unifi deploy hook doesn't fully support Unifi Cloud Key #3326
Comments
When running on a Unifi Cloud Key device, also deploy to /etc/ssl/private/cloudkey.{crt,key} and reload nginx. This makes the new cert available for the Cloud Key management app running via nginx on port 443 (as well as the port 8443 Unifi Controller app the deploy hook already supported). Fixes acmesh-official#3326
I have used this renew script to deploy to the unifi cloudkey on firmware v1.1.13 and Unifi 6.0.41. I got it from this site: https://www.naschenweng.info/2017/01/06/securing-ubiquiti-unifi-cloud-key-encrypt-automatic-dns-01-challenge/ perhaps it can help?

```bash
#!/bin/bash
# Bundle the Cloud Key's nginx cert and key into a PKCS12 file
# (aircontrolenterprise is the default password of the Unifi java keystore)
openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey /etc/ssl/private/cloudkey.key \
  -out /etc/ssl/private/cloudkey.p12 -name unifi -password pass:aircontrolenterprise
# Import the PKCS12 bundle into the Unifi Controller's java keystore under the alias "unifi"
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
  -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 \
  -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
# Remove the temporary bundle, which contains the private key
rm -f /etc/ssl/private/cloudkey.p12
echo "** Testing Nginx and restarting"
```
@petrus9 thanks, yes, I'd been working from Gerd Naschenweng's really helpful post, as well as James Ridgway's update from earlier this year. The existing unifi.sh deploy hook already includes most of that renew script, but is missing the bit at the end about /etc/ssl/private and restarting nginx. I just submitted PR #3327 to add those parts. (BTW, it's not necessary to remove the snakeoil self-signed key, and the purpose and correct construction of cert.tar is sort-of documented in a Ubiquiti forum post, so I followed their guidance. But maybe not a bad idea to add the nginx config check.)
Note that with the new UnifiOS (Cloud Key firmware version 2.0.0 or greater), there's no need for the java keystore to be maintained - all HTTPS traffic is via port 443 to the new SSO interface on the cloud key. The unifi deployment hook can potentially deal with this automagically, by looking for the existence of key and cert files to replace at
I don't use this deploy hook, I have a custom deployment script using ssh keys and restricted commands, so I'm only commenting to provide information around a change that will soon be required.
Yes, I personally don't believe the Gen1 will get v2.0, and yes, I agree - I wasn't terribly clear, supporting both was what I meant by "deal with this automagically".
@mjbnz thanks for the tip. So do you think it would be reasonable for the unifi deploy hook to just check all three possible cert locations, and deploy to all that exist? Pseudocode:

```sh
# Deploy to java keystore on self-hosted Unifi Controller or CloudKey Gen1:
# ($_ckey and $_cfullchain are the key and full chain acme.sh passes to a deploy hook)
_deployed=0
if [ -f /usr/lib/unifi/data/keystore ]; then
  # generate pkcs12 and import into java keystore (aircontrolenterprise is the Unifi default keystore password)
  openssl pkcs12 -export -in "$_cfullchain" -inkey "$_ckey" -out /usr/lib/unifi/data/unifi.p12 -name unifi -password pass:aircontrolenterprise
  keytool -importkeystore -noprompt -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /usr/lib/unifi/data/unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
  rm -f /usr/lib/unifi/data/unifi.p12
  service unifi restart
  _deployed=1
fi
# Deploy to nginx on CloudKey Gen1
if [ -f /etc/ssl/private/cloudkey.key ]; then
  # deploy cert to /etc/ssl/private/cloudkey.{key,crt} (cat rather than cp keeps the existing file permissions)
  cat "$_ckey" >/etc/ssl/private/cloudkey.key
  cat "$_cfullchain" >/etc/ssl/private/cloudkey.crt
  service nginx restart
  _deployed=1
fi
# Deploy to unifi-core on UnifiOS (CloudKey Gen2, Dream Machine, ...)
if [ -f /data/unifi-core/config/unifi-core.key ]; then
  cat "$_ckey" >/data/unifi-core/config/unifi-core.key
  cat "$_cfullchain" >/data/unifi-core/config/unifi-core.crt
  systemctl restart unifi-core
  _deployed=1
fi
if [ "$_deployed" -eq 0 ]; then  # nothing deployed by this point: issue configuration error
  echo "Error: no Unifi keystore or cert location found on this system" >&2; exit 1
fi
```

(With appropriate config vars to support non-standard installation locations, as in the current unifi deploy hook.)
Yes, I think that looks perfect. Nice one.
Updated PR #3327 to support both generations of Cloud Key (as well as the self-hosted Unifi Controller it previously supported). I only have a Gen1 Cloud Key to test on; if someone running UnifiOS wanted to take a quick glance at the script that would be much appreciated.
@medmunds Has this been added to the latest acme.sh? I can run a test on a CK gen2 with firmware 2.
@medmunds I tried with the current version of acme.sh v2.8.9 on Cloudkey Gen2 Plus firmware 2.0.27 Controller 6.0.45 but it did not work. This worked:
@petrus9 PR #3327 has not been merged yet, so this is not in acme.sh v2.8.9. If you would like to test before that PR is merged, please install the latest acme.sh as usual, then (before running it) copy deploy/unifi.sh from the PR into your local acme.sh installation (overwriting the existing deploy/unifi.sh). Then try deploying with the unifi deploy-hook per the docs.
@medmunds Thanks! Will give it a try. Do you know if this also puts a cert in place for Unifi Protect? On the Cloudkey Gen2 Plus it includes port 7443 as the interface to Unifi Protect, and it can also host Unifi Access and Unifi Talk; not sure if these require a different cert store?
Port 7443 is no longer used on v2.x for general user access, it's all via 443 and the unifi-core frontend/reverse proxy. Cert locations this deploy hook maintains are:
Per @mjbnz's answer above, I believe the answer is yes. However, it does not currently restart the Unifi Protect service, so that may not pick up the new cert immediately. @mjbnz, should I just add a
I can confirm that the hook does not update the cert for Unifi Protect on port 7443; after doing a service unifi-protect restart, the correct cert was deployed. Not sure if this is needed though, since there is nothing there anymore. I think UBNT only wants us to access Protect from the cloud.
As I said above, no, port 7443 is no longer used on CK Firmware v2+ for end user access. You now access the Protect web UI using the CK frontend on port 443.
Yes, you could restart
Edit: now that I say that though, if it's a CK on v1.x firmware (i.e., the unifi-core location doesn't exist), then if there's a
* fix: unifi deploy hook also update Cloud Key nginx certs. When running on a Unifi Cloud Key device, also deploy to /etc/ssl/private/cloudkey.{crt,key} and reload nginx. This makes the new cert available for the Cloud Key management app running via nginx on port 443 (as well as the port 8443 Unifi Controller app the deploy hook already supported). Fixes acmesh-official#3326
* Improve settings documentation comments
* Improve Cloud Key pre-flight error messaging
* Fix typo
* Add support for UnifiOS (Cloud Key Gen2). Since UnifiOS does not use the Java keystore (like a Unifi Controller or Cloud Key Gen1 deploy), this also reworks the settings validation and error messaging somewhat.
* PR review fixes
* Detect unsupported Cloud Key java keystore location
* Don't try to restart inactive services (and remove extra spaces from reload command)
* Clean up error messages and internal variables
* Change to _getdeployconf/_savedeployconf
* Switch from cp to cat to preserve file permissions
When `--deploy-hook unifi` is used on a Unifi Cloud Key, it only deploys the certificate to one of the two locations needed. After a successful deploy, opening the Cloud Key management page shows a browser certificate error.

Problem
A Unifi Cloud Key runs two https servers: the Unifi Controller app on port 8443 and the Cloud Key management app on port 443. The v2.8.8 unifi deploy hook only updates the keystore used for the Unifi Controller. This means browsing to the Cloud Key management app will show a certificate error, because the default self-signed cert is still being used.
(The unifi deploy hook works just fine for running Unifi Controller on your own machine; this is only a problem on Unifi's Cloud Key device.)
Steps to reproduce
[Substitute your own domain for "unifi.example.com"]
Run `./acme.sh --deploy -d "unifi.example.com" --deploy-hook unifi`. Wait for it to complete successfully.
Results: browser error about untrusted certificate
Expected: should be using your new certificate just like the Controller app does on port 8443
Suggested fix
When running on a Cloud Key, the unifi deploy hook also needs to:
    service nginx restart
to reload the management app.

PR follows.
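The failure this issue describes (port 8443 serving the new cert while the management app on port 443 still serves the self-signed one) can be caught after every deploy by comparing the SHA-256 fingerprint each listener presents with that of the deployed chain. The script below is an added example, not part of acme.sh or its unifi deploy hook; it assumes openssl is installed on the checking host, that the Cloud Key is reachable as unifi.example.com, and that the deployed chain sits at acme.sh's usual ~/.acme.sh/<domain>/fullchain.cer path.

```shell
#!/bin/sh
# Post-deploy check for a Unifi Cloud Key: confirm that every https listener
# (management app on 443, Unifi Controller on 8443; only 443 on UnifiOS)
# presents the certificate acme.sh just deployed.

# Normalize an openssl fingerprint line read on stdin
# ("SHA256 Fingerprint=ab:cd:...", any case) to bare upper-case hex.
_fp_normalize() {
  sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# True if two fingerprint strings denote the same digest, whatever their format.
fp_equal() {
  [ "$(printf '%s' "$1" | _fp_normalize)" = "$(printf '%s' "$2" | _fp_normalize)" ]
}

# Fingerprint of the first certificate in a PEM file (the leaf of fullchain.cer).
_fp_of_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | _fp_normalize
}

# Fingerprint of the leaf certificate a host:port actually serves.
# Verification failures (e.g. the Cloud Key's self-signed cert) are irrelevant
# here; we only want the presented certificate.
_fp_served() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | _fp_normalize
}

# check_cloudkey_cert HOST FULLCHAIN PORT...  -> exit 0 only if every port matches
check_cloudkey_cert() {
  host=$1
  expected=$(_fp_of_file "$2")
  shift 2
  rc=0
  for port in "$@"; do
    got=$(_fp_served "$host" "$port")
    if [ -n "$got" ] && fp_equal "$got" "$expected"; then
      echo "OK   $host:$port presents the deployed certificate"
    else
      echo "FAIL $host:$port presents ${got:-no certificate}, expected $expected" >&2
      rc=1
    fi
  done
  return $rc
}

# Example invocation (hostname and path are assumptions, see lead-in):
#   check_cloudkey_cert unifi.example.com ~/.acme.sh/unifi.example.com/fullchain.cer 443 8443
if [ $# -ge 3 ]; then
  check_cloudkey_cert "$@"
fi
```

Run it from cron after acme.sh's renewal, passing only 443 for a UnifiOS device, and a non-zero exit identifies which listener was not reloaded.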