01-26-2018 07:39 PM - edited 01-26-2018 07:42 PM
OK, made progress...
But got to the nginx -t test... and bam... no nginx. No nginx webserver.
I'm such a linux noob.
This is a basic debian box.
But doesn't Unifi install nginx?
Can I install nginx... I'll see.
ok. Installed nginx and tested...
Looks good so far.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
01-26-2018 07:45 PM - edited 01-26-2018 07:49 PM
Nginx is pre-installed; it just isn’t in the PATH to make it easier to access.
oops, that wasn’t it.
is what you’re looking for.
Actually, nginx -t worked fine for me on my cloudkey... So it is in the PATH...
01-26-2018 08:06 PM - edited 01-26-2018 08:07 PM
Aghhh, so I just reinstalled it...
So I think that's fine.
But, after it all. Still no green https.
I think I may have screwed up the permission on directory: /etc/ssl
I couldn't upload files from windows with wscp.
Got the "permission error"...
So, went back with ssh to the /etc/ssl directory and tried "chown myname /etc/ssl".
That allowed me to upload files.
But got this error when running the "fix permission" command:
chown: invalid group: ‘root:ssl-cert’
I know, I made a mess of it.
Back to the start.
01-26-2018 08:13 PM
Hrm, checking the permissions on mine shows:
root@unifi:~# ls -la /etc/ssl/private/
drwx--x--- 2 root ssl-cert 4096 Dec 29 00:30 .
drwxr-xr-x 6 root root 4096 Dec 1 15:13 ..
-rw-r--r-- 1 root root 20480 Dec 29 00:32 cert.tar
-rw-r--r-- 1 root root 1830 Dec 28 19:58 cloudkey.cer
-rw-r--r-- 1 root root 5307 Dec 29 00:32 cloudkey.crt
-rw-r--r-- 1 root root 1679 Dec 29 00:32 cloudkey.key
-rw-r----- 1 root ssl-cert 1704 Dec 1 16:37 ssl-cert-snakeoil.key
-rw------- 1 unifi ssl-cert 3846 Dec 29 00:32 unifi.keystore.jks
01-27-2018 06:53 AM
Your benchtop Linux test box probably doesn't have an ssl-cert group -- no big deal.
Since @troyfontaine is working with several of his files group-owned by root, you can substitute chown root.root and probably be fine.
Sounds like you are getting close. Really cool you have a hotel setup working -- the solution I've done for outdoor campgrounds with airMAX backhauls would work really well in a hotel too with wired backhauls. Since most big hotel chains already have whatever they have standardized on, I thought I could put together some really nice systems for independent smaller hotels w/o charging a fortune! The campgrounds have had great testimonials. People from all over mention how the campground wifi is better than what they have in their house LOL.
01-27-2018 02:12 PM
03-13-2018 02:42 PM
Really clear instructions, but this is not working for me - I've just tried it twice. I previously tried a YouTube video "Cloud Key UniFi SSL Certificate Installation" and that didn't work either.
Now the one thing is that because I tried the video first, I bought a PositiveSSL cert and not a RapidSSL cert, so as others on this thread have mentioned there is more than one authority in the "ca-bundle" file - 2 certs in here.
When I get to the step to check the keystore there are 3 keys - my signed key was the first one.
In Chrome I get:
Issued to: UBNT Router UI
Issued by: UBNT Router UI
So the default cert.
Looking in the nginx site config:
I am pointing at the correct cert:
(I did change these to try and do it the video's way)
I have restarted nginx and rebooted the box.
The only other thing is that when I tried it the ace.jar way, it moaned that there was ANOTHER cert required - addtrustexternalcaroot.crt - which I got from Comodo directly. I have tried having this at the end of the certs and just using the provided ca-bundle, and neither works.
Any ideas what to try now?
03-15-2018 05:21 PM
Ok, so this is annoying me.
I have since flattened the network - CloudKey (controller), switch, AP and UAP - and then followed two different ways of doing this, with a LetsEncrypt cert grabbed from sslforfree.com as well as my original PositiveSSL cert. I can't get this to work at all. I successfully built the new jks store, but the CloudKey will not show my cert - it always shows the default UBNT Networks one in Chrome. My CloudKey is running 0.10.x latest firmware.
I have followed 3 tutorials and used a bash script - nothing works. If my jks is correct why does the CloudKey insist on showing the default cert in Chrome?
03-15-2018 09:20 PM - edited 03-15-2018 09:25 PM
The web UI (which uses nginx) doesn’t use the Java Keystore; it uses cloudkey.cer (and the script that checks the certificates uses cloudkey.crt).
So, you NEED to have:
and all of those in cert.tar
I’ve assembled my bash script that uses LE into a gist: https://gist.github.com/troyfontaine/b876edb2806fbbe2b860b20bc6675302
If you look at the process, you need ALL of those in the right place, and if you don’t have them in cert.tar on a reboot or upgrade it will wipe out your custom certificate.
03-16-2018 02:56 AM - edited 03-16-2018 02:58 AM
Thanks for responding. I'll give your script a go.
Me saying .jks was really just shorthand for 'generated the new files' (I was on my phone at the time), although I did think that the keystore might have more relevance than the other files.
As I say, I have followed tutorials and SHOULD therefore have generated all the relevant files in the correct places - including CloudKey.*.
1. Tried this first, and bought a PositiveSSL cert:
2. Then this thread twice, being careful to backup the '/etc/ssl/private' each time.
3. Flattened the network, just in case I'd done something to the CloudKey/controller (upgraded to 0.10 at the same time)
4. Created a LetsEncrypt cert and tried this:
5. Tried this script - 'unifi_sh_import.sh' - with my LetsEncrypt script:
I'm a developer - although not Linux. Looking through the steps, they all do basically the same thing. The first one uses 'ace.jar' and the rest use openssl, but they all should achieve the same result. It's not like I'm getting errors! I have generated CSRs and installed on Windows quite a few times, but this is my first time Linux/nginx.
Anyway, will try your stuff and report back.
03-18-2018 06:46 AM - edited 03-18-2018 06:59 AM
Ok, I got some time to try this again and still no dice. I followed the details from this thread - page 1 - as all the scripts are variations on the theme and I wanted to validate each step. The main difference between guides is that some say to remove the symbolic link:
/usr/lib/unifi/keystore -> /etc/ssl/private/unifi.keystore.jks
And replace 'keystore' with the actual file. And others leave that alone and change the 'unifi.keystore.jks'.
After following the tutorial - no errors - and restarting nginx and unifi services I have the following files:
drwxr-xr-x 2 root root 4096 Mar 18 12:53 backup_2018-03-18/
-rw-r----- 1 root ssl-cert 20480 Mar 18 13:17 cert.tar
-rw-r----- 1 root ssl-cert 5099 Mar 18 13:13 cloudkey.crt
-rw-r----- 1 root ssl-cert 1703 Mar 18 12:55 cloudkey.key
drwxr-xr-x 2 root root 4096 Mar 18 13:19 lets_encrypt/
-rw-r----- 1 root ssl-cert 3830 Mar 18 13:14 unifi.keystore.jks
backup_2018-03-18 = original files
lets_encrypt = a copy of what's here in case they were being overwritten on restart
The only thing I did that was different is that when I cat'd the files I did:
cat signed.crt rapidssl.crt root.crt > cloudkey.crt
root.crt is "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt" - so my cloudkey.crt contains 3x certificates.
When I hit Chrome I get the usual:
I don't get it. How is it still serving this default certificate?
unifi folder is pointing to the correct keystore, and the files within '/etc/ssl/private' have been generated by me (i.e. not overridden on restart).
Oh and in Windows it seems my cloudkey.crt is valid:
Which in my mind suggests that something to do with restarting the device is ignoring my cert, rather than the cert being invalid.
03-18-2018 06:51 AM
You still need to copy cloudkey.crt and rename it to cloudkey.cer.
03-18-2018 07:06 AM - edited 03-18-2018 07:09 AM
Ok, just did that - copied cloudkey.crt -> cloudkey.cer and updated the tar to include that too. Still not working
cloudkey.cer == cloudkey.crt
03-18-2018 07:34 AM - edited 03-18-2018 07:56 AM
I just noticed that my unifi.keystore.jks file was 0 bytes. Regenerated it, deleted and recreated the 'cert.tar' and downloaded to Windows and looked inside using 7zip - still 0 bytes even though the file was 3830 bytes. In Windows I copied the downloaded jks file into the tar file, copied it back and restarted nginx/unifi again. Still not working, but is something mangling the tar file?
keytool -list -v -keystore unifi.keystore.jks
And the 3830 byte file appears valid.
Final post, unless anyone has other suggestions. My files/permissions now look like this:
My tar file looks like this:
So they match apart from root:644 vs ssl-cert:640. The JKS file appears valid.
I have no idea what to try now.
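Added check script (not from this thread or from Ubiquiti) that tests a Cloud Key /etc/ssl/private directory against the requirements troyfontaine listed (cloudkey.cer, cloudkey.crt, cloudkey.key and unifi.keystore.jks all present and all inside cert.tar) and against the 0-byte-keystore-in-tar problem described in the post above. It assumes cert.tar was created from inside that directory with plain file names; the demo directory at the bottom uses constructed placeholder PEM bodies, not real certificates.

```shell
#!/bin/sh
# Added check (not from this thread or Ubiquiti): verify a Cloud Key /etc/ssl/private
# layout. Assumes cert.tar was built inside that directory with plain file names.
REQUIRED="cloudkey.cer cloudkey.crt cloudkey.key unifi.keystore.jks"
check_cloudkey_certs() {
    dir=$1
    for f in $REQUIRED cert.tar; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; return 1; }
        [ -s "$dir/$f" ] || { echo "empty: $f"; return 1; }
    done
    # nginx serves cloudkey.cer while the cert check reads cloudkey.crt: same chain.
    cmp -s "$dir/cloudkey.cer" "$dir/cloudkey.crt" \
        || { echo "cloudkey.cer differs from cloudkey.crt"; return 1; }
    # First PEM block must be the leaf certificate, followed by >=1 intermediate
    # (assumption: a public CA chain such as Let's Encrypt or PositiveSSL).
    first=$(grep '^-----BEGIN' "$dir/cloudkey.crt" | head -n 1)
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] \
        || { echo "cloudkey.crt does not start with a certificate"; return 1; }
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$dir/cloudkey.crt")
    [ "$n" -ge 2 ] || { echo "cloudkey.crt has no intermediate certificate"; return 1; }
    grep -q 'PRIVATE KEY-----' "$dir/cloudkey.key" \
        || { echo "cloudkey.key is not a PEM private key"; return 1; }
    # cert.tar is what survives a reboot or upgrade: every file must be in it
    # and byte-identical to the copy on disk (catches the 0-byte keystore case).
    tmp=$(mktemp -d)
    tar -xf "$dir/cert.tar" -C "$tmp" \
        || { rm -rf "$tmp"; echo "cert.tar unreadable"; return 1; }
    for f in $REQUIRED; do
        inner=$(find "$tmp" -type f -name "$f" | head -n 1)
        if [ -z "$inner" ] || ! cmp -s "$inner" "$dir/$f"; then
            rm -rf "$tmp"; echo "cert.tar copy of $f missing or stale"; return 1
        fi
    done
    rm -rf "$tmp"
    echo "ok: $dir"
}

# Constructed demo layout with placeholder PEM bodies (not real certificates).
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' LEAF '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' INTERMEDIATE '-----END CERTIFICATE-----' > "$d/cloudkey.crt"
    cp "$d/cloudkey.crt" "$d/cloudkey.cer"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' KEY '-----END PRIVATE KEY-----' > "$d/cloudkey.key"
    printf 'JKS' > "$d/unifi.keystore.jks"
    (cd "$d" && tar -cf cert.tar $REQUIRED)
    echo "$d"
}
check_cloudkey_certs "$(make_demo_dir)"
```

Run it as `check_cloudkey_certs /etc/ssl/private` on the Cloud Key; the first message it prints is the file to fix before restarting nginx.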
03-18-2018 07:40 AM - edited 03-18-2018 07:44 AM
Are you rebooting instead of just restarting nginx?
Are you actually putting the RapidSSL cert with the Let’s Encrypt cert?
This is what mine looks like with LE certs.
root@unifi:~# ls -la /etc/ssl/private
total 48
drwx--x--- 2 root ssl-cert 4096 Feb 25 21:21 .
drwxr-xr-x 6 root root 4096 Dec 1 15:13 ..
-rw-r----- 1 root ssl-cert 20480 Feb 25 21:27 cert.tar
-rw-r----- 1 root ssl-cert 3509 Feb 25 21:27 cloudkey.cer
-rw-r----- 1 root ssl-cert 3509 Feb 25 21:27 cloudkey.crt
-rw-r----- 1 root ssl-cert 1679 Feb 25 21:27 cloudkey.key
-rw-r----- 1 root ssl-cert 1704 Dec 1 16:37 ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 3871 Feb 25 21:27 unifi.keystore.jks
03-18-2018 08:01 AM - edited 03-18-2018 08:03 AM
I do this every time:
service unifi stop
/etc/init.d/nginx restart; /etc/init.d/unifi restart
Pardon my ignorance, but why would I put the RapidSSL cert in too? My certificate is Let's Encrypt - I only added my certificate, the intermediary certificate and the root certificate for Let's Encrypt cat'd together (my cloudkey.crt/cer contains 3 certs). I do not have the 'ssl-cert-snakeoil.key' apart from in my backup folder.
03-18-2018 08:06 AM
You said you did:
cat signed.crt rapidssl.crt root.crt > cloudkey.crt
So I was a bit confused.
Try not restarting UniFi and simply restart nginx.
03-18-2018 08:26 AM - edited 03-18-2018 08:29 AM
Ah, yeah - sorry, I was copying and pasting from the example on page 1. My certs had different names, but as I say, in Windows the cloudkey.crt is correct with intermediary and root certs present.
This example says nothing about cloudkey.cer BTW - I was hoping that might be the key to what I was missing. Unless anyone has other suggestions I might have to give up on this for now. It's been a massive time sink and I have no idea how to debug the issue.
Fundamentally, why is it not picking up my changes properly when I restart nginx? Where is it getting the default cert from?
03-18-2018 09:15 AM
One last thing. When I hit:
It hits the USG, rather than the CloudKey. Is it my responsibility to forward 8443 and others to the CloudKey (192.168.1.2)?
When I use 192.168.1.2 I am routed automatically to 8443 on the CloudKey. It only just occurred to me as the login screens are so similar.