Member
Posts: 108
Registered: ‎11-12-2013
Kudos: 10
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Ok, made progress.. 

But got to nginx -t test.... and bam... no nginx.. No nginx webserver.

I'm such a Linux noob.

This is a basic debian box.

But doesn't Unifi install nginx? 

Can I install nginx... I'll see. 

ok. Installed nginx and tested...

Looks good so far.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Emerging Member
Posts: 47
Registered: ‎12-01-2017
Kudos: 7
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Nginx is pre-installed; it just isn’t in the PATH to make it easier to access.

oops, that wasn’t it.

/usr/sbin/nginx -t

is what you’re looking for.

Actually, nginx -t worked fine for me on my cloudkey...  So it is in the PATH...

USG 3P | US-8-60W | UAP-AC-PRO | UCK 1st Gen | Netgear GS110TP | A smattering of unmanaged switches
Unifi SDN 5.9.26 | UAP/USW 3.9.54.9373 | USG 4.4.28.5102846 | DPI: enabled | IDS: disabled | Speedtest: disabled | 1 VLAN | 2 LAN
Member
Posts: 108
Registered: ‎11-12-2013
Kudos: 10
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Aghhh, so I just reinstalled it...

So I think that's fine.

But, after it all. Still no green https.

I think I may have screwed up the permission on directory: /etc/ssl

I couldn't upload files from Windows with wscp.

Got the "permission error"..

So, went back with ssh to /etc/ssl directory and tried "chown myname /etc/ssl".

That allowed me to upload files. 

But got this error when doing the "fix permission" command:

chown: invalid group: ‘root:ssl-cert’

I know, I made a mess of it.

Back to the start.

Emerging Member
Posts: 47
Registered: ‎12-01-2017
Kudos: 7
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Hrm, checking the permissions on mine shows:

root@unifi:~# ls -la /etc/ssl/private/
total 52
drwx--x--- 2 root ssl-cert 4096 Dec 29 00:30 .
drwxr-xr-x 6 root root 4096 Dec 1 15:13 ..
-rw-r--r-- 1 root root 20480 Dec 29 00:32 cert.tar
-rw-r--r-- 1 root root 1830 Dec 28 19:58 cloudkey.cer
-rw-r--r-- 1 root root 5307 Dec 29 00:32 cloudkey.crt
-rw-r--r-- 1 root root 1679 Dec 29 00:32 cloudkey.key
-rw-r----- 1 root ssl-cert 1704 Dec 1 16:37 ssl-cert-snakeoil.key
-rw------- 1 unifi ssl-cert 3846 Dec 29 00:32 unifi.keystore.jks

Regular Member
Posts: 327
Registered: ‎05-24-2017
Kudos: 108
Solutions: 9

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Your benchtop linux test box probably doesn't have an ssl-cert group -- no big deal.

Since @troyfontaine is working with several of his files group owned by root you can substitute chown root.root and probably be fine

Sounds like you are getting close.  Really cool you have a hotel setup working -- the solution I've done for outdoor campgrounds with airmax backhauls would work really well in a hotel too with wired backhauls.  Since most big hotel chains already have whatever they have standardized on I thought I could put together some really nice systems for independent smaller hotels w/o charging a fortune!  The campgrounds have had great testimonials.  People from all over mention how the campground wifi is better than what they have in their house LOL.

Member
Posts: 108
Registered: ‎11-12-2013
Kudos: 10
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

YES, @firefi thanks to you and @troyfontaine I got it! Troy just helped me wrap it up.

And yep, these smaller independent hotels are a HUGE market.

They love the Unifi Mesh I installed, guests and the owners couldn't be happier.

New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Hi all,

Really clear instructions, but this is not working for me - I've just tried it twice. I previously tried a YouTube video "Cloud Key UniFi SSL Certificate Installation" and that didn't work either.

Now the one thing is that because I tried the video first, I bought a PositiveSSL cert and not a RapidSSL cert, so as others on this thread have mentioned there is more than one authority in the "ca-bundle" file - 2 certs in here.

When I get to the step to check the keystore there are 3 keys - my signed key was the first one.

In Chrome I get:

Issued to: UBNT Router UI
Issued by: UBNT Router UI

So the default cert.

Looking in the nginx site config:

/etc/nginx/sites-enabled/cloudkey-webui

I am pointing at the correct cert:

ssl_certificate /etc/ssl/private/cloudkey.crt;
ssl_certificate_key /etc/ssl/private/cloudkey.key;

(I did change these to try and do it the video's way)

I have restarted nginx and rebooted the box.

The only other thing is that when I tried it the ace.jar way, it moaned that there was ANOTHER cert required - addtrustexternalcaroot.crt - which I got from Comodo directly. I have tried having this at the end of the certs and just using the provided ca-bundle and neither works.

Any ideas what to try now?

Thanks,

Michael Taylor

New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Ok, so this is annoying me.

I have since flattened the network - CloudKey (controller), switch, AP and UAP and then followed two different ways of doing this, and with a LetsEncrypt cert grabbed from sslforfree.com as well as my original PositiveSSL cert. I can't get this to work at all. I successfully build the new jks store, but the CloudKey will not show my cert - it always shows the default UBNT Networks one in Chrome. My CloudKey is running 0.10.x latest firmware.

I have followed 3 tutorials and used a bash script - nothing works. If my jks is correct why does the CloudKey insist on showing the default cert in Chrome?

Anyone?

Thanks,

Michael

Emerging Member
Posts: 47
Registered: ‎12-01-2017
Kudos: 7
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

The web UI (which uses nginx) doesn’t use the Java Keystore; it uses cloudkey.cer (and the script that checks the certificates uses cloudkey.crt)

So, you NEED to have:

cloudkey.key
cloudkey.crt
cloudkey.cer
unifi.keystore.jks

and all of those in cert.tar

I’ve assembled my bash script that uses LE into a gist: https://gist.github.com/troyfontaine/b876edb2806fbbe2b860b20bc6675302

If you look at the process, you need ALL of those in the right place, and if you don’t have them in cert.tar on a reboot or upgrade it will wipe out your custom certificate.

New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Thanks for responding. I'll give your script a go.

Me saying .jks was really just a shorthand for 'generated the new files' (I was on my phone at the time), although I did think that the keystore might have more relevance than the other files.

As I say I have followed tutorials and SHOULD have therefore generated all the relevant files in the correct places - including CloudKey.*.

1. Tried this first, and bought a PositiveSSL cert:

https://www.youtube.com/watch?v=B7lU8ilKPio

2. Then this thread twice, being careful to back up the '/etc/ssl/private' each time.

3. Flattened the network, just in case I'd done something to the CloudKey/controller (upgraded to 0.10 at the same time)

4. Created a LetsEncrypt cert and tried this:

https://scotthelme.co.uk/setting-up-https-on-the-unifi-cloudkey/

5. Tried this script - 'unifi_sh_import.sh' - with my LetsEncrypt script:

https://www.stevejenkins.com/blog/2016/06/use-existing-ssl-certificate-linux-unifi-controller/

I'm a developer - although not Linux. Looking through the steps, they all do basically the same thing. The first one uses 'ace.jar' and the rest use openssl, but they all should achieve the same result. It's not like I'm getting errors! I have generated CSRs and installed on Windows quite a few times, but this is my first time Linux/nginx.

Anyway, will try your stuff and report back. 

Regular Member
Posts: 332
Registered: ‎06-03-2016
Kudos: 65
Solutions: 18

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Great stuff, thank you for sharing.

UEWA, MTCNA, MTCTCE
New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Ok, I got some time to try this again and still no dice. I followed the details from this thread - page 1 - as all the scripts are variations on the theme and I wanted to validate each step. The main difference between guides is that some say to remove the symbolic link:

/usr/lib/unifi/keystore -> /etc/ssl/private/unifi.keystore.jks

And replace 'keystore' with the actual file. And others leave that alone and change the 'unifi.keystore.jks'.

After following the tutorial - no errors - and restarting nginx and unifi services I have the following files:

drwxr-xr-x 2 root root 4096 Mar 18 12:53 backup_2018-03-18/
-rw-r----- 1 root ssl-cert 20480 Mar 18 13:17 cert.tar
-rw-r----- 1 root ssl-cert 5099 Mar 18 13:13 cloudkey.crt
-rw-r----- 1 root ssl-cert 1703 Mar 18 12:55 cloudkey.key
drwxr-xr-x 2 root root 4096 Mar 18 13:19 lets_encrypt/
-rw-r----- 1 root ssl-cert 3830 Mar 18 13:14 unifi.keystore.jks

backup_2018-03-18 = original files
lets_encrypt = a copy of what's here in case they were being overwritten on restart

The only thing I did that was different is that when I cat'd the files I did:

cat signed.crt rapidssl.crt root.crt > cloudkey.crt

root.crt is "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt" - so my cloudkey.crt contains 3x certificates.

When I hit Chrome I get the usual:

[attached screenshot: Capture.PNG]

I don't get it. How is it still serving this default certificate?

unifi folder is pointing to the correct keystore, and the files within '/etc/ssl/private' have been generated by me (i.e. not overridden on restart). 

Thanks,

Michael

Oh and in Windows it seems my cloudkey.crt is valid:

[attached screenshot: Windows.png]

Which in my mind suggests that something to do with restarting the device is ignoring my cert, rather than the cert being invalid.

Emerging Member
Posts: 47
Registered: ‎12-01-2017
Kudos: 7
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

You still need to copy cloudkey.crt and rename it to cloudkey.cer.

New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Ok, just did that - copied cloudkey.crt -> cloudkey.cer and updated the tar to include that too. Still not working.

[attached screenshot: ssl.png]

cloudkey.cer == cloudkey.crt

New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

I just noticed that my unifi.keystore.jks file was 0 bytes. Regenerated it, deleted and recreated the 'cert.tar' and downloaded to Windows and looked inside using 7zip - still 0 bytes even though the file was 3830 bytes. In Windows I copied the downloaded jks file into the tar file, copied it back and restarted nginx/unifi again. Still not working, but is something mangling the tar file?

I ran:

keytool -list -v -keystore unifi.keystore.jks

And the 3830 byte file appears valid.

---

Final post, unless anyone has other suggestions. My files/permissions now look like this:

[attached screenshot: ssl2.png]

My tar file looks like this:

[attached screenshot: ssl3.png]

So they match apart from root:644 vs ssl-cert:640. The JKS file appears valid.

I have no idea what to try now.
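Added example, not from the thread, the gist or Ubiquiti: a POSIX shell checker for the file set troyfontaine lists earlier in the thread (cloudkey.key, cloudkey.crt, cloudkey.cer, unifi.keystore.jks, and all of them inside cert.tar), which also catches the situation in the post above where unifi.keystore.jks is 0 bytes on disk or inside the tar. It checks presence and non-zero size, that cloudkey.cer and cloudkey.crt are identical (nginx reads one, the check script reads the other), that the chain file holds more than one certificate block, that the key file is a PEM private key, and that every member of cert.tar matches the file beside it. The function names and the sample files built in the usage section are assumptions; on a Cloud Key you would run it as root against /etc/ssl/private.

```shell
#!/bin/sh
# Consistency check for the custom-certificate file set on a UniFi Cloud Key.
# Added example (not the thread's or Ubiquiti's code). File names are the ones
# the thread lists; function names are assumptions made here.

REQUIRED="cloudkey.key cloudkey.crt cloudkey.cer unifi.keystore.jks"

# Number of PEM certificate blocks in a file (0 if none or unreadable).
count_pem_certs() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Check one certificate directory. Prints each problem found and returns the
# number of problems, so a 0 exit status means the set is consistent.
check_cloudkey_certs() {
    dir=$1
    problems=0

    # Every file must exist and be non-empty (a 0-byte keystore counts as missing).
    for f in $REQUIRED cert.tar; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING or EMPTY: $dir/$f"
            problems=$((problems + 1))
        fi
    done

    # nginx reads cloudkey.cer while the certificate check script reads
    # cloudkey.crt, so the two must carry the same chain.
    if [ -s "$dir/cloudkey.crt" ] && [ -s "$dir/cloudkey.cer" ] \
        && ! cmp -s "$dir/cloudkey.crt" "$dir/cloudkey.cer"; then
        echo "cloudkey.cer differs from cloudkey.crt"
        problems=$((problems + 1))
    fi

    # The chain file should hold the leaf plus at least one intermediate.
    n=$(count_pem_certs "$dir/cloudkey.crt")
    if [ "$n" -lt 2 ]; then
        echo "cloudkey.crt holds $n certificate block(s); expected leaf + intermediate(s)"
        problems=$((problems + 1))
    fi

    # The key file must be a PEM private key, not a certificate pasted by mistake.
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$dir/cloudkey.key" 2>/dev/null; then
        echo "cloudkey.key does not contain a PEM private key"
        problems=$((problems + 1))
    fi

    # cert.tar is what survives a reboot or upgrade, so every member must be
    # present, non-empty and identical to the file on disk.
    if [ -s "$dir/cert.tar" ]; then
        tmp=$(mktemp -d)
        tar -xf "$dir/cert.tar" -C "$tmp"
        for f in $REQUIRED; do
            if [ ! -s "$tmp/$f" ]; then
                echo "cert.tar member missing or empty: $f"
                problems=$((problems + 1))
            elif [ -s "$dir/$f" ] && ! cmp -s "$dir/$f" "$tmp/$f"; then
                echo "cert.tar member differs from on-disk file: $f"
                problems=$((problems + 1))
            fi
        done
        rm -rf "$tmp"
    fi

    return "$problems"
}

# Usage on the device (assumed path): check_cloudkey_certs /etc/ssl/private
```

The tar comparison is the part the thread's screenshots could not settle: extracting cert.tar to a scratch directory and comparing byte for byte shows immediately whether the archive carries a stale or empty keystore that will be restored over the good one on the next reboot.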

Emerging Member
Posts: 47
Registered: ‎12-01-2017
Kudos: 7
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Are you rebooting instead of just restarting nginx?

Are you actually putting the RapidSSL cert with the Let’s Encrypt cert?

This is what mine looks like with LE certs.

root@unifi:~# ls -la /etc/ssl/private
total 48
drwx--x--- 2 root ssl-cert  4096 Feb 25 21:21 .
drwxr-xr-x 6 root root      4096 Dec  1 15:13 ..
-rw-r----- 1 root ssl-cert 20480 Feb 25 21:27 cert.tar
-rw-r----- 1 root ssl-cert  3509 Feb 25 21:27 cloudkey.cer
-rw-r----- 1 root ssl-cert  3509 Feb 25 21:27 cloudkey.crt
-rw-r----- 1 root ssl-cert  1679 Feb 25 21:27 cloudkey.key
-rw-r----- 1 root ssl-cert  1704 Dec  1 16:37 ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert  3871 Feb 25 21:27 unifi.keystore.jks
New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

I do this every time:

service unifi stop

<Do work>

/etc/init.d/nginx restart; /etc/init.d/unifi restart

Pardon my ignorance, but why would I put the RapidSSL cert in too? My certificate is Lets Encrypt - I only added my certificate, the intermediary certificate and the root certificate for Lets Encrypt cat'd together (my cloudkey.crt/cer contains 3 certs). I do not have the 'ssl-cert-snakeoil.key' apart from in my backup folder.

Emerging Member
Posts: 47
Registered: ‎12-01-2017
Kudos: 7
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

You said you did:

cat signed.crt rapidssl.crt root.crt > cloudkey.crt

So I was a bit confused.

Try not restarting UniFi and simply restart nginx.

New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Ah, yeah - sorry copying and pasting from the example on page 1. My certs had different names, but as I say in Windows the cloudkey.crt is correct with intermediary and root certs present.

This example says nothing about cloudkey.cer BTW - I was hoping that might be the key to what I was missing. Unless anyone has other suggestions I might have to give up on this for now. It's been a massive time sink and I have no idea how to debug the issue.

Fundamentally, why is it not picking up my changes properly when I restart nginx? Where is it getting the default cert from?

New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

One last thing. When I hit:

http(s)://unifi.mydomain.com

It hits the USG, rather than the CloudKey. Is it my responsibility to forward 8443 and others to the CloudKey (192.168.1.2)?

When I use 192.168.1.2 I am routed automatically to 8443 on the CloudKey. It only just occurred to me as the login screens are so similar.
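Added example, not from the thread: a shell diagnostic for the two questions left open above (where the default certificate is coming from, and whether the USG or the Cloud Key is the host actually answering). It takes the SHA-256 fingerprint of the leaf certificate each host:port pair presents over TLS, with SNI set the way a browser would, and compares it with the file the thread says nginx reads. The host names and 192.168.1.2 follow the post above; ports 443 and 8443, the function names and the CER path default are assumptions, and the device needs openssl on the PATH (it is a standard Debian package).

```shell
#!/bin/sh
# Which certificate is actually served at each address, and is it the file on disk?
# Added example (not the thread's or Ubiquiti's code). Paths, ports and names are
# assumptions; /etc/ssl/private/cloudkey.cer is the file the thread says nginx reads.

CER=${CER:-/etc/ssl/private/cloudkey.cer}

# Reduce any fingerprint line ("sha256 Fingerprint=AB:CD:..." or bare hex) to
# upper-case hex with no separators, so values from different sources compare.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Exit 0 when two fingerprint strings name the same certificate (empty never matches).
fingerprints_match() {
    [ -n "$(norm_fp "$1")" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# SHA-256 fingerprint of the leaf certificate a TLS endpoint presents.
# -servername sends SNI so a name-based virtual host answers as a browser sees it.
served_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the first certificate in a PEM file.
file_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# For each host given, report whether 443 and 8443 serve the on-disk certificate.
# A host that answers with a different subject/issuer (e.g. "UBNT Router UI")
# is a different device or a different nginx vhost, not a bad certificate file.
check_served() {
    want=$(file_fp "$CER")
    for host in "$@"; do
        for port in 443 8443; do
            got=$(served_fp "$host" "$port")
            if [ -z "$got" ]; then
                echo "$host:$port  no TLS answer"
            elif fingerprints_match "$want" "$got"; then
                echo "$host:$port  serves cloudkey.cer"
            else
                echo "$host:$port  serves a DIFFERENT certificate:"
                openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
                    | openssl x509 -noout -subject -issuer | sed 's/^/    /'
            fi
        done
    done
}

# Usage (constructed names): check_served unifi.mydomain.com 192.168.1.2
```

Running it for both the DNS name and the LAN address side by side shows whether the name resolves to the gateway's own web UI while the address reaches the Cloud Key; if the address serves cloudkey.cer and the name does not, the certificate install is fine and the remaining work is DNS or port forwarding, not the keystore.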
