New Member
Posts: 8
Registered: ‎03-30-2016
Kudos: 24

Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

So I just set up a Unifi NVR for the first time, and I was trying to use a custom SSL certificate for the externally facing HTTPS service on port 7443. I did a bunch of searches on this forum, but found the instructions either obsolete from many years ago, different paths, or missing various steps available in other posts. I emailed support but they didn't have anything either. So I have put together a complete guide on how I got this to work, with every gotcha along the way, so that hopefully others will save the many hours I spent trying to get this working.

1. I used StartSSL.com and generated a new key according to their instructions. Domain name used will be nvr.example.com. I ran this command on my local OSX machine to generate the CSR, although you can do this on the NVR device itself if you need:

openssl req -newkey rsa:2048 -keyout nvr.example.com.key -out nvr.example.com.csr

It will ask for a pass phrase here, I think you should use "ubiquiti". If you don't do it here, you can fix this up in step #8. Then you upload the CSR and they generate a response ZIP file containing the signed key.

2. Unzip the ApacheServer.zip which contains the file 2_nvr.example.com.crt ... upload the KEY and CRT files to /root/NVR-KEY/ on your NVR device using SSH.

3. Convert the certificate into PKCS12 format which is needed by the Java keytool - based on this guide http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

openssl pkcs12 -export -out /root/NVR-KEY/certificate.pfx -inkey /root/NVR-KEY/nvr.example.com.key -in /root/NVR-KEY/2_nvr.example.com.crt

4. Now make a backup of the old keystore file, and import the new certificate into the keystore. This is the only file you will be changing, so it is easy to go back if you mess something up:

cp /srv/unifi-video/keystore /srv/unifi-video/keystore-backup
keytool -importkeystore -destkeystore /srv/unifi-video/keystore -deststorepass ubiquiti -srckeystore /root/NVR-KEY/certificate.pfx -srcstoretype PKCS12

5. Now there are two keys present, and the new one is referred to as "1":

keytool -list -keystore /srv/unifi-video/keystore

Your keystore contains 2 entries (airvision is the existing key, 1 is the new key)

airvision, Mar 26, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): <redacted>
1, Mar 30, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): <redacted>

6. You need to delete the existing airvision key:

keytool -delete -keystore /srv/unifi-video/keystore -storepass ubiquiti -alias airvision

7. Now rename 1 to airvision:

keytool -changealias -keystore /srv/unifi-video/keystore -storepass ubiquiti -alias 1 -destalias airvision

8. At this point, I tried to reboot and noticed that my keystore was deleted and regenerated. I tried to protect the keystore file by changing the permissions so it was not writable, but then I got the following error:

1459398354.951 2016-03-30 21:25:54.951/PDT: ERROR  Unable to initialize keystores in main
java.io.FileNotFoundException: /srv/unifi-video/keystore (Permission denied)

I worked out that it nukes your keystore if the password is not set properly on the key that is imported (it probably nukes the keystore for any other problems too if you make a mistake). The solution is to rename the password that was used to create the key back in step #1. This password needs to be "ubiquiti" as well, and you can fix it with this command:

keytool -keypasswd -alias airvision -keystore /srv/unifi-video/keystore

9. Now is a good time to make a copy of the keystore file in case it is overwritten due to any mistakes. Now you can use the "reboot" command to restart the machine.

reboot

10. Modify your router to port forward the necessary ports to your NVR device: https://help.ubnt.com/hc/en-us/articles/204909454-UniFi-Video-Default-Ports-Used-by-the-NVR-Cameras-...

I think only ports 7443 and 7446 are needed, and this supports both web browsers and the Android app.

11. Go to https://nvr.example.com:7443 and it seems to work ok with Chrome, although Firefox still gives me some certificate error but I think this is either a Firefox or StartSSL issue.

I hope this posting is helpful, and covers all the necessary steps. If anyone sees any mistakes or can suggest corrections I would be interested to discuss. I really wish Ubiquiti would build this into the web interface, or write an official article about how to do this - if Ubiquiti wants to take this posting and maintain it somewhere official, I would be very happy.

References:

https://community.ubnt.com/t5/UniFi-Video/Custom-SSL-certificate-on-NVR/m-p/1242513/highlight/true#M...

https://community.ubnt.com/t5/UniFi-Video/Custom-Certificate-for-Unifi-Video-Server/td-p/1042725

http://community.ubnt.com/t5/UniFi-Video/Nginx-Config/m-p/1250564#M38968

Ubiquiti Employee
Posts: 823
Registered: ‎02-05-2015
Kudos: 410
Solutions: 90

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

Thanks for posting! 

Regular Member
Posts: 517
Registered: ‎03-15-2015
Kudos: 135
Solutions: 4

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

Can you outline the advantage of performing this?

New Member
Posts: 8
Registered: ‎03-30-2016
Kudos: 24

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

@Ambul: if you use the standard certificate on the NVR, your Chrome browser will complain about the connection being insecure, since the hostname does not match the certificate. By getting a signed certificate, the browser can verify that the connection is legitimate. This ensures there are no man-in-the-middle attacks, protecting your login credentials, and is more secure. While you can manually add the certificate to each browser you connect from, you don't want to have to train unskilled users in doing this. So using a real certificate is a good idea, and lots of Unifi NVR owners have wanted to do this.

New Member
Posts: 24
Registered: ‎08-20-2015
Kudos: 8

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

Nice thanks a lot!

I used Let's Encrypt to get a free certificate! It also seems to work.

Install letsencrypt via git or apt

I have apache2 running and set the default www to /var/www/html with the standalone site.

sudo ./letsencrypt certonly --webroot -w /var/www/html -d nvr.example.com

nvr.example.com must direct to your server and port 80 so open your firewall.

You will then have your cert installed in

/etc/letsencrypt/live/nvr.example.com

Fix it to a Java based one

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name airvision -CAfile chain.pem -caname root

Set the password to ubiquiti

Then backup your keystore

sudo cp /var/lib/unifi-video/keystore /var/lib/unifi-video/keystore-backup

Import keystore

sudo keytool -importkeystore -destkeystore /var/lib/unifi-video/keystore -deststorepass ubiquiti -srckeystore cert_and_key.p12 -srcstoretype PKCS12

Use ubiquiti as source password.

This will say:

Existing entry alias airvision exists, overwrite? [no]: yes
Entry for alias airvision successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

So just overwrite it and you will be good.

Reboot and test it out!


New Member
Posts: 8
Registered: ‎03-30-2016
Kudos: 24

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

@Haggan: what version are you running? The /var/lib/unifi-video paths do not exist on the system I am running.

New Member
Posts: 24
Registered: ‎08-20-2015
Kudos: 8

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

Ubuntu 16.4 and Unifivideo 3.2.0

Just change to whatever you find unifivideo keystore and I hope it will work.

Established Member
Posts: 2,076
Registered: ‎03-11-2014
Kudos: 593
Solutions: 96

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

After doing this I now get a live view error saying port 7446 is not open.

Everything else went great.  Any idea besides portforwarding as to what would cause this?  Are there two places we need to put the new cert?

New Member
Posts: 14
Registered: ‎04-25-2016
Kudos: 18
Solutions: 1

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

Step 11:  the problem you get with Firefox is because you are missing the intermediate certs for StartSSL.

I'm not sure what the correct way to solve the problem here is.  My guess is that you need to append the Intermediate certs to the cert you receive from StartSSL.

From memory (aka, untested), I would add the following:

Step 1A: Download the Intermediate Certs from https://startssl.com/root.  Most likely, you'll want the Intermediate SSL Class 1 PEM cert.

Step 2A: Concatenate the .crts:

cat 2_nvr.example.com.crt sca.server1.crt >> bundle.crt

Step 3:  Change the command as follows:

openssl pkcs12 -export -out /root/NVR-KEY/certificate.pfx -inkey /root/NVR-KEY/nvr.example.com.key -in /root/NVR-KEY/bundle.crt

Again, I don't know if this will work, but I'm pretty sure this will at least get you going in the right direction.
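The suggestion above can be tested offline before touching the NVR. The script below is an added example and not part of this thread: it builds a throwaway root, intermediate and leaf certificate with openssl (constructed stand-ins for the StartSSL root, the Class 1 intermediate sca.server1.crt and 2_nvr.example.com.crt), shows that the leaf alone does not verify against the root while leaf plus intermediate does (the Firefox symptom), and then confirms that a PKCS12 built from the concatenated bundle carries both certificates. The demo subject names, the temporary paths and the "ubiquiti" export password are assumptions chosen to match the guide.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the Firefox symptom offline:
# a leaf certificate without its intermediate does not verify, the bundled
# chain does, and the PKCS12 built from the bundle carries both certificates.
# Needs only the openssl command line tool.

# Build a constructed root -> intermediate -> leaf chain under directory $1.
make_demo_chain() {
    dir=$1
    # self-signed root (stand-in for the StartSSL root)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1

    # intermediate CA signed by the root (stand-in for sca.server1.crt)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.pem" >/dev/null 2>&1

    # server leaf signed by the intermediate (stand-in for 2_nvr.example.com.crt)
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nvr.example.com\n' > "$dir/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=nvr.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# What a client that trusts only the root sees when the server sends the leaf alone.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# The same client when the intermediate is sent alongside the leaf; also checks
# the hostname the guide uses, which is the other reason browsers complain.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        -verify_hostname nvr.example.com "$1/leaf.pem" >/dev/null 2>&1
}

# Steps 2A and 3 from the post: concatenate leaf + intermediate, export to PKCS12.
build_bundle_pfx() {
    cat "$1/leaf.pem" "$1/int.pem" > "$1/bundle.crt"
    openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/bundle.crt" -name airvision \
        -passout pass:ubiquiti -out "$1/certificate.pfx" >/dev/null 2>&1
}

# Number of certificates inside the .pfx: 2 means leaf + intermediate were bundled,
# 1 means the chain is missing and Firefox will keep complaining.
count_pfx_certs() {
    openssl pkcs12 -in "$1/certificate.pfx" -nokeys -passin pass:ubiquiti 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

if [ "${1:-}" = "--run" ]; then
    work=$(mktemp -d)
    make_demo_chain "$work"
    if verify_leaf_only "$work"; then echo "leaf only: verifies"; else echo "leaf only: FAILS (the Firefox case)"; fi
    verify_with_intermediate "$work" && echo "leaf + intermediate: verifies"
    build_bundle_pfx "$work"
    echo "certificates in certificate.pfx: $(count_pfx_certs "$work")"
    rm -rf "$work"
fi
```

Run it as `sh chain_check.sh --run`. To apply the same check to a real .pfx from the guide, point count_pfx_certs at /root/NVR-KEY and expect 2 (leaf plus StartSSL intermediate) rather than 1.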

Established Member
Posts: 1,073
Registered: ‎04-07-2013
Kudos: 490
Solutions: 39

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

dtraub wrote:

After doing this I now get a live view error saying port 7446 is not open.

Everything else went great.  Any idea besides portforwarding as to what would cause this?  Are there two places we need to put the new cert?

I am seeing the same. Were you able to resolve this?

Member
Posts: 164
Registered: ‎10-31-2008
Kudos: 23
Solutions: 2

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

vbman213 wrote:

dtraub wrote:

After doing this I now get a live view error saying port 7446 is not open.

Everything else went great.  Any idea besides portforwarding as to what would cause this?  Are there two places we need to put the new cert?

I am seeing the same. Were you able to resolve this?

If you run step 5 after you are done, you should only have one entry (it should be called airvision).

Philip Dorr
KD0IXY
Member
Posts: 123
Registered: ‎09-09-2013
Kudos: 5
Solutions: 2

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016


I recently ordered a Wildcard cert GoDaddy.com and generated the CSR for it using OS X Server.  I have a few questions:

1. What "Server Type" should I download the certificate files for to use on a UVC NVR?

[attached screenshot: Screen Shot 2016-06-01 at 1.59.46 PM.png]

2. There are only two downloaded files, both .crt files. Do I still need to concatenate them?

Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016


Using Let's Encrypt is easy as, and free!

Install Certbot

cd /opt
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Request your certificate with:

/opt/certbot-auto certonly -d my.fqdn.com --standalone --standalone-supported-challenges http-01

Test installation with unifi-video:

service unifi-video stop
echo ubiquiti | openssl pkcs12 -export -inkey /etc/letsencrypt/live/my.fqdn.com/privkey.pem -in /etc/letsencrypt/live/my.fqdn.com/cert.pem -name airvision -out /usr/lib/unifi-video/data/keys.p12 -password stdin
echo y | keytool -importkeystore -srckeystore /usr/lib/unifi-video/data/keys.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti -srcstorepass ubiquiti
service unifi-video start

Create a script + cron job to automate renewals

/opt/unifivideorenewal.sh

#!/bin/sh
# renew the Let's Encrypt certificate (port 80 must be free for the standalone challenge)
/opt/certbot-auto renew --standalone --standalone-supported-challenges http-01
# repackage the renewed key + cert as PKCS12 and re-import it over the "airvision" alias
service unifi-video stop
echo ubiquiti | openssl pkcs12 -export -inkey /etc/letsencrypt/live/my.fqdn.com/privkey.pem -in /etc/letsencrypt/live/my.fqdn.com/cert.pem -name airvision -out /usr/lib/unifi-video/data/keys.p12 -password stdin
echo y | keytool -importkeystore -srckeystore /usr/lib/unifi-video/data/keys.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti -srcstorepass ubiquiti
service unifi-video start

Crontab the script to run every 30 or so days.

I also run nginx to redirect all requests on port 80/443 into the unifi-video 7443.

It also uses the LE certificates from the live folder.

Running it as a proxy was not good enough in the time I had to make it work.

New Member
Posts: 2
Registered: ‎03-14-2016
Kudos: 1

This is outstanding - a couple of additions that helped me.

Thanks for this guide - it worked for me.  Mostly.

On one of my NVRs (but not the other), there was also a "slave" key.  You have to delete that from the keystore as well.

Also, some things I did when troubleshooting:

I renamed the truststore file in /srv/unifi-video to truststore.old to allow it to regenerate.  Don't know if this had any effect.

Lastly, I had made a backup of the keystore as you suggested and then restored it when something didn't work.  This had the effect of changing the owner of the keystore file to root:root.  I changed it back (chown unifi-video:unifi-video ./keystore) so that there wouldn't be permissions problems.

One thing I would like to do is find a way to change the port 80 redirect.  Right now, if you go to the domain name I have set for the NVR (nvr.example.com) at port 80, you get the click to login screen.  If I click to log in, then it references the ip address (192.168.1.2) instead of the domain name nvr.example.com.  This gives me two problems.  First, it invalidates the whole process of installing the certificate, as the certificate validates *.example.com and not the ip address.  Secondly, that's the internal IP address and not the external address that I have set up, which takes care of accessing things from outside.

Any thoughts?

Thanks again for the writeup on this - really helped.
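Philip Dorr's advice earlier in the thread (run step 5 again and expect a single entry called airvision) and the extra "slave" key found above are the same check. The script below is an added example, not something posted in this thread: it parses the output of `keytool -list` and passes only when exactly one entry remains and it is a PrivateKeyEntry named airvision, and it lists any leftover aliases (such as "1" or "slave") that still need deleting. The keystore path and the "ubiquiti" store password are assumptions taken from the guide (other posts in this thread show the keystore under /var/lib/unifi-video or /usr/lib/unifi-video/data instead), and the two sample listings are constructed in the format keytool prints.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the unifi-video keystore after
# the import steps. unifi-video regenerates the keystore on restart when the entries
# are not what it expects, so verify before rebooting.

KEYSTORE=${KEYSTORE:-/srv/unifi-video/keystore}   # assumed path (from the guide)
STOREPASS=${STOREPASS:-ubiquiti}                   # assumed store password (from the guide)

# Constructed sample listings, in the format `keytool -list` prints (see step 5).
SAMPLE_TWO_ENTRIES='Your keystore contains 2 entries

airvision, Mar 26, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
slave, Mar 26, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44'

SAMPLE_CLEAN='Your keystore contains 1 entry

airvision, Mar 30, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66'

# Read a keytool listing on stdin. Exit 0 only if there is exactly one entry of any
# kind, it is a PrivateKeyEntry, and its alias is "airvision".
keystore_listing_ok() {
    awk -F', ' '
        /Entry,/           { n++; alias = $1 }
        /PrivateKeyEntry,/ { p++ }
        END { exit ((n == 1 && p == 1 && alias == "airvision") ? 0 : 1) }
    '
}

# Read a keytool listing on stdin and print every alias other than "airvision",
# one per line: these are the entries steps 6/7 (or the "slave" case) still owe.
stray_aliases() {
    awk -F', ' '/Entry,/ && $1 != "airvision" { print $1 }'
}

# Run the check against the live keystore (needs keytool on the NVR).
check_live_keystore() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | keystore_listing_ok
}

if [ "${1:-}" = "--self-test" ]; then
    if printf '%s\n' "$SAMPLE_CLEAN" | keystore_listing_ok; then
        echo "clean sample: OK"
    fi
    if ! printf '%s\n' "$SAMPLE_TWO_ENTRIES" | keystore_listing_ok; then
        echo "two-entry sample: NOT OK, stray alias(es):"
        printf '%s\n' "$SAMPLE_TWO_ENTRIES" | stray_aliases
    fi
elif [ "${1:-}" = "--live" ]; then
    if check_live_keystore; then
        echo "$KEYSTORE: OK (single airvision private key)"
    else
        echo "$KEYSTORE: NOT OK, stray alias(es):"
        keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | stray_aliases
        exit 1
    fi
fi
```

`sh keystore_check.sh --self-test` exercises the two constructed listings; `sh keystore_check.sh --live` (optionally with `KEYSTORE=/var/lib/unifi-video/keystore`) runs the same check on the NVR and exits non-zero if anything other than a single airvision private key is present.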

Member
Posts: 164
Registered: ‎10-31-2008
Kudos: 23
Solutions: 2

Re: This is outstanding - a couple of additions that helped me.

mthoreb wrote:

One thing I would like to do is find a way to change the port 80 redirect.  Right now, if you go to the domain name I have set for the NVR (nvr.example.com) at port 80, you get the click to login screen.  If I click to log in, then it references the ip address (192.168.1.2) instead of the domain name nvr.example.com.  This gives me two problems.  First, it invalidates the whole process of installing the certificate, as the certificate validates *.example.com and not the ip address.  Secondly, that's the internal IP address and not the external address that I have set up, which takes care of accessing things from outside.

Any thoughts?

I changed that on my NVR over a year ago, so I am not exactly sure what the original file looked like.  I edited "/usr/share/nvr-webui/www/index.php" and near the top have "$c_host" set to "$_SERVER['HTTP_HOST']"

Philip Dorr
KD0IXY
Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

Re: This is outstanding - a couple of additions that helped me.

I use nginx; it uses the same Let's Encrypt SSL that's embedded into UniFi Video.

cat /etc/nginx/sites-enabled/default

server {
        listen 80;
        listen [::]:80;
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        root /var/www/html;

        ssl_certificate /etc/letsencrypt/live/my.fqdn.com/cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/my.fqdn.com/privkey.pem;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        index index.html index.htm index.nginx-debian.html;

        server_name my.fqdn.com;
        location / {
                return 301 https://my.fqdn.com:7443$request_uri;
        }
}

New Member
Posts: 2
Registered: ‎03-14-2016
Kudos: 1

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

Just that simple.  I knew I was overthinking that.  Thanks to both of you.

Emerging Member
Posts: 51
Registered: ‎11-28-2013
Kudos: 1

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

I really want to get this working, but when I finished all the steps my certificate store is back as it was in the first place.

What can I do to fix that?

Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

If you don't complete the change correctly then unifi-video will truncate your keystore and recreate it anew

What SSL certificate are you trying to apply to it?

Emerging Member
Posts: 51
Registered: ‎11-28-2013
Kudos: 1

Re: Guide on how to change SSL certificate for HTTPS in Unifi NVR v3.2.0, March 2016

I did all the steps again last night and now it works, funny enough.

I really think that this is something that shouldn't be so hard.
