New Member
Posts: 16
Registered: a month ago

HTTPS certificate expired on UAP

Hello!

 

Any how-to on switching the SSL cert saved on the UAPs when they are expired?

Thanks!

Established Member
Posts: 1,166
Registered: ‎04-07-2013
Kudos: 535
Solutions: 47

Re: HTTPS certificate expired on UAP

UAPs have SSL certificates? This is new to me. If so, you must be on a really old firmware.
When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudos to the people who have helped you out!
New Member
Posts: 16
Registered: a month ago

Re: HTTPS certificate expired on UAP

Well, I can access a service on port 443 on the APs themselves.

 

Firmware=3.9.54.9373

Established Member
Posts: 1,166
Registered: ‎04-07-2013
Kudos: 535
Solutions: 47

Re: HTTPS certificate expired on UAP


@edvborken wrote:

Well, I can access a service on port 443 on the APs themselves.

 

Firmware=3.9.54.9373


I can't. Are you 100% sure you are connecting to the AP and not the controller?

New Member
Posts: 16
Registered: a month ago

Re: HTTPS certificate expired on UAP

Yes, as the IP is the IP of the AP, and there is no redirect (as far as I can see).

Screenshot attached.

 

I can see that there is a service running on the AP (via netstat) on port 443.

cert-ap.png
Senior Member
Posts: 19,052
Registered: ‎08-04-2017
Kudos: 3551
Solutions: 925

Re: HTTPS certificate expired on UAP

Hello @edvborken,


Welcome to the community!

 

That is the controller device..

 


Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-Video Installation Scripts | UniFi-VoIP Installation Scripts
USG-XG-8 • USG-4-PRO • USG
USW-XG-16 • USW-48-500W • USW-24-POE-250W 2x • USW-16-POE-150W 3x • USW-24 • USW-8-150W • USW-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD 2x • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M • UAP-AC-M-PRO 2x
UAS-XG • UCK-G2-PLUS • UCK-G2 • UCK
New Member
Posts: 16
Registered: a month ago

Re: HTTPS certificate expired on UAP

OK, even if the IP is one of the APs?

Senior Member
Posts: 19,052
Registered: ‎08-04-2017
Kudos: 3551
Solutions: 925

Re: HTTPS certificate expired on UAP

Hello @edvborken,

 

The UAPs don’t have a webserver on them..

Certificate warnings on controllers are normal if you didn’t import a valid certificate.

 

 

Regards,

Glenn R.

New Member
Posts: 16
Registered: a month ago

Re: HTTPS certificate expired on UAP

OK, but why do I get another certificate if I access the controller itself?

Senior Member
Posts: 19,052
Registered: ‎08-04-2017
Kudos: 3551
Solutions: 925

Re: HTTPS certificate expired on UAP

Hello @edvborken,

 

What do you mean exactly?

The UniFi Network Controller certificate is not the same as the UCK certificate.

 

 

Regards,

Glenn R.

New Member
Posts: 16
Registered: a month ago

Re: HTTPS certificate expired on UAP

When I try to access the IP of a UAP I get a cert warning, as it is expired. I can see this in the certificate info.

 

If I access the controller this is not the case. So the question would be:

 

1.) What service is running on the UAP, using the certificate?

2.) How can I update this cert?

Senior Member
Posts: 19,052
Registered: ‎08-04-2017
Kudos: 3551
Solutions: 925

Re: HTTPS certificate expired on UAP

Hello @edvborken,

 

The UAPs don't run a webserver on them...

 

 

Regards,

Glenn R.

Veteran Member
Posts: 4,906
Registered: ‎06-13-2015
Kudos: 1327
Solutions: 231

Re: HTTPS certificate expired on UAP


@edvborken wrote:

When I try to access the IP of a UAP I get a cert warning, as it is expired. I can see this in the certificate info.

 

If I access the controller this is not the case. So the question would be:

 

1.) What service is running on the UAP, using the certificate?

2.) How can I update this cert?


@edvborken When I attempt to replicate this by connecting to:

http://192.168.0.55

where 192.168.0.55 is the IP address of an AP, I am forwarded to the captive portal on the controller (or external captive portal if so configured). This leads me to believe the cert error you are seeing is related to the SSL cert on the UniFi controller, not on the AP.

 

This is because as @AmazedMender16 stated earlier, the APs do not run a web server and have no service on ports 80 or 443.

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
The thread on our UniFi Device Search tool can be found here, also check out our Captive Portal solutions for UniFi.
New Member
Posts: 16
Registered: a month ago

Re: HTTPS certificate expired on UAP

OK, I get that, but if the HTTPS site I cannot connect to, with the expired SSL cert, is the one of the controller, then why didn't I get the same expired cert on both IPs?

 

AND:

 

When I nmap the AP and the controller, I see that a service is running on port 443:

 

nmap AP
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-27 16:03 CET
Nmap scan report for AP
Host is up (0.015s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
161/tcp open snmp
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds


nmap Controller
=============================
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-27 16:04 CET
Nmap scan report for Controller
Host is up (0.0033s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
5666/tcp open nrpe
6789/tcp open ibm-db2-admin
8080/tcp open http-proxy
8443/tcp open https-alt

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

 

 

And when I access the AP via SSH, netstat also tells me that there is a service running:

 

unifi-vw-1-1-BZ.v4.0.15# netstat -tuan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:161 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 1 0 AP:57344 Controller:8080 CLOSE_WAIT
tcp 0 0 AP:22 my-client:50500 ESTABLISHED

 

So the questions are still the same:

 

a.) What service is running on the AP on port 443?

And yes, I agree this might be a forward to the controller of some sort, but

b.) Why are the certificates not the same on the IP of the AP and the IP of the controller if the AP only forwards me to the controller?

Could it be that the AP uses a local SSL cert of some sort (forward or not)?

New Member
Posts: 16
Registered: a month ago

Re: HTTPS certificate expired on UAP


Ah, and another question:

 

What is the local cert which I find in the folder /etc/httpd on the AP used for?

 

Seems to me as if this is the cert used on port 443.

Established Member
Posts: 1,166
Registered: ‎04-07-2013
Kudos: 535
Solutions: 47

Re: HTTPS certificate expired on UAP


@edvborken wrote:

Hello!

 

Any how-to on switching the SSL cert saved on the UAPs when they are expired?

Thanks!


As stated before, there isn't an SSL-cert on the APs themselves... 

 

I have hundreds of UAPs deployed and not a single one of them is answering to port 80 or port 443.

Regular Member
Posts: 445
Registered: ‎10-14-2015
Kudos: 173
Solutions: 57

Re: HTTPS certificate expired on UAP

@edvborken I just did a quick test on this since I normally don't have "Apply guest policies" on the SSID (I use guest VLAN only).

 

From the look of it normally if you just turn on "Apply guest policies" it enables DNS and HTTP forwarding on the AP. Under Guest Control in the controller, if you also enable "Enable HTTPS Redirection" I am seeing the same thing that you are seeing where it also creates the HTTPS redirector (which "hijacks" any connection to an HTTPS site and forwards you to the portal) and the cert is indeed expired on that redirector on the AP (My testing is on AC-M-Pro).

 

@UBNT-MikeD 

Expired Cert.JPG
Regular Member
Posts: 445
Registered: ‎10-14-2015
Kudos: 173
Solutions: 57

Re: HTTPS certificate expired on UAP


*Duplicate post that was pulled by Spam filter*

Regular Member
Posts: 445
Registered: ‎10-14-2015
Kudos: 173
Solutions: 57

Re: HTTPS certificate expired on UAP

Apparently the Spam filter doesn't like short replies with IP and port information.

 

Here is the SSH Output from the above testing:

 

"Apply guest policies" - Off
UAP-AC-Mesh-BZ.v4.0.25# netstat -tuan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 10.1.32.25:22          0.0.0.0:*               LISTEN      
tcp        1      0 10.1.32.25:57248       10.1.32.2:8080          CLOSE_WAIT  
tcp        1      0 10.1.32.25:57246       10.1.32.2:8080          CLOSE_WAIT  
tcp        1      0 10.1.32.25:57230       10.1.32.2:8080          CLOSE_WAIT  
tcp        0    132 10.1.32.25:22          10.1.32.100:58627         ESTABLISHED 
udp        0      0 0.0.0.0:10001           0.0.0.0:*                           
udp        0      0 0.0.0.0:10001           0.0.0.0:*                           
udp        0      0 0.0.0.0:48000           0.0.0.0:*                           
udp        0      0 10.1.32.25:40950       201.217.3.86:123        ESTABLISHED 
udp        0      0 :::36714                :::*                                
udp        0      0 :::38876                :::*                                
UAP-AC-Mesh-BZ.v4.0.25# 


"Apply guest policies" - On 
"Enable HTTPS Redirection" - Off
UAP-AC-Mesh-BZ.v4.0.25# netstat -tuan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      
tcp        0      0 10.1.32.25:22          0.0.0.0:*               LISTEN      
tcp        1      0 10.1.32.25:57134       10.1.32.2:8080          CLOSE_WAIT  
tcp        0    132 10.1.32.25:22          10.1.32.100:58357         ESTABLISHED 
tcp        1      0 10.1.32.25:57176       10.1.32.2:8080          CLOSE_WAIT  
tcp        1      0 10.1.32.25:57132       10.1.32.2:8080          CLOSE_WAIT  
tcp        0      0 :::53                   :::*                    LISTEN      
udp        0      0 0.0.0.0:10001           0.0.0.0:*                           
udp        0      0 0.0.0.0:10001           0.0.0.0:*                           
udp        0      0 0.0.0.0:53              0.0.0.0:*                           
udp        0      0 10.1.32.25:51026       72.5.72.15:123          ESTABLISHED 
udp        0      0 0.0.0.0:48000           0.0.0.0:*                           
udp        0      0 :::53                   :::*                                
udp        0      0 :::47952                :::*                                
udp        0      0 :::45671                :::*                                

"Apply guest policies" - On 
"Enable HTTPS Redirection" - On
UAP-AC-Mesh-BZ.v4.0.25# netstat -tuan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      
tcp        0      0 10.1.32.25:22          0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      
tcp        0      0 10.1.32.25:57192       10.1.32.2:8080          ESTABLISHED 
tcp        0      0 10.1.32.25:57198       10.1.32.2:8080          ESTABLISHED 
tcp        0      0 10.1.32.25:57190       10.1.32.2:8080          TIME_WAIT   
tcp        0      0 10.1.32.25:57188       10.1.32.2:8080          TIME_WAIT   
tcp        1      0 10.1.32.25:57134       10.1.32.2:8080          CLOSE_WAIT  
tcp        0      0 10.1.32.25:22          10.1.32.100:58357         ESTABLISHED 
tcp        0      0 10.1.32.25:57194       10.1.32.2:8080          ESTABLISHED 
tcp        0      0 10.1.32.25:57196       10.1.32.2:8080          ESTABLISHED 
tcp        1      0 10.1.32.25:57132       10.1.32.2:8080          CLOSE_WAIT  
tcp        0      0 :::53                   :::*                    LISTEN      
udp        0      0 0.0.0.0:10001           0.0.0.0:*                           
udp     4672      0 0.0.0.0:10001           0.0.0.0:*                           
udp        0      0 0.0.0.0:53              0.0.0.0:*                           
udp        0      0 10.1.32.25:51026       72.5.72.15:123          ESTABLISHED 
udp        0      0 0.0.0.0:48000           0.0.0.0:*                           
udp        0      0 :::44062                :::*                                
udp        0      0 :::53                   :::*                                
udp        0      0 :::45671                :::*                                
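
Added example (not part of any post in this thread): a small Python parser that diffs the TCP listeners between the three netstat captures above, showing which sockets each guest setting opens and whether they bind to all interfaces. The snapshot text is abridged from the posted output; the names `SNAPSHOTS`, `listeners` and `added_listeners` are hypothetical.

```python
import re

# Abridged from the three `netstat -tuan` outputs posted above: the TCP LISTEN
# rows plus one ESTABLISHED row, to show that non-listening rows are ignored.
SNAPSHOTS = {
    "guest_off": """
tcp        0      0 10.1.32.25:22          0.0.0.0:*               LISTEN
tcp        0    132 10.1.32.25:22          10.1.32.100:58627         ESTABLISHED
""",
    "guest_on": """
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 10.1.32.25:22          0.0.0.0:*               LISTEN
tcp        0      0 :::53                   :::*                    LISTEN
""",
    "guest_on_https_redirect": """
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 10.1.32.25:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.1.32.25:57192       10.1.32.2:8080          ESTABLISHED
tcp        0      0 :::53                   :::*                    LISTEN
""",
}

# proto, Recv-Q, Send-Q, local addr:port, foreign addr, state == LISTEN
ROW = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN$")

def listeners(netstat_text):
    """Return {port: set of bind addresses} for TCP sockets in LISTEN state."""
    found = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            found.setdefault(int(m.group(2)), set()).add(m.group(1))
    return found

def added_listeners(before, after):
    """Ports listening only in `after`; value is True if bound to a wildcard."""
    old, new = listeners(before), listeners(after)
    return {port: any(a in ("0.0.0.0", "::") for a in addrs)
            for port, addrs in new.items() if port not in old}

if __name__ == "__main__":
    names = list(SNAPSHOTS)
    for prev, cur in zip(names, names[1:]):
        print(prev, "->", cur, added_listeners(SNAPSHOTS[prev], SNAPSHOTS[cur]))
```

In these captures SSH stays bound to the management address, while the listeners added by the guest settings (80 and 53, then 443) bind to the wildcard address, so they also answer on the AP's management IP.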
New Member
Posts: 16
Registered: a month ago

Re: HTTPS certificate expired on UAP

OK, so thanks for that.

 

Any idea what would be the best practice to solve this?

 

As I understand, we need the HTTPS redirect.
