg] unknown directive \"ssl_certificate_ca\" in
Ubiquiti Employee
Posts: 316
Registered: ‎01-26-2017
Kudos: 82
Solutions: 32

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

@jckubiaczyk thank you.. that looks like a bug on our side, I'll investigate

New Member
Posts: 8
Registered: ‎04-10-2017

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

Thanks for the reply. On my system the certificates have been copied to /home/unms/data/cert.

Ubiquiti Employee
Posts: 316
Registered: ‎01-26-2017
Kudos: 82
Solutions: 32

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

So apparently the SSL certificate config in Nginx is a bit different and it doesn't accept a separate CA file. It expects the full chain in the --ssl-cert file.

As a workaround:
- Please drop the --ssl-cert-ca xxx.pem from the installation arguments.
- If your xxx.crt file doesn't contain the full chain, you can create it:
   cat xxx.crt xxx.pem > fullchain.pem
  and then specify --ssl-cert=fullchain.pem

I'll try to figure out a way to handle this in 0.11.0 without requiring users to change their certificates.
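
The workaround above joins the leaf certificate and the CA file into the one file passed to --ssl-cert. The following is an added example (not part of the original thread and not UNMS code) that builds that file with checks for the usual concatenation mistakes: a missing final newline, CRLF line endings, a private key in the bundle, and an xxx.crt that already holds the chain. The function names are this example's own, and make_samples writes constructed placeholder PEM blocks, not real certificates.

```bash
#!/usr/bin/env bash
# Added example: build the single chain file (leaf first, then CA certificates).

count_certs() {             # number of lines that open a PEM certificate block
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

normalize() {               # drop CRs and blank lines, guarantee a final newline
    tr -d '\r' < "$1" | awk 'NF'
}

build_fullchain() {         # usage: build_fullchain LEAF.crt CA.pem OUT.pem
    local leaf="$1" ca="$2" out="$3" f tmp want got
    for f in "$leaf" "$ca"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
        # The chain file is sent to every client: a private key must never be in it.
        if grep -q -- 'PRIVATE KEY-----' "$f"; then
            echo "$f contains a private key, refusing" >&2; return 3
        fi
        # END/BEGIN markers fused by an earlier newline-less cat break PEM parsing.
        if normalize "$f" | grep -q -- '-----END CERTIFICATE-----.'; then
            echo "$f has text after an END marker on the same line" >&2; return 4
        fi
        [ "$(count_certs "$f")" -ge 1 ] || { echo "$f: no certificate" >&2; return 5; }
    done
    want=$(count_certs "$leaf")
    tmp=$(mktemp "$out.XXXXXX") || return 6
    if [ "$want" -gt 1 ]; then
        normalize "$leaf" > "$tmp"      # xxx.crt already holds a chain: do not append twice
    else
        want=$(( want + $(count_certs "$ca") ))
        { normalize "$leaf"; normalize "$ca"; } > "$tmp"
    fi
    got=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$tmp" || true)
    if [ "$got" -ne "$want" ]; then
        rm -f "$tmp"; echo "expected $want certificates, got $got" >&2; return 7
    fi
    mv "$tmp" "$out"
}

key_matches_leaf() {        # usage: key_matches_leaf FULLCHAIN.pem KEY.pem (needs openssl)
    local a b
    # openssl x509 reads only the first certificate in a file, hence leaf first.
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

make_samples() {            # constructed placeholder PEM blocks, NOT real certificates
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' \
        '-----END CERTIFICATE-----' > "$1/xxx.crt"        # no final newline
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q0E=' \
        '-----END CERTIFICATE-----' > "$1/xxx.pem"        # CRLF line endings
}

demo() {
    local d; d=$(mktemp -d) || return 1
    make_samples "$d"
    cat "$d/xxx.crt" "$d/xxx.pem" > "$d/naive.pem"        # plain cat of the same files
    build_fullchain "$d/xxx.crt" "$d/xxx.pem" "$d/fullchain.pem" || return 1
    echo "plain cat:       $(grep -c '^-----BEGIN CERTIFICATE-----' "$d/naive.pem") well-formed block start(s)"
    echo "build_fullchain: $(grep -c '^-----BEGIN CERTIFICATE-----' "$d/fullchain.pem") well-formed block start(s)"
    rm -rf "$d"
}

demo
```

With real files, run key_matches_leaf on the result and the --ssl-cert-key file before reinstalling; a mismatch there means the wrong certificate ended up first in the chain.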

New Member
Posts: 8
Registered: ‎04-10-2017

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

Thank you, it works correctly.


New Member
Posts: 9
Registered: ‎01-13-2017
Kudos: 6

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

Ran into this as well. We'll wait to see if you come up with anything to let us keep the cert before trying to replace anything.

Member
Posts: 165
Registered: ‎06-02-2015
Kudos: 21
Solutions: 6

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

I was using a Let's Encrypt certificate while on 0.10.4. Then I upgraded manually and got a certificate issue.
Not sure how to proceed now, since I was not using a custom cert.

Connecting to localhost (localhost)|::1|:443... connected.
ERROR: The certificate of ‘localhost’ is not trusted.
ERROR: The certificate of ‘localhost’ hasn't got a known issuer.
The certificate's owner does not match hostname ‘localhost’

 

In the email I received a message from UNMS:

SSL certificate renewal failed. Please check Settings/UNMS and the nginx.*.log file for error messages. (6 Dec 2017 21:00)

Ubiquiti Employee
Posts: 219
Registered: ‎09-08-2017
Kudos: 67
Solutions: 12

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

@sash11 Hello Oleksandr. I am sorry that you have issues with 0.11.0. In this version we introduced an Nginx reverse proxy which is communicating with Let's Encrypt on port 80. Please make sure you have this port open.

During the manual upgrade, did you by any chance use a "--ssl-cert" argument? It may cause troubles as described here.

If you send me the nginx.*.log file I will forward it to developers to analyze and find the cause of your troubles.

Member
Posts: 165
Registered: ‎06-02-2015
Kudos: 21
Solutions: 6

Re: UNMS Beta 0.11.0rc1 - Does not work with certificates SSL

I ended up issuing a Let's Encrypt certificate manually through a DNS TXT record check and reinstalling UNMS with this certificate. Now I can access the web GUI without issues. At least this way I don't have to keep port 80 open from the internet)