Official Let's Encrypt Support for HTTPS


  • K
    Beta Testers

    Rather than self-signed certs, web-exposed controllers should have the ability to grab and automatically maintain a Let's Encrypt cert as a one-click solution.

    Forum thread: http://community.ubnt.com/t5/UniFi-Wireless/Lets-Encrypt-and-UniFi-controller/m-p/1406670#M131139


  • Beta Testers

    Agreed, but LetsEncrypt is still beta so I suppose waiting until final is a good idea.


  • N
    Beta - EdgeRouter

    My 2c on this: the usual way of verifying via Let's Encrypt is via an HTTP request, which would be a terrible idea on a router. There is a newer verification method, DNS-01, which allows a DNS TXT record to be used to verify instead, but it is not supported by the default client. https://github.com/lukas2511/letsencrypt.sh is an alternative client with very minimal dependencies (I'm pretty sure all dependencies are already met on an EdgeRouter) which supports DNS-01 challenges. The problem with DNS-01 challenges is that the client needs to be able to dynamically update one's DNS records, which will vary depending on the DNS provider; nsupdate might be a good one to support out of the box (there's also an example script for it), but it would likely require the ability to set a custom hook script to implement provider-specific functionality. Let's Encrypt also requires setting an intermediate CA in lighttpd as well (although this is trivial).


  • P
    Beta Testers

    I'd like to see any sort of certificate management inside of the controller at all. Keytool is a pain to use and I'm not looking forward to messing with it again next year when I update my wildcard cert across all my servers.


  • T
    Beta Testers

    I'm not against this, but IMHO this is pseudo-security. Publicly trusted certificates are required to make sites look trustworthy to foreign visitors, which isn't required for private infrastructure. Within a company the correct way of using certificates is to use your own CA. In a Windows environment the DC will provide exactly that service and the root CA cert will be distributed to all AD members automatically. Alternatively, and on non-Windows infrastructure, use easy-rsa and import the root certificate on your machines. Importing that root CA cert is a once-in-a-lifetime action for every device.

    Let's Encrypt is a nice service, but honestly I wouldn't rely on it. At least not yet. Reason being: they are penetrating the certificate market. If they make the slightest mistake (or get hacked), Comodo, Thawte, VeriSign, etc. will be after them. Their CA will be removed from browsers and systems quicker than it got in there, and then you may have machines running with revoked certificates, which is worse than private certificates. Of course that can happen to every public CA, but for LE there's more public pressure.

    Just my 2 cents...


  • N
    Beta - EdgeRouter

    Not everyone is running their own PKI, and distributing custom root CAs to a bunch of devices can actually reduce overall security, as a CA compromise now lets you compromise the security of any device that the private root CA is installed on. If you're running a half dozen devices, Let's Encrypt is a much better option than running your own private PKI and installing a private trusted root CA cert on all your devices (which quite possibly outnumber the devices you are looking at installing certs on, even!)


  • P
    Beta Testers

    In addition, private PKI doesn't help you when you don't manage all the devices that access UniFi. I run a lot of different businesses' hotels from a single UniFi cloud server and each business owner has access to their own site(s). So far I've only had to renew the cert once (I use SSLMate since I have a wildcard cert for my domain). If I could just "set and forget", either via built-in shell support for replacing the cert from Ubiquiti or built-in Let's Encrypt support via the web UI or something, that would be splendid.

    Barring that, I'll see if I can't whip up a shell script that will work with most default (Debian-based) Linux installs sometime. I don't mind doing it by hand since it's once per year, but if I can automate it and help out the rest of the community, all the better.


  • S
    Custom Avatar

    +1 This.

    I do the exact same thing and have client businesses, schools, motels and tourist parks connecting back to a UniFi controller.

    I found a script already made to work with UniFi by a dude on Reddit. The link is here:

    https://www.reddit.com/r/Ubiquiti/comments/43v23u/using_letsencrypt_with_the_unifi_controller/

    I also use a VPN product called Pritunl, and to my surprise Let's Encrypt support was baked into the GUI... just typed in the hostname of the server and clicked apply, and it did the rest!

    This would be seriously great so customers who go to Hotspot Manager aren't hit with a security warning unless the painful process of buying and applying certificates is followed!


  • Beta Testers

    My Synology supports this and is a perfect example of the right implementation. Exactly the same on the USG and Cloud Key would be great.


  • K
    Beta Testers

    Make it so!


  • N
    Beta Testers

    +1 Support! Can't Wait. :D


  • I
    Custom Avatar

    +1 too would like to see this in EdgeOS


  • J
    Beta Testers

    I'd also like to see this in EdgeOS and UniFi.


  • Beta Testers

    Mega upvote :)


  • T
    Beta Testers

    I would add the additional feature request to make sure to include ACME DNS support. This removes the need to have a web endpoint exposed.

    My utopia would be to have all these devices automagically updating their certs every x months.

    #WhisperOfADream


  • A
    Beta Testers

    I'd be happy with having basic support for properly replacing the SSL certificate used by the web service.

    ...and no, replacing the certificate in the keystore using a poorly documented or undocumented process (i.e. a combination of Google-fu and forum posts) does not cut it...

    a) Ability to generate a CSR (optional), then replace/upload the certificate, private key (if not generating a CSR within UniFi) and CA/intermediate chain via the web UI

    b) Documented API/CLI to do the same

    Once you have A, supporting ANY CA is possible for general users, and once you have B you can support scripted/automated workflows (including Let's Encrypt).

    Natively supporting Let's Encrypt would be great, but how about basic certificate handling being implemented across the Ubiquiti product line before jumping into this...


  • Beta Testers

    Andrew makes an excellent point.


  • N
    Beta - EdgeRouter

    In the latest release the ability to set certificate and key files is already in the CLI:

    nvx@ER8# set service gui
    Possible completions:
      ca-file       File containing intermediate CA certificate(s)
      cert-file     File containing server certificate and private key in PEM format

    No need for undocumented replacing of files in the filesystem anymore.

    Would be trivial to write a wizard for it I imagine if it hasn't already been done for CLI-averse folks.
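    A hook script of the kind the EdgeRouter posts above describe (letsencrypt.sh with a DNS-01 challenge published through nsupdate, then the result written to the files that "set service gui cert-file" and "ca-file" point at), written here as an added illustration; it is not letsencrypt.sh's own example hook and not Ubiquiti code. The hook argument order, the DNS server/zone/TSIG key settings and the /config/auth paths are assumptions.

```shell
#!/bin/sh
# Hypothetical hook script for letsencrypt.sh (an added illustration, not the
# client's own code). Assumed call convention, modelled on the client's example hook:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh deploy_cert      DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
# Assumed settings: update-capable DNS server, zone, and the TSIG key that
# authorises the update (unauthenticated dynamic updates must not be allowed).
NSUPDATE_SERVER="${NSUPDATE_SERVER:-ns1.example.com}"
NSUPDATE_ZONE="${NSUPDATE_ZONE:-example.com}"
NSUPDATE_KEY="${NSUPDATE_KEY:-/config/auth/acme-tsig.key}"
# Assumed paths; they must match "set service gui cert-file" and "ca-file".
GUI_CERT_FILE="${GUI_CERT_FILE:-/config/auth/server.pem}"
GUI_CA_FILE="${GUI_CA_FILE:-/config/auth/ca.pem}"

# Build the nsupdate batch that adds or deletes the _acme-challenge TXT record.
nsupdate_batch() {
    domain="$1"; value="$2"; action="${3:-add}"
    printf 'server %s\nzone %s.\n' "$NSUPDATE_SERVER" "$NSUPDATE_ZONE"
    if [ "$action" = add ]; then
        printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$domain" "$value"
    else
        printf 'update delete _acme-challenge.%s. TXT "%s"\n' "$domain" "$value"
    fi
    printf 'send\n'
}

deploy_challenge() {
    nsupdate_batch "$1" "$3" add | nsupdate -k "$NSUPDATE_KEY"
    sleep 30   # let secondaries pick up the record before validation
}

clean_challenge() {
    nsupdate_batch "$1" "$3" delete | nsupdate -k "$NSUPDATE_KEY"
}

# cert-file wants private key + server cert in one PEM; ca-file gets the chain.
bundle_for_gui() {
    umask 077
    cat "$1" "$2" > "$4"
    cp "$3" "$5"
}

deploy_cert() {
    # $1=DOMAIN $2=KEYFILE $3=CERTFILE $4=FULLCHAINFILE $5=CHAINFILE
    bundle_for_gui "$2" "$3" "$5" "$GUI_CERT_FILE" "$GUI_CA_FILE"
}

# Dispatch on the hook name when invoked by the client; no-op otherwise.
case "$1" in deploy_challenge|clean_challenge|deploy_cert) "$@" ;; esac
```

    Restarting the GUI service so lighttpd reloads the new files is left to the operator; the thread does not cover that command.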


  • A
    Beta Testers

    That's great news for the EdgeRouter (and something I wasn't aware of), however that still leaves:

    • EdgeSwitch

    • Unifi Controller

    • Unifi Video Controller

    • AirMax

    All of which have varying levels of "let's blindly change files outside the GUI/CLI/API to get things working".

    For the EdgeRouter use case, the CLI option noted is more than sufficient; however, Ubiquiti's controller-managed solutions (i.e. the UniFi range) should be much further along than they currently are, in my opinion anyway.


  • N
    Beta - EdgeRouter

    I'll give you that point on EdgeSwitches and airMAX, although the UniFi and UniFi Video controllers are both standard Java keystores, which, yes, is a crappy format I admit, but it's literally how every Java application works and there's lots of documentation on how to manage Java keystores and the tools surrounding them.

    That said, Ubiquiti could probably have some better docs surrounding the setup, but I don't really see any value in changing it on those two products.

