Emerging Member
Posts: 48
Registered: ‎12-01-2017
Kudos: 7
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal


Yep.

 

It is easier to just modify the internal DNS to point to the cloudkey.

 

I’ve got a gist for that too: https://gist.github.com/troyfontaine/a0a0098d6a8c333e5316ebf16db1c425

USG 3P | US-8-60W | UAP-AC-PRO | UCK 1st Gen | Netgear GS110TP | A smattering of unmanaged switches
Unifi SDN 5.9.26 | UAP/USW 3.9.54.9373 | USG 4.4.28.5102846 | DPI: enabled | IDS: disabled | Speedtest: disabled | 1 VLAN | 2 LAN
New Member
Posts: 10
Registered: ‎03-10-2018

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Penny drops.

 

Oh my - so I was fundamentally misunderstanding this. I had my DNS provider (DNSMadeEasy) pointing to the USG (WAN IP).

 

I probably had the cert correct the first time I did it. I have been trying to hit the USG all this time! I now have a green cert that is valid.

 

I'm a little confused though - so this only allows you to access it via hostname IF you are on the same LAN. If I take my phone off Wi-Fi then obviously unifi.mydomain.com -> 192.168.1.2 no longer works. I was thinking that the point of setting this up was that unifi.mydomain.com would resolve anywhere.

 

I'm guessing that I just use https://unifi.ubnt.com when external to the network?

 

What are the benefits of updating the internal DNS, vs DNS at DNSMadeEasy?

Emerging Member
Posts: 48
Registered: ‎12-01-2017
Kudos: 7
Solutions: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

You don’t want your cloudkey accessible externally without a VPN; that is where you should be using the free unifi.ubnt.com cloud access. It’s about reducing attack surface to external attackers.

 

I’m using for my external dns <sitename>.mydomain.com and use that for my VPN.

 

That is why I modify my internal DNS as I show in the Gist and use the DNS authentication with Let’s Encrypt via Cloudflare.

 

If it is for a professional site, a regular SSL cert is preferred as Cloudflare doesn’t yet offer reduced privilege API keys.

USG 3P | US-8-60W | UAP-AC-PRO | UCK 1st Gen | Netgear GS110TP | A smattering of unmanaged switches
Unifi SDN 5.9.26 | UAP/USW 3.9.54.9373 | USG 4.4.28.5102846 | DPI: enabled | IDS: disabled | Speedtest: disabled | 1 VLAN | 2 LAN
Regular Member
Posts: 328
Registered: ‎05-24-2017
Kudos: 108
Solutions: 9

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

I've gone with the approach where I set up, in one of my domains registered in DNS, a hostname for the cloudkey that is the name in the cert, so when I hit the cloud key I get the green lock all set. Works when I'm VPN'd in, which is the only time I access the cloudkey other than via the cloud access via unifi.ubnt.com. I also use dynamic DNS for sites that aren't public static IP so I can access the site anytime via VPN by hostname. An example will make this clear:

 

Say my management network is 172.16.200.0/24

 

I use these DNS names:

 

sitename-auth.bvwireless.net  -> 172.16.200.5  (internal IP of my cloud key).

sitename.bvwireless.net -> Dynamic public IP   (set by using dynamic DNS service in the controller).

 

When I want to VPN to the site I can VPN to sitename.bvwireless.net and that will be the public IP (if it's static I just set sitename.bvwireless.net to the public static IP and that is my VPN target).

 

When I want to access the cloudkey and get the green lock I get a certificate for sitename-auth.bvwireless.net and install it on the cloudkey.  Then when I access the cloudkey I hit http://sitename-auth.bvwireless.net and the cloudkey redirects automatically to https://sitename-auth.bvwireless.net and then I can choose either the controller or manage cloud key.  If I choose the controller it goes to https://sitename-auth.bvwireless.net:8443 and I have the green lock all set.

 

For the captive portal I choose to use the "Use secure portal" checkbox and "Redirect to hostname" set to: https://sitename-auth.bvwireless.net and when a device needs to access the signup page it gets the internal IP of the cloudkey for sitename-auth.bvwireless.net and goes there by name and the cert matches the name so the green lock is on and all happy. The only caveat with this approach is that the internet needs to be up and responding to public DNS queries for the captive portal to work. Without internet the customers can't do much anyway -- so I don't mind that an external DNS name pointing to the internal cloud key IP is in use here. The captive portal automatically tacks on the :8443 along with the rest of the url needed to access the signup page where they can use a voucher or pay by credit card -- and Android / Apple / web browsers all trust it seamlessly.

 

Good luck -- looks like you guys are getting this sorted out.

 

 

New Member
Posts: 39
Registered: ‎03-06-2018
Kudos: 20

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Thanks for this write up.  I was able to successfully deploy SSL to my CK, but not after changing aircontrolenterprise to something else and then realizing I had made a mistake.  If you could emphasize that this password shouldn't be changed, idiots like me would be grateful =D

Regular Member
Posts: 328
Registered: ‎05-24-2017
Kudos: 108
Solutions: 9

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

I meant to reply to this a few weeks back to let everyone know:

 

Upgrading a 5.4.x, 5.5.x, or 5.6.x controller to the latest stable 5.7.x version preserves the SSL cert no problem.

Running this procedure on a 5.7.x brand new controller works properly.

 

This procedure came in really handy for me again as I was a victim of google removing trust (in phases) from chrome for certs signed by GeoTrust issued in various date ranges, for which 3 of my certs needed to be re-issued. GeoTrust is now managed by DigiCert and the re-issue wasn't too bad -- login to rapidssl and re-issue the cert. I thought I needed the original CSR but found that for one of them where I didn't save the CSR I was able to generate a new one and they still re-issued to the original expiration date I already paid for (3 years). Either way it's a good idea to save your original CSR (and private key, cert, and intermediate cert) somewhere safe in case you need to re-install it. Hopefully someday when UBNT makes a GUI to add a signed cert to a controller / cloud key the cert contents will be included in auto or manual backups. Then if a cloud key dies, bring up a new one, restore, and voila.

 

I'm all up to date on deployed sites that use the portal for folks to sign up for access with credit cards using the stripe backend.

Hoping to create some more sites with the secure portal -- great passive income ability.

 

New Member
Posts: 40
Registered: ‎04-25-2017
Kudos: 16

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Hello Everyone.

 

I was able to generate and install the certificate. When I go to my domain wifi.company.com it shows the cert all good. I have wifi.company.com pointing to the IP of the cloud key (192.168.1.9).

 

This gives me the unifi controller manage button and the unifi cloud key manage buttons. When I click on the cloudkey it takes me to the /login url and is still secure, all good.

 

When I click on unifi it takes me to port 8443 and I lose my secure connection.

 

I also do not have a secure connection on my guest portal. 

 

What have I done wrong?

 

Thanks,

 

Birnie

 

 

New Member
Posts: 40
Registered: ‎04-25-2017
Kudos: 16

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

I did notice that rapidssl now has two intermediate certs (https://knowledge.digicert.com/generalinformation/INFO1548.html)

 

Do I need to merge both into the rapidssl.crt?

 

Birnie

 

New Member
Posts: 40
Registered: ‎04-25-2017
Kudos: 16

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Has anyone got this to work on 5.7.28?

 

Birnie

Regular Member
Posts: 328
Registered: ‎05-24-2017
Kudos: 108
Solutions: 9

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Based on the log of changes from 5.7.23 to 5.7.28 I don't see anything that would make me think that this would not work on 5.7.28

 

I did a new site recently starting with a factory defaulted 5.7.23 and configured everything and installed a RapidSSL cert with no issues.  The cert had just the cert itself and the one intermediate certificate and followed the procedure to get it working on the cloud key.

 

Not sure if I'll have time, but I have an extra cloud key I do bench testing with I can put 5.7.28 on it, factory reset, and install a cert.

 

I now know how to do static internal DNS entries (I posted a howto on this forum) so I can now easily make DNS on the cloudkey provide the IP of the cloud key (internal IP) when requesting a fully qualified internal DNS name (and unqualified, but you need fully qualified so it matches the cert). At most sites I use a domain I own anyway and set up the external DNS to point to the internal cloud key IP, such as sitename.mydomain.com -> 172.16.0.5. It is nice when that name can resolve internally, as then if the internet is down, the security stuff still works.

 

New Member
Posts: 40
Registered: ‎04-25-2017
Kudos: 16

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal


@firefi

 

Yes, this is what I have set up: wifi.mydomain.com -> 192.168.1.9

 

@UBNT-MikeD

 

Mike, are there any plans to update the cloud key to easily ingest certs?

 

Do you know if anything has changed in 5.7.28 that would break this process?

 

Any help you can give to get me going would be great. I had it working before I did the upgrade with a positivessl cert, but after the restore it's all gone.... lol

 

Birnie

Regular Member
Posts: 328
Registered: ‎05-24-2017
Kudos: 108
Solutions: 9

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Tonight I tested two things:

 

1. Upgraded my home cloudkey from 5.7.23 to 5.7.28 and the SSL cert installed on there still works fine as expected after the upgrade.  Works for guest portal secure auth also.

 

2. Bought a new certificate from RapidSSL (the one I have on there is expiring very soon anyway) and it's got a different CN (common name) than the one that is about to expire. I set up my internal DNS for that name to point to the cloud key.

 

Followed my procedure to install the certificate -- and it works fine.  

 

So I've confirmed this procedure works fine on 5.7.28 controller.

 

I even rebooted the cloud key to make sure it doesn't get messed with.

It's all working as expected and the portal secure signup page works fine too.

 

@birnie I'm not sure where you are going wrong.  The commands in the howto should be to the letter -- some people think they need to use a passcode for the cert and don't use aircontrolenterprise as the keystore password -- this should be exactly as it is in the procedure.  Do not substitute some other password for aircontrolenterprise.

 

Hope you get it sorted out.  Haven't tried the 5.8 controller yet, but through the latest 5.7.x it works.

 

 

New Member
Posts: 40
Registered: ‎04-25-2017
Kudos: 16

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

@firefi

 

Thanks for making sure it still works. I'll give it another shot. The only thing you seem to have different is the internal DNS. 

 

I'll have to find your post on setting up the DNS entry and give it a shot, maybe that will fix it. 

 

Thanks for the awesome help

 

I'll keep you posted. 

 

Birnie 

 

 

Regular Member
Posts: 328
Registered: ‎05-24-2017
Kudos: 108
Solutions: 9

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal


@birnie wrote:

@firefi

 

Thanks for making sure it still works. I'll give it another shot. The only thing you seem to have different is the internal DNS. 

 

I'll have to find your post on setting up the DNS entry and give it a shot, maybe that will fix it. 

 

Thanks for the awesome help

 

I'll keep you posted. 

 

Birnie 

 

 


It works for me with either external DNS or internal DNS -- the web server on the cloud key doesn't even notice where the DNS query came from -- all it cares about is the name in the URL used to access the cloud key -- that must match the CN (common name) in the certificate.

So if you want to address your cloudkey as https://cloudkey.mydomain.com and your browser discovered the IP for cloudkey.mydomain.com via a response internally from DNS or a response by DNS getting the answer from external DNS, it doesn't matter (assumes either DNS mapping points to the internal IP of the cloud key).

On your setup, the nginx server which handles https://cloudkey.mydomain.com was happy w/ the certificate (comes from the cloudkey.crt and cloudkey.key files). And clearly your DNS resolution for cloudkey.mydomain.com resulted in the IP of your cloud key.

The java tomcat server that handles https://cloudkey.mydomain.com:8443 which is the unifi controller and uses the java key store (the .jks file) was having the problem.  Your dump of the .jks file with keytool looked fine to me -- I have no idea what the problem is.  I've done this several times on several versions with no issues.  You must have some difference.

Are you really sure the name you are using to access the cloudkey 100% matches the common name in your cert?  It would seem so since the nginx web server is happy on your initial connection to the https port 443 (which is handled by nginx -- nginx is on 443 and java tomcat is on 8443).

 

Oh -- and the guest portal page (use secure portal) worked fine for me on 5.7.28 also. It's just another part of the web tree under the java tomcat server. You can see your signup page by visiting https://cloudkey.mydomain.com:8443/guest/s/default/

 

Good luck!
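The two checks in the post above (the name in the URL must match the cert's CN, and the nginx listener on 443 and the tomcat listener on 8443 must both present that cert with a complete chain) can be scripted. This is an added example, not code from the thread or from UBNT; `inspect_port`, `name_matches` and `check_cloudkey` are names chosen here, and the cert dicts are in the format Python's `ssl.getpeercert()` returns.

```python
import socket
import ssl
from hashlib import sha256

def names_in_cert(cert):
    """Collect the CN and DNS SANs from a dict in ssl.getpeercert() format."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names

def name_matches(cert, hostname):
    """True if hostname is covered by the cert's CN or a DNS SAN; a
    single-label wildcard such as *.example.com is honoured."""
    host = hostname.lower().rstrip(".")
    for name in names_in_cert(cert):
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False

def inspect_port(hostname, port, timeout=5):
    """Handshake with hostname:port, verifying the chain against the system trust store."""
    result = {"port": port, "verified": False, "error": "", "match": False, "fingerprint": ""}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # name check is done by name_matches()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                parsed = tls.getpeercert()
                der = tls.getpeercert(binary_form=True)
    except OSError as exc:
        # chain failure (e.g. intermediate missing from the keystore) or connection refused
        result["error"] = str(exc)
        return result
    result.update(verified=True, match=name_matches(parsed, hostname),
                  fingerprint=sha256(der).hexdigest()[:16])
    return result

def check_cloudkey(hostname):
    """Compare what nginx (443) and tomcat (8443) present for one cloud key name."""
    a, b = inspect_port(hostname, 443), inspect_port(hostname, 8443)
    same = a["verified"] and b["verified"] and a["fingerprint"] == b["fingerprint"]
    return {"443": a, "8443": b, "same_cert": same}
```

Run `check_cloudkey("sitename-auth.bvwireless.net")` from a host whose DNS resolves that name to the cloud key; a verified 443 with an error on 8443 points at the .jks keystore, which is the symptom described in the thread.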

 

New Member
Posts: 40
Registered: ‎04-25-2017
Kudos: 16

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

I'm going back to the site today, and will be spending all weekend on this (hopefully it does not take that long).

 

I'll let you know.

 

Birnie

New Member
Posts: 40
Registered: ‎04-25-2017
Kudos: 16

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

@firefi

 

I reset the cloudkey to default, restored a backup and followed the steps.

 

It works. 

 

Thanks again for the great guide.

 

Birnie

New Member
Posts: 17
Registered: ‎12-10-2017

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

I can confirm this is working on Unifi 5.8.24. Thanks for the detailed instructions!

Regular Member
Posts: 328
Registered: ‎05-24-2017
Kudos: 108
Solutions: 9

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

Thanks for letting us know! Excellent.


@jared_f wrote:

I can confirm this is working on Unifi 5.8.24. Thanks for the detailed instructions!


 

New Member
Posts: 17
Registered: ‎12-10-2017

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

In addition, one thing I did run into: make sure you clear out the certificates you trusted previously or it will continue to show "not secure" in your address bar. This was on my Mac and I did not do further testing on Windows or Linux.

New Member
Posts: 32
Registered: ‎07-15-2018
Kudos: 1

Re: HOWTO: Install Signed SSL Certificate on Cloudkey and use for secure portal

I got this working for the "Configure" portal - everything works nicely and the cert is valid etc.

 

However, now my Unifi portal seems to be missing.

 

Any attempt to connect to the "Manage portal" now gives me an ERR_CONNECTION_REFUSED.

 

It's like the cloudkey is no longer listening on port 8443.

 
