08-15-2018 02:30 PM - edited 08-15-2018 02:43 PM
I have a controller running on my computer and I want to set up an SSL certificate for the local IP of the cloud controller and port 8443. How can I set up SSL for the local IP address?
Controller is running on windows 10 pro
Same problem here, running a linux machine.
I've got no idea who's going to sign my cert for a 192.168.1.1/24 address...
Currently I can't run my UAP AC Pro with any controller...
Welcome to the community!
You can't have an SSL cert on an IP address... you would need a DNS record and purchase a cert.
You can ignore the SSL warning if it's only local though.
There are several posts about using letsencrypt to generate a certificate, and even GitHub posts like https://github.com/stevejenkins/unifi-linux-utils and https://gist.github.com/potto007/4782d817ed12234e81e5df2eda637cbd to do this, but I find them overly complicated.
Here is a quick and easy method to generate your own certificate that is good for 10 years, as long as this is just for your home/personal use.
Download the certgen.sh script from https://drive.google.com/open?id=1d1ybF6fXAYUueGHuMvN11jqp6q1-78jK and save it on your pi. Make sure it is executable and then follow these steps:
1. certgen.sh ca
This walks you through creating a self-signed CA/root certificate for you. The output is a cacert.pem and cakey.pem file.
2. certgen.sh server cakey.pem cacert.pem
This creates a server-side certificate signed by the above created CA. The output of this is server_cert.pem and server_key.pem.
3. openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -certfile cacert.pem -name unifi -out pi.p12
Reads the server certificate created above and converts it into a PKCS12 file named pi.p12.
4. keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore keystore -srckeystore pi.p12 -srcstoretype PKCS12 -srcstorepass welcome1
This takes the pi.p12 file from above and stores it in a Java keystore file named keystore.
5. Now that we have a custom keystore, we need to tell the controller to use it. Change to the /var/lib/unifi directory and (as root) rename keystore to keystore.orig. Copy the output keystore file from (4) above into this /var/lib/unifi directory and restart the controller.
A couple of notes on the above:
1 - When running certgen.sh it prompts for several things. It has default values but you probably want to change at least the value of the common name to be the name of your server where the controller is running. This keeps browsers happy when the server you are connecting to has a certificate that matches that name.
2 - Since the certificate is self-signed you'll need to import the cacert.pem file into your browser as a trusted root certificate authority and perhaps mark it as trusted.
From there you should be able to connect to https://hostname:8443 just fine.
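An added example, not part of the original post and not the certgen.sh script it links to: steps 1 and 2 done with plain openssl, with a subjectAltName that lists both the host name and the controller's LAN IP, which is the field current browsers match against the address in the URL. The host name unifi.home.lan, the IP 192.168.1.10 and the CA name are constructed placeholders; the output file names match the post's, so steps 3 to 5 apply unchanged.

```shell
#!/bin/sh
# Added example, not the post's certgen.sh. Host name, IP and CA name are
# constructed placeholders.

# issue_lan_cert OUTDIR HOSTNAME IP
issue_lan_cert() (
  out=$1; host=$2; ip=$3
  umask 077                               # key files readable by owner only
  mkdir -p "$out" && cd "$out" || exit 1
  # Own config file, so the result does not depend on the system openssl.cnf.
  cat > openssl.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,IP:$ip
EOF
  # Step 1 equivalent: self-signed root CA, 10 years as in the post.
  openssl req -new -x509 -config openssl.cnf -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Home Lab Root CA" \
    -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
  # Step 2 equivalent: server key and CSR, then a CA-signed certificate.
  # 825 days for the leaf is a choice made here, not taken from the post.
  openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout server_key.pem -out server.csr 2>/dev/null || exit 1
  openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -sha256 -days 825 -extfile openssl.cnf \
    -extensions v3_server -out server_cert.pem 2>/dev/null
)

# check_lan_cert OUTDIR IP: succeeds only if the chain verifies against the CA
# and IP appears as an exact "IP Address" entry in the subjectAltName.
check_lan_cert() (
  cd "$1" || exit 1
  openssl verify -CAfile cacert.pem server_cert.pem >/dev/null 2>&1 || exit 1
  openssl x509 -in server_cert.pem -noout -text | tr ',' '\n' |
    sed 's/^ *//' | grep -qxF "IP Address:$2"
)

# Runs only when called as: script OUTDIR HOSTNAME IP
if [ "$#" -eq 3 ]; then issue_lan_cert "$@" && check_lan_cert "$1" "$3"; fi
```

Only cacert.pem needs to be imported into browsers; cakey.pem can sign further certificates that those browsers will trust, so store it away from the controller host.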