
Official Lets Encrypt Support for HTTPS

Submitted by -
Status: Accepted

Rather than self-signed certs, web-exposed controllers should have the ability to grab and automatically maintain a Let's Encrypt cert as a one-click solution.

Forum thread: http://community.ubnt.com/t5/UniFi-Wireless/Lets-Encrypt-and-UniFi-controller/m-p/1406670#M131139

Comments
by
on 02-02-2016 11:18 AM
Agreed, but Let's Encrypt is still beta, so I suppose waiting until final is a good idea.
by
on 02-16-2016 01:37 AM
My 2c on this: the usual way of verifying via Let's Encrypt is via an HTTP request, which would be a terrible idea on a router. There is a newer verification method, DNS-01, which allows a DNS TXT record to be used to verify instead, but it is not supported by the default client. https://github.com/lukas2511/letsencrypt.sh is an alternative client with very minimal dependencies (I'm pretty sure all dependencies are already met on an EdgeRouter) which supports DNS-01 challenges. The problem with DNS-01 challenges is that the client needs to be able to dynamically update one's DNS records, which will vary depending on the DNS provider. nsupdate might be a good one to support out of the box (there's also an example script for it), but it would likely require the ability to set a custom hook script to implement provider-specific functionality. Let's Encrypt also requires setting an intermediate CA in lighttpd (although this is trivial).
by
on 02-16-2016 11:22 PM

I'd like to see any sort of certificate management inside of the controller at all.  Keytool is a pain to use and I'm not looking forward to messing with it again next year when I update my wildcard cert across all my servers.

by
05-07-2016 10:46 AM - edited 05-07-2016 10:48 AM

I'm not against this, but IMHO this is pseudo-security. Publicly trusted certificates are required to make sites look trustworthy to foreign visitors, which isn't required for private infrastructure. Within a company the correct way of using certificates is to use your own CA. In a Windows environment the DC will provide exactly that service, and the root CA cert will be distributed to all AD members automatically. Alternatively, and on non-Windows infrastructure, use easy-rsa and import the root certificate on your machines. Importing that root CA cert is a once-in-a-lifetime action for every device.

Let's Encrypt is a nice service, but honestly I wouldn't rely on it. At least not yet. Reason being: they penetrate the certificate market. If they make the slightest mistake (or get hacked), Comodo, Thawte, VeriSign, ... will be after them. Their CA will be removed from browsers and systems quicker than it got in there, and then you may have machines running with revoked certificates, which is worse than private certificates. Of course that can happen to every public CA, but for LE there's more public pressure.

Just my 2 cents...

by
on 05-07-2016 10:53 PM
Not everyone is running their own PKI, and distributing custom root CAs to a bunch of devices can actually reduce overall security, as a CA compromise now lets you compromise the security of any device that the private root CA is installed on. If you're running half a dozen devices, Let's Encrypt is a much better option than running your own private PKI and installing a private trusted root CA cert on all your devices (which quite possibly outnumber the number of devices you are looking at installing certs on, even!)
by
on 05-08-2016 01:10 AM

In addition, private PKI doesn't help you when you don't manage all the devices that access UniFi. I run a lot of different businesses' hotels from a single UniFi cloud server, and each business owner has access to their own site(s). So far I've only had to renew the cert once (I use SSLMate since I have a wildcard cert for my domain). If I could just "set and forget", either via built-in shell support for replacing the cert from Ubiquiti or built-in Let's Encrypt support via the web UI or something, that would be splendid.

Barring that, I'll see if I can't whip up a shell script that will work with most default (Debian-based) Linux installs sometime.  I don't mind doing it by hand since it's once per year, but if I can automate it and help out the rest of the community all the better.
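A hook script of the kind the 02-16-2016 comment describes (DNS-01 validation through nsupdate, driven by a custom hook) that also does the keystore swap the comment above wants to automate. This is an added example, not code from this thread, from the Reddit script or from Ubiquiti. The hook calling convention (deploy_challenge / clean_challenge / deploy_cert with the arguments listed in the header) is letsencrypt.sh's, now called dehydrated; the name server, TSIG key path, keystore path /var/lib/unifi/keystore, key alias unifi and store password are assumptions to replace with your own values.

```shell
#!/bin/sh
# Hypothetical letsencrypt.sh / dehydrated hook (added example, not project code).
# dehydrated invokes it as:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh deploy_cert      DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# DNS-01 is used so the controller never has to answer HTTP on port 80.
set -e

# --- ASSUMPTIONS: adjust to your environment --------------------------------
NSUPDATE_SERVER="${NSUPDATE_SERVER:-ns1.example.com}"        # primary that accepts dynamic updates
NSUPDATE_KEYFILE="${NSUPDATE_KEYFILE:-/etc/acme/tsig.key}"   # TSIG key handed to nsupdate -k
UNIFI_KEYSTORE="${UNIFI_KEYSTORE:-/var/lib/unifi/keystore}"  # assumed controller keystore path
UNIFI_KEYSTORE_PASS="${UNIFI_KEYSTORE_PASS:-aircontrolenterprise}" # assumed default store password
UNIFI_ALIAS="${UNIFI_ALIAS:-unifi}"                          # assumed key alias in that store
CHALLENGE_TTL=60

# Emit the nsupdate batch that publishes ("add") or withdraws ("delete") the
# _acme-challenge TXT record. Producing text instead of calling nsupdate
# directly keeps the DNS logic inspectable without a name server.
nsupdate_batch() {
    op="$1"; domain="$2"; value="$3"
    printf 'server %s\n' "$NSUPDATE_SERVER"
    case "$op" in
        add)    printf 'update add _acme-challenge.%s. %s IN TXT "%s"\n' "$domain" "$CHALLENGE_TTL" "$value" ;;
        delete) printf 'update delete _acme-challenge.%s. IN TXT\n' "$domain" ;;
        *)      echo "nsupdate_batch: unknown operation '$op'" >&2; return 1 ;;
    esac
    printf 'send\n'
}

deploy_challenge() {
    nsupdate_batch add "$1" "$3" | nsupdate -k "$NSUPDATE_KEYFILE"
    sleep 30   # let secondaries pick up the record before the CA queries it
}

clean_challenge() {
    nsupdate_batch delete "$1" "$3" | nsupdate -k "$NSUPDATE_KEYFILE"
}

# Bundle the PEM key with the full chain (leaf plus the Let's Encrypt
# intermediate, so clients receive the intermediate) into PKCS#12 and swap it
# into the Java keystore; this replaces the yearly keytool session by hand.
deploy_cert() {
    keyfile="$2"; fullchain="$4"
    umask 077                                   # the PKCS#12 bundle holds the private key
    bundle=$(mktemp)
    openssl pkcs12 -export -in "$fullchain" -inkey "$keyfile" -name "$UNIFI_ALIAS" \
        -out "$bundle" -passout "pass:$UNIFI_KEYSTORE_PASS"
    keytool -delete -alias "$UNIFI_ALIAS" -keystore "$UNIFI_KEYSTORE" \
        -storepass "$UNIFI_KEYSTORE_PASS" >/dev/null 2>&1 || true   # absent on first run
    keytool -importkeystore -noprompt \
        -srckeystore "$bundle" -srcstoretype PKCS12 -srcstorepass "$UNIFI_KEYSTORE_PASS" \
        -srcalias "$UNIFI_ALIAS" -destalias "$UNIFI_ALIAS" \
        -destkeystore "$UNIFI_KEYSTORE" -deststorepass "$UNIFI_KEYSTORE_PASS"
    rm -f "$bundle"
    service unifi restart
}

# Dispatch on the hook stage dehydrated passes as $1; other stages are ignored.
HANDLER=""
if [ $# -gt 0 ]; then HANDLER="$1"; shift; fi
case "$HANDLER" in
    deploy_challenge|clean_challenge|deploy_cert) "$HANDLER" "$@" ;;
    *) : ;;
esac
```

Point dehydrated at it with CHALLENGETYPE="dns-01" and HOOK="/path/to/hook.sh" in its config and run it from cron or a systemd timer. Restrict the TSIG key on the name server (for BIND, an update-policy grant limited to the _acme-challenge names) so a compromised controller can only touch challenge records, not the whole zone.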

by
on 05-08-2016 02:33 PM

+1 This.

I do the exact same thing and have client businesses, schools, motels and tourist parks connecting back to a UniFi controller.

I found a script already made to work with UniFi by a dude on Reddit. The link is here:

https://www.reddit.com/r/Ubiquiti/comments/43v23u/using_letsencrypt_with_the_unifi_controller/

I also use a VPN product called Pritunl, and to my surprise Let's Encrypt support was baked into the GUI... just typed in the hostname of the server and clicked apply; it did the rest!

This would be seriously great so customers who go to hotspot manager aren't hit up with a security warning unless the painful process of buying and applying certificates is followed!

by
on 05-31-2016 02:58 PM

My Synology supports this and is a perfect example of the right implementation. Exactly the same on the USG and Cloud Key would be great.

by
on 06-16-2016 06:20 AM

Make it so!

by
on 06-19-2016 02:12 PM

+1 Support! Can't wait.