New Member
Posts: 11
Registered: ‎05-20-2017
Kudos: 4

Re: Easy UBNT: Install, Update and Secure UBNT Software


Hello,

 

The script fails on line 2110 because the current cert has expired.

 

Do you want to (re)setup Let's Encrypt? (y/n, default n) y

Domain name to use (x):  x.y.z

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following matching certs:
  Certificate Name: x.y.z
    Domains: x.y.z
    Expiry Date: 2019-05-15 07:41:14+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/x.y.z/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/x.y.z/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Let's Encrypt has been setup previously

Saving debug log to /var/log/letsencrypt/letsencrypt.log

WARNING: Let's Encrypt will verify your domain using HTTP (TCP port 80). This
script will automatically allow HTTP through the firewall on this machine only.
Please make sure firewalls external to this machine are set to allow HTTP.

easy-ubnt.sh: line 2110: EXPIRED: unbound variable
### Easy UBNT v0.6.3
##############################################################################

Cleaning up script, please wait...

Running apt-get autoremove --yes [ok]
Running apt-get autoclean --yes [ok]

find: ‘/etc/ssh/sshd_config.bak*’: No such file or directory
Done!

 

2110    if [[ "${days_to_renewal}" -ge 30 ]]; then
2111      if __eubnt_question_prompt "Do you want to force certificate renewal?" "return" "n"; then
2112        force_renewal="--force-renewal"
2113      fi

How can I resolve this? Can you update the script so it doesn't crash anymore if this happens?

Regular Member
Posts: 580
Registered: ‎01-28-2016
Kudos: 135
Solutions: 17

Re: Easy UBNT: Install, Update and Secure UBNT Software


@thegillimonster wrote:

Hey all,

 

Thanks for all your hard work, this is a really awesome idea and exactly what I was looking for.

 

Just installed on Ubuntu 18.04.2. The controller installed fine, but the firewall broke access to...everything. As soon as I disabled it everything came back up. I tried opening each port manually first via CLI but that didn't do anything.

 

Also, I'm a huge noob and I couldn't figure out how to set up lets encrypt...so I skipped it. It's something that I want to set up (I think) but I don't understand what the domain name request was for. It might be beneficial to some users to include some supernoob instructions for things, like a short sentence on what exactly we're enabling, why it's useful, and how to configure it for our system.. 


Thanks for the feedback! I'll include some more guidance on the Let's Encrypt setup. If you'd like, you can PM me your log file and we'll see if we can figure out the firewall issues.

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 580
Registered: ‎01-28-2016
Kudos: 135
Solutions: 17

Re: Easy UBNT: Install, Update and Secure UBNT Software


@S0lutionS wrote:

Hello,

 

The script fails on line 2110 because the current cert has expired.

 

2110    if [[ "${days_to_renewal}" -ge 30 ]]; then
2111      if __eubnt_question_prompt "Do you want to force certificate renewal?" "return" "n"; then
2112        force_renewal="--force-renewal"
2113      fi

How can I resolve this? Can you update the script so it doesn't crash anymore if this happens?


 

Thanks for reporting this! I've pushed some fixes and changes to the dev branch on GitHub. Can you download the dev version and report back how it goes?

 

wget sprocket.link/eubntdev -O easy-ubnt.sh && sudo bash easy-ubnt.sh

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
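
Added example, not part of the thread and not code from easy-ubnt.sh: the error reported above is consistent with the word EXPIRED from certbot's "(INVALID: EXPIRED)" status reaching the integer test on line 2110. The sketch below parses the "Expiry Date:" line and lets only digits through to the comparison; the function names, the sample lines and the "renew" branch are assumptions.

```bash
#!/usr/bin/env bash
set -eu

# Constructed sample lines in the format certbot printed in the report above.
SAMPLE_EXPIRED='    Expiry Date: 2019-05-15 07:41:14+00:00 (INVALID: EXPIRED)'
SAMPLE_VALID='    Expiry Date: 2019-08-13 07:41:14+00:00 (VALID: 89 days)'

# Hypothetical helper: print the days left for one "Expiry Date:" line.
# Prints 0 for an expired certificate; returns 1 if the line cannot be parsed.
cert_days_left() {
  local line="${1:-}" status days
  # Keep only the text inside the trailing parentheses.
  status="$(printf '%s\n' "${line}" |
    sed -n 's/.*Expiry Date:.*(\(.*\))[[:space:]]*$/\1/p')"
  case "${status}" in
    "INVALID: EXPIRED") echo 0 ;;
    "VALID: "*)
      days="${status#VALID: }"
      days="${days%% *}"
      # Allow digits only. Inside bash's [[ x -ge y ]] a word such as EXPIRED
      # is evaluated as a variable name, which aborts the script under set -u.
      case "${days}" in ''|*[!0-9]*) return 1 ;; esac
      echo "${days}" ;;
    *) return 1 ;;
  esac
}

# Hypothetical wrapper around the check quoted from line 2110:
# "ask" = offer --force-renewal, "renew" = renew normally (assumed branch),
# "unknown" = the status could not be parsed.
renewal_action() {
  local days
  if ! days="$(cert_days_left "${1:-}")"; then
    echo "unknown"
    return 0
  fi
  if [ "${days}" -ge 30 ]; then echo "ask"; else echo "renew"; fi
}
```
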
New Member
Posts: 11
Registered: ‎05-20-2017
Kudos: 4

Re: Easy UBNT: Install, Update and Secure UBNT Software

Thanks, it updated correctly now.

 

In the UFW I type 'any' for the ports, all connections closed...

Script didn't error, I ran it again and just typed '' nothing, enter, now it works.

Regular Member
Posts: 580
Registered: ‎01-28-2016
Kudos: 135
Solutions: 17

Re: Easy UBNT: Install, Update and Secure UBNT Software


@S0lutionS wrote:

Thanks, it updated correctly now.

 

In the UFW I type 'any' for the ports, all connections closed...

Script didn't error, I ran it again and just typed '' nothing, enter, now it works.


Awesome feedback, thanks! I've pushed some fixes to the dev branch to handle that user input better in the UFW setup.

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 580
Registered: ‎01-28-2016
Kudos: 135
Solutions: 17

Re: Easy UBNT: Install, Update and Secure UBNT Software


UPDATE: New release!

 

Notable improvements are better handling of UniFi Network in case it can't migrate data after an upgrade. Also the command line options have been improved. You can now manipulate most areas of the script if desired with command line switches. Example:

 

sudo bash easy-ubnt.sh -q -s skip -f off -i stable -p unifi-controller -d unifi.domain.com

The above would use quick mode to accept default answers to prompts (-q), skip the OpenSSH server setup (-s skip), disable UFW (-f off), install the latest stable version (-i stable) of UniFi Network (-p unifi-controller) and setup Let's Encrypt with the specified domain name (-d unifi.domain.com).

 

The README has been updated, along with the help output (-h). Let me know if you have questions or feedback. Thanks!

 

v0.6.4 - 2019-05-21

 

Added

  • Command line option to archive alerts (-c archive-alerts)
  • Command line options to skip UFW (-f skip) and OpenSSH (-s skip) setup
  • Function option to skip latest version checks when initializing UniFi Network variables
  • Checks for migration and error messages in the server log for UniFi Network

Changed

  • Script execution to better handle failed data migration during UniFi Network installation
  • System status page to only proceed automatically in quick mode
  • System status execution order, check DNS first

Improved

  • UniFi Network installer to better handle installation after failed data migration
  • Unset variable checks throughout
  • Verbiage throughout
  • Logging and verbose output
  • UFW setup
  • Command line options and help output (-h)

Fixed

  • Java SSL CA cert issues
  • Log file and SSH config backup cleanup on script exit
  • Unset variable during certbot setup (thanks @S0lutionS )
  • Input for adding hosts to firewall rules (thanks @S0lutionS )
  • Bug in SSH port change check
  • Install jq if needed
  • Bugs in UBNT version finder
UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 580
Registered: ‎01-28-2016
Kudos: 135
Solutions: 17

Re: Easy UBNT: Install, Update and Secure UBNT Software

All,

 

I've pushed a new release, v0.6.5, with some small changes:

 

https://github.com/sprockteam/easy-ubnt/releases/tag/v0.6.5

 

 

Added

  • Command-line option to skip system checks, common fixes and updates (-z)
    • NOTE: This was -q skip in 0.6.4 but was reverted and -z was added instead

Changed

  • Startup check order

Fixed

  • Install net-tools if needed
  • Firewall command-line option to work with 'on' (-f on)
  • SSH command-line option to set port if specified

 

A quick example, if you just want to install UniFi Network 5.6.42, change the SSH port to 2222 and enable the firewall, you could do this:

 

sudo bash easy-ubnt.sh -aqz -p unifi-controller -i 5.6.42 -l skip -s 2222 -f on

 

I hope to turn my attention to the Let's Encrypt setup for the next release. :-)

 

Feedback is welcome as always. Thanks!

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
New Member
Posts: 4
Registered: ‎10-10-2018
Kudos: 2

Re: Easy UBNT: Install, Update and Secure UBNT Software


Spun up one of the $5pm Vultr VC2 instances (link) running Ubuntu 18.04 LTS this morning.

 

Used this script to install UniFi Controller, add the Lets Encrypt Cert and move 2 sites over the new VPS.

All worked perfectly thank you @SprockTech !! Couldn't have been easier, very happy with it.

Regular Member
Posts: 580
Registered: ‎01-28-2016
Kudos: 135
Solutions: 17

Re: Easy UBNT: Install, Update and Secure UBNT Software


@Mattyfaz wrote:

Spun up one of the $5pm Vultr VC2 instances (link) running Ubuntu 18.04 LTS this morning.

 

Used this script to install UniFi Controller, add the Lets Encrypt Cert and move 2 sites over the new VPS.

All worked perfectly thank you @SprockTech !! Couldn't have been easier, very happy with it.


Awesome, glad to hear it went well! Thanks for the feedback!

 

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
New Member
Posts: 4
Registered: ‎10-10-2018
Kudos: 2

Re: Easy UBNT: Install, Update and Secure UBNT Software

Hey @SprockTech 

 

Forgive me if I have done something wrong or this is not the place to ask.

Just figured it might be best to ask you since I think the script (LetsEncrypt) is meant to handle this.

 

Previously I had used your script to setup an instance on AWS Lightsail.

  • Domain (via Google Domains)
  • DNS changed to CloudFlare Name Servers
  • Cloudflare pointing at the Lightsail instance

All worked great, no certificate issues whatsoever.

 

Last week I used the script on a Vultr instance, same specs and OS as the AWS Lightsail instance.

  • Domain (via Google Domains)
  • Default Google DNS (no CloudFlare this time).
  • Pointing at the Vultr instance

However this instance has security certificate warnings: https://i.imgur.com/APcznnb.png

 

Any ideas?

Regular Member
Posts: 580
Registered: ‎01-28-2016
Kudos: 135
Solutions: 17

Re: Easy UBNT: Install, Update and Secure UBNT Software


@Mattyfaz wrote:

Hey @SprockTech 

 

Forgive me if I have done something wrong or this is not the place to ask.

Just figured it might be best to ask you since I think the script (LetsEncrypt) is meant to handle this.

 

Previously I had used your script to setup an instance on AWS Lightsail.

  • Domain (via Google Domains)
  • DNS changed to CloudFlare Name Servers
  • Cloudflare pointing at the Lightsail instance

All worked great, no certificate issues whatsoever.

 

Last week I used the script on a Vultr instance, same specs and OS as the AWS Lightsail instance.

  • Domain (via Google Domains)
  • Default Google DNS (no CloudFlare this time).
  • Pointing at the Vultr instance

However this instance has security certificate warnings: https://i.imgur.com/APcznnb.png

 

Any ideas?


@Mattyfaz,

 

Thanks for reaching out, I'll see if I can help. Can you run the following commands, put your domain in the letsencrypt path for the openssl command:

 

sudo service unifi restart
sudo keytool -list -keystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise 2>/dev/null | grep "fingerprint" | sed 's/.*(SHA1): //'
sudo openssl x509 -in /etc/letsencrypt/live/unifi.yourdomain.com/fullchain.pem -noout -sha1 -fingerprint 2>/dev/null | sed 's/.*=//'

The output from the keytool and openssl commands should be the same. Let me know, thanks!

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
New Member
Posts: 4
Registered: ‎10-10-2018
Kudos: 2

Re: Easy UBNT: Install, Update and Secure UBNT Software


@SprockTech wrote:
The output from the keytool and openssl commands should be the same. Let me know, thanks!

Sorry just saw you replied! (Didn't get the email notification for some reason).

 

The Keytool command responds with a value, however the Openssl command does not give any output response.

Is this something that can easily be corrected? Only thing I've done on this VPS aside from run the script here is install Fail2Ban.

 

Should I just run the script and try and do the LetsEncrypt steps again? (Assuming this won't affect any connected UniFi Devices).

 

Appreciate your help @SprockTech 

Regular Member
Posts: 580
Registered: ‎01-28-2016
Kudos: 135
Solutions: 17

Re: Easy UBNT: Install, Update and Secure UBNT Software


@Mattyfaz wrote:

@SprockTech wrote:
The output from the keytool and openssl commands should be the same. Let me know, thanks!

Sorry just saw you replied! (Didn't get the email notification for some reason).

 

The Keytool command responds with a value, however the Openssl command does not give any output response.

Is this something that can easily be corrected? Only thing I've done on this VPS aside from run the script here is install Fail2Ban.

 

Should I just run the script and try and do the LetsEncrypt steps again? (Assuming this won't affect any connected UniFi Devices).

 

Appreciate your help @SprockTech 


Yes, go ahead and run the script again. It sounds like certbot wasn't able to complete, make sure port 80 is open for the certbot validation to go through. Pay attention to that portion of the script and see if any errors show up.

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
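
Added example, not part of the thread and not code from easy-ubnt.sh: the keytool/openssl fingerprint comparison requested earlier, wrapped so that the case reported above (keytool prints a value, openssl prints nothing) gets its own verdict instead of a silent mismatch. The function names, verdict strings and sample fingerprints are assumptions; the two commands and their paths are the ones given in the thread.

```bash
#!/usr/bin/env bash
set -eu

# Constructed sample fingerprints (not from any real certificate).
SAMPLE_KS_FP='0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D'
SAMPLE_CERT_FP='0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d'

# Normalise a fingerprint: drop colons and whitespace, upper-case the hex digits.
normalize_fp() {
  printf '%s' "${1:-}" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Hypothetical helper: classify the outputs of the two commands from the thread.
fingerprint_verdict() {
  local ks cert
  ks="$(normalize_fp "${1:-}")"
  cert="$(normalize_fp "${2:-}")"
  if [ -z "${cert}" ]; then
    echo "no-certificate"     # openssl printed nothing: PEM missing or unreadable
  elif [ -z "${ks}" ]; then
    echo "no-keystore-entry"  # keytool printed no fingerprint line
  elif [ "${#ks}" -ne "${#cert}" ]; then
    echo "different-hash"     # lengths differ, e.g. 40 hex digits against 64
  elif [ "${ks}" = "${cert}" ]; then
    echo "match"
  else
    echo "mismatch"           # keystore holds a different certificate
  fi
}

# Runs the two commands from the thread (as root); the domain is the only argument.
check_unifi_cert() {
  local domain="$1" ks cert
  ks="$(keytool -list -keystore /usr/lib/unifi/data/keystore \
        -storepass aircontrolenterprise 2>/dev/null |
        grep "fingerprint" | sed 's/.*(SHA1): //' | head -n 1)" || true
  cert="$(openssl x509 -in "/etc/letsencrypt/live/${domain}/fullchain.pem" \
        -noout -sha1 -fingerprint 2>/dev/null | sed 's/.*=//')" || true
  fingerprint_verdict "${ks}" "${cert}"
}
```

A "no-certificate" verdict corresponds to the situation in the thread, where the advice was to rerun the Let's Encrypt step with port 80 reachable.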
New Member
Posts: 4
Registered: ‎10-10-2018
Kudos: 2

Re: Easy UBNT: Install, Update and Secure UBNT Software


@SprockTech wrote:

Yes, go ahead and run the script again. It sounds like certbot wasn't able to complete, make sure port 80 is open for the certbot validation to go through. Pay attention to that portion of the script and see if any errors show up.


Ran it once and no change, however then ran it again and it has now worked! Didn't do anything different as far as I can tell but glad it has sorted itself out

 

One bit of feedback I did notice. When running the script and it got to the section asking me:

- Reinstall Controller vX.X.X

- (Some other option)

- Enter version number of Controller to install

 

None of those options applied, perhaps there should be a "skip" option there for those who just want the automated LetsEncrypt or UFW setup etc. Just a thought, obviously the main purpose of the script is to install the Controller so maybe that's not needed and I was just an edge case!

 

Big thanks again @SprockTech !!
