New Member
Posts: 13
Registered: ‎08-04-2017
Kudos: 2
Accepted Solution

Lets Encrypt on Hosted Controller

Can't quite get my SSL working; I am very close, but it just doesn't seem to work.

I have a DigitalOcean droplet with controller version 5.8.28 and Ubuntu 16.04.4 x64. The controller is installed and working. I have not migrated any access points; it's empty right now until I get SSL working.

 

I followed the tutorial here.

https://www.hinesnetwork.com/how-to-setup-a-unifi-controller-with-a-real-certificate/

 

I also followed the tutorial here.

https://lg.io/2015/12/13/using-lets-encrypt-to-secure-cloud-hosted-services-like-ubiquitis-mfi-unifi...

 

When I use the command below:

letsencrypt certonly -a webroot --webroot-path=/var/www/html -d unfi.domain.com

I get the response:

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

 

I get the following after running nginx -t:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

 

So I know the certificate is there, but I can't seem to get it to add security to https://unfi.domain.com:8443. I have launched the controller on a different PC etc. I didn't receive any errors through SSH, so I don't have much else to go on.

The certificate issuer name is ubnt.com, so the certificate is not active.

 

Any help would be appreciated!

 

Thanks

 

 



All Replies
New Member
Posts: 5
Registered: ‎06-14-2018

Re: Lets Encrypt on Hosted Controller

This is a Let's Encrypt error. It won't issue a new certificate since you already have a certificate on that domain name (probably on the old server?). If you want the same name you have to stop the Let's Encrypt autorenewal on the old server and move the certificate from there to the new server... or wait until it's getting close to expiry so you can get a new one on the new server.

 

New Member
Posts: 13
Registered: ‎08-04-2017
Kudos: 2

Re: Lets Encrypt on Hosted Controller

I chose to create a new cert and cancelled, so there is a certificate available for my subdomain; I just can't get the controller to work with it.

Regular Member
Posts: 421
Registered: ‎10-21-2014
Kudos: 117
Solutions: 16

Re: Lets Encrypt on Hosted Controller

There have been some changes in the UniFi certificate handling from 5.9.x that cause many of the UniFi import certificate scripts out there to fail.

 

You may try my updated script available at https://util.wifi.gl/unifi-import-cert.sh

 

Read the comments in the script file for full UniFi + LetsEncrypt install instructions.

 

Remember to replace the domain name in the script to your own.

 

Frank

 

Regular Member
Posts: 421
Registered: ‎10-21-2014
Kudos: 117
Solutions: 16

Re: Lets Encrypt on Hosted Controller

You can reuse the domain name to get a new certificate as soon as you have pointed your DNS to the IP address of the new server.

There is no requirement to wait.

New Member
Posts: 5
Registered: ‎06-14-2018

Re: Lets Encrypt on Hosted Controller

I see. So you have the certificate locally on the machine and you aim to use nginx as an HTTPS proxy for the Java HTTP service of the UniFi Controller?

 

New Member
Posts: 13
Registered: ‎08-04-2017
Kudos: 2

Re: Lets Encrypt on Hosted Controller

Thank you so much, your script worked for me! I appreciate it!

Regular Member
Posts: 421
Registered: ‎10-21-2014
Kudos: 117
Solutions: 16

Re: Lets Encrypt on Hosted Controller

@stricklandnvr glad to hear it helped you 😊 You may mark my post as "solution" to make it easier for others to find.

Member
Posts: 175
Registered: ‎12-06-2015
Kudos: 76
Solutions: 5

Re: Lets Encrypt on Hosted Controller


@Frankedinven

 

Thank you for this script! Amazing..

Do you know if this script will work with 5.8.x?

 

Also, I'm not 100% clear: do I need to add the certbot renewal as a cron job, or is that not necessary?

Regular Member
Posts: 421
Registered: ‎10-21-2014
Kudos: 117
Solutions: 16

Re: Lets Encrypt on Hosted Controller

@macmagic

The script is tested with UniFi 5.8.28 and 5.9.22. Most likely it will work with any recent version of UniFi.

When you run the "./certbot-auto renew" script it will run all scripts in the "/etc/letsencrypt/renewal-hooks/post/" folder when the certificate has been successfully renewed.

By copying the "unifi-import-cert.sh" script to "/etc/letsencrypt/renewal-hooks/post/unifi-import-cert.sh" it will run after (post) a successful certificate renewal.

LetsEncrypt will send you expiry warnings by email and you can run "./certbot-auto renew" manually.

If running as a monthly crontab it will automatically renew and import the certificate before expiry.

If the renewal warnings bother you, you can run "./certbot-auto renew" more frequently (like every day) and you will be ahead of the warnings.

Established Member
Posts: 2,549
Registered: ‎06-04-2008
Kudos: 590
Solutions: 6

Re: Lets Encrypt on Hosted Controller


@Frankedinven wrote:

You may try my updated script available at https://util.wifi.gl/unifi-import-cert.sh

It's running in circles.


root@UniFi-Clients1:~# /etc/letsencrypt/renewal-hooks/post/unifi-import-cert.sh
--2018-09-26 18:06:53--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 151.101.184.201, 2a04:4e42:2c::201
Connecting to dl.eff.org (dl.eff.org)|151.101.184.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 62299 (61K) [application/octet-stream]
Saving to: 'certbot-auto.8'

certbot-auto.8                                      100%[==================================================================================================================>]  60.84K  --.-KB/s    in 0.006s

2018-09-26 18:06:53 (10.3 MB/s) - 'certbot-auto.8' saved [62299/62299]

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): clients1.unifi.dnacom.com
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/clients1.unifi.dnacom.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for clients1.unifi.dnacom.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/clients1.unifi.dnacom.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/clients1.unifi.dnacom.com/privkey.pem
   Your cert will expire on 2018-12-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

--2018-09-26 18:07:23--  https://util.wifi.gl/unifi-import-cert.sh
Resolving util.wifi.gl (util.wifi.gl)... 149.56.47.190
Connecting to util.wifi.gl (util.wifi.gl)|149.56.47.190|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2556 (2.5K) [text/x-sh]
Saving to: 'unifi-import-cert.sh.7'

unifi-import-cert.sh.7                              100%[==================================================================================================================>]   2.50K  --.-KB/s    in 0s

2018-09-26 18:07:23 (105 MB/s) - 'unifi-import-cert.sh.7' saved [2556/2556]

--2018-09-26 18:07:23--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 151.101.184.201, 2a04:4e42:2c::201
Connecting to dl.eff.org (dl.eff.org)|151.101.184.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 62299 (61K) [application/octet-stream]
Saving to: 'certbot-auto.9'

certbot-auto.9                                      100%[==================================================================================================================>]  60.84K  --.-KB/s    in 0.006s

2018-09-26 18:07:23 (10.6 MB/s) - 'certbot-auto.9' saved [62299/62299]

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

 

Regular Member
Posts: 421
Registered: ‎10-21-2014
Kudos: 117
Solutions: 16

Re: Lets Encrypt on Hosted Controller

@mhammett

 

The script downloads neither certbot-auto nor the unifi-import-cert.sh script.

Thus it is not the cause of the scripting loop.

 

It seems you have uncommented the "Instruction section" in the script file.

 

The "instructions" section (#1...5) is for manual execution on first installation and is included as comments.

 

The "script" section will be executed upon Cert renewal (only if actually renewed) when included in the /etc/letsencrypt/renewal-hooks/ folder.

 

I hope this clarifies :-)

 

Established Member
Posts: 2,549
Registered: ‎06-04-2008
Kudos: 590
Solutions: 6

Re: Lets Encrypt on Hosted Controller


@Frankedinven wrote:

@mhammett

It seems you have uncommented the "Instruction section" in the script file.

That is exactly what I did. Might want to add some comments indicating how I'm supposed to handle that. Usually, when I see things in a file, they're optionally uncommentable.

New Member
Posts: 34
Registered: ‎04-29-2014
Kudos: 8

Re: Lets Encrypt on Hosted Controller

In regards to 5.9.29, I found that the script I was using no longer worked. Although this guide appears to use basically the same script, following this did seem to fix my issue. The only thing I really changed was putting my p12 chain into the letsencrypt directory, using "fullchain.p12" in the name instead of "cert.p12", and using unifi for the name, alias, and password instead of ubnt and temppass. Core functions of the script didn't seem to differ. I'm not sure how much these changes really mattered, but it worked after them, and that's all I care about.

 

Here's my script in case anyone else is curious.

#!/bin/bash

# Get the certificate from LetsEncrypt (only actually renews when the cert is due)
/home/ubuntu/scripts/certbot-auto renew --webroot --webroot-path /var/www/html/ --quiet --no-self-upgrade

# Convert cert to PKCS #12 format (private key + full chain, stored under the alias "unifi")
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -out /etc/letsencrypt/live/mydomain.com/fullchain.p12 -name unifi -password pass:unifi

# Load it into the java keystore that UBNT understands
# (-noprompt makes keytool overwrite an existing entry with the same alias instead of asking)
sudo keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /etc/letsencrypt/live/mydomain.com/fullchain.p12 -srcstoretype PKCS12 -srcstorepass unifi -alias unifi -noprompt

# Restart unifi so it reloads the keystore (sudo, like the steps above, in case this runs unprivileged)
sudo service unifi restart

 

EDIT: "-srcstoretype PKCS12" may have been the part to do the trick. I might have added this along the way of my troubleshooting and didn't properly test the before/after effects.

New Member
Posts: 22
Registered: ‎08-24-2018
Kudos: 1
Solutions: 1

Re: Lets Encrypt on Hosted Controller

@taytrho thank you! Your script did the trick; the only change I see, compared to mine, is the alias. But apparently I was using a wrong one.

New Member
Posts: 10
Registered: ‎04-02-2016
Solutions: 1

Re: Lets Encrypt on Hosted Controller

The trick is not in the alias; I still use "ubnt" and it works... you choose this yourself in step 1.

You have to make a new keystore file every time you use the keytool; that is the real trick....

Steps:

openssl pkcs12 -export -inkey /etc/letsencrypt/live/yoursite/privkey.pem -in /etc/letsencrypt/live/yoursite/fullchain.pem -out yourp12file.p12 -name ubnt -password pass:yourpassword

mv /var/lib/unifi/keystore /var/lib/unifi/keystore.backup

keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore yourp12file.p12 -srcstoretype PKCS12 -srcstorepass yourpassword -alias ubnt -noprompt

systemctl restart unifi

 

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Lets Encrypt on Hosted Controller

@woftor You don't have to make a new keystore, you just want to delete the existing key in the store. See here:

 

https://github.com/stevejenkins/unifi-linux-utils/blob/master/unifi_ssl_import.sh#L156-L158

 

@Frankedinven Kudos for using the renewal hook! I'm working on incorporating certbot using the post hook in my own script and I wonder why more people don't think of it. Would you like to contribute?

 

--

Klint

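Pulling the pieces from the posts above (Frank's renewal-hook approach, taytrho's openssl/keytool sequence, woftor's steps and the point that the existing alias should be deleted rather than the keystore replaced) into one hook, as an added example that is not the thread's, Frank's or stevejenkins' script: a certbot deploy hook. Certbot runs scripts in /etc/letsencrypt/renewal-hooks/deploy/ once per certificate it actually issued and exports RENEWED_LINEAGE and RENEWED_DOMAINS to them, which is what lets the hook find the right live/ directory and ignore renewals for other names. It also does the check the original poster was missing: after the restart it compares the SHA-256 fingerprint of the leaf on disk with the leaf that port 8443 really serves, so an import that "succeeded" but left the ubnt.com certificate in place fails loudly. The hostname unifi.example.com, the alias name unifi, the keystore path and the unifi service user are assumptions; aircontrolenterprise is the controller's stock keystore password as used in the scripts above.

```shell
#!/bin/sh
# Certbot deploy hook for a self-hosted UniFi controller (example; not the thread's script).
# Install as /etc/letsencrypt/renewal-hooks/deploy/unifi-import-cert.sh, mode 0755.
# Certbot runs deploy hooks only for certificates it actually issued and exports
# RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) and RENEWED_DOMAINS (space-separated).
set -eu

UNIFI_HOST="${UNIFI_HOST:-unifi.example.com}"          # assumed controller FQDN
UNIFI_KEYSTORE="${UNIFI_KEYSTORE:-/var/lib/unifi/keystore}"
UNIFI_STOREPASS="aircontrolenterprise"                  # controller's stock keystore password
UNIFI_ALIAS="unifi"                                      # alias the controller loads (assumed)
P12=""
trap 'if [ -n "$P12" ]; then rm -f "$P12"; fi' EXIT     # never leave the key bundle behind

# 0 if the space-separated list $1 contains $2 as a whole item, not as a substring.
renewed_includes_domain() {
    for d in $1; do                                      # unquoted on purpose: split on spaces
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# Normalise an openssl "sha256 Fingerprint=AB:CD:..." line to lowercase hex.
fingerprint_hex() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

pem_fingerprint() {      # $1 = PEM certificate file
    fingerprint_hex "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

served_fingerprint() {   # $1 = host, $2 = port; the leaf certificate that listener presents
    fingerprint_hex "$(openssl s_client -connect "$1:$2" -servername "$UNIFI_HOST" \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
}

import_cert() {          # $1 = lineage directory
    P12="$(mktemp)"
    p12pass="$(head -c 18 /dev/urandom | base64)"       # throwaway; the bundle is deleted on exit
    # 1. Private key + full chain into PKCS#12 under the alias UniFi expects.
    openssl pkcs12 -export -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
        -name "$UNIFI_ALIAS" -out "$P12" -passout "pass:$p12pass"
    # 2. Drop the previous entry; a stale alias is how an import "succeeds" while 8443 keeps the old cert.
    keytool -delete -alias "$UNIFI_ALIAS" -keystore "$UNIFI_KEYSTORE" \
        -storepass "$UNIFI_STOREPASS" >/dev/null 2>&1 || true
    # 3. Import into the existing keystore instead of replacing the file.
    keytool -importkeystore -noprompt \
        -srckeystore "$P12" -srcstoretype PKCS12 -srcstorepass "$p12pass" -srcalias "$UNIFI_ALIAS" \
        -destkeystore "$UNIFI_KEYSTORE" -deststorepass "$UNIFI_STOREPASS" \
        -destkeypass "$UNIFI_STOREPASS" -destalias "$UNIFI_ALIAS"
    chown unifi:unifi "$UNIFI_KEYSTORE"                  # user the Debian package runs as (assumed)
    systemctl restart unifi
}

verify_deployed() {      # $1 = lineage directory; succeeds once 8443 serves the new leaf
    want="$(pem_fingerprint "$1/cert.pem")"
    have=""
    for _ in 1 2 3 4 5 6 7 8 9 10 11 12; do              # the controller takes a while to come back
        have="$(served_fingerprint 127.0.0.1 8443)"
        if [ "$have" = "$want" ]; then
            echo "8443 now serves $want"
            return 0
        fi
        sleep 10
    done
    echo "8443 serves '${have:-nothing}', expected '$want'; check the alias and the unifi log" >&2
    return 1
}

main() {
    lineage="${RENEWED_LINEAGE:?set by certbot for deploy hooks}"
    if ! renewed_includes_domain "${RENEWED_DOMAINS:-}" "$UNIFI_HOST"; then
        echo "renewed '${RENEWED_DOMAINS:-}' does not include $UNIFI_HOST; nothing to do"
        return 0
    fi
    import_cert "$lineage"
    verify_deployed "$lineage"
}

# Certbot sets RENEWED_LINEAGE; run by hand without it, the file only defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

To exercise it before the first real renewal, export the two variables yourself (RENEWED_LINEAGE=/etc/letsencrypt/live/unifi.example.com RENEWED_DOMAINS=unifi.example.com) and run the file as root; a certbot --dry-run does not execute deploy hooks. The exact-match test on RENEWED_DOMAINS matters on hosts that renew several certificates from one certbot install: a substring match would fire for a sibling name and push the wrong certificate into the controller.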
Member
Posts: 191
Registered: ‎10-07-2017
Kudos: 46
Solutions: 1

Re: Lets Encrypt on Hosted Controller

@SprockTech wrote:

@woftor You don't have to make a new keystore, you just want to delete the existing key in the store. See here:

https://github.com/stevejenkins/unifi-linux-utils/blob/master/unifi_ssl_import.sh#L156-L158

@Frankedinven Kudos for using the renewal hook! I'm working on incorporating certbot using the post hook in my own script and I wonder why more people don't think of it. Would you like to contribute?

--

Klint

It's not exactly new to some of us....

 

I've been using stevejenkins' script in the post hook directory for 11 months plus, with an added line near the end of his script after

service ${UNIFI_SERVICE} start

to restart nginx (which I'm also running), i.e.

service nginx restart

Tidy setup, all in one spot.....

 

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Lets Encrypt on Hosted Controller

@adrianmmiller Cool! I just mean most people seem to run Steve's script separately from certbot instead of using the hook.

 

I'm curious to know more about your nginx setup. Can you share a link to a thread discussing it or send me a PM?

 

Thanks!

 

--

Klint

Member
Posts: 191
Registered: ‎10-07-2017
Kudos: 46
Solutions: 1

Re: Lets Encrypt on Hosted Controller

@SprockTech wrote:

@adrianmmiller Cool! I just mean most people seem to run Steve's script separately from certbot instead of using the hook.

I'm curious to know more about your nginx setup. Can you share a link to a thread discussing it or send me a PM?

Thanks!

--

Klint

I knew what you meant. To be fair, I only figured it out because I noticed the hook directories and read the manual.

As for nginx, for reverse proxying, there are a few threads on here; here is one, for example:

https://community.ubnt.com/t5/UniFi-Wireless/Unifi-Controller-behind-nginx-proxy-Server-log-LocalHos...

My personal /etc/nginx/sites-enabled/default file is:

#/etc/nginx/sites-enabled/default
# sites-enabled files are included inside nginx's http{} block, so these apply to every
# server below unless a server sets its own add_header (see the 443 server)
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";

server {
    listen 80;
    server_name _;
    error_log /var/log/unifi/nginx.log;

    # ACME http-01 challenge files for the webroot method; these must stay on plain HTTP
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html/letsencrypt;
    }

    # A "return" at server level runs before location matching and would redirect the
    # challenge above to 443 (where the controller answers 404), so it lives in location /
    location / {
        return 301 https://wifi.domain.com.au$request_uri;
    }
}

server {
    listen 443 ssl default_server http2;
    server_name wifi.domain.com.au;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/wifi.domain.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wifi.domain.com.au/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 300;
    # TLS 1.0 and 1.1 are deprecated; "ssl_protocols TLSv1.2;" unless an old client still needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # stapling only works when nginx can look up the OCSP responder: add a "resolver" directive
    ssl_stapling on;
    ssl_ciphers  ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
    # add_header is not inherited from http{} once a block sets its own, so X-XSS-Protection
    # is repeated here; DENY deliberately overrides the SAMEORIGIN default above
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    error_log /var/log/unifi/nginx.log;
    client_max_body_size 8M;
    proxy_cache off;
    proxy_store off;

    location / {
        include /etc/nginx/proxy_params;
        proxy_pass https://127.0.0.1:8443$request_uri;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

It takes any request for wifi.domain.com.au (not our real FQDN) typed into the browser and bumps it to SSL and to the UniFi controller port.

The location block

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html/letsencrypt;
    }

is just there as I used the webroot method for Let's Encrypt.

I also have a lighttpd server running on port 81 (I tried using nginx for all, but trying to get PHP running properly was a menace, so many hours wasted; lighttpd took seconds) for some separate PHP stuff (mostly for maintaining whitelists/blacklists) for an interface to a centralised multi-site ad-blocking script I'm working on: the DNS blacklist is compiled on the server, and the various sites' USGs check in every x hours and download and apply the compiled blacklist and maintained whitelists from the server (minimal script processing on the USG). So I have added the following location block to the above config, just before the closing bracket, so typing any URL wifi.domain.com.au/admin will take me to the SSL-bumped pages under the admin folder in my webroot, where I'm currently testing from:


location /admin {
include /etc/nginx/proxy_params;
proxy_pass http://127.0.0.1:81$request_uri;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}


