-
-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Report bugs to unifi deploy hook #3359
Comments
just curious tho this might not be related purely to the unifi deploy hook (first time using acmesh, used certbot before) but i couldn't find something on that matter: does the cronjob that comes with acme is also deploying the certs? |
@blackjack4494 yes, acme.sh saves your deploy-hook settings, and re-deploys with those same settings after a successful cron certificate renewal. (This applies to all deploy hooks, not just unifi.) |
I'm just replacing an Ubuntu 16.04 VM running Unifi with a new VM running 22.04. When trying to use the unifi hook (which worked great on 16.04), I get
I can run
and see 1 existing certificate in the keystore (either providing no password or the default one in the script). I wonder if this relates to it as it mentions Ubuntu Jammy (which is v22) but I'm unsure if I can add the -legacy parameter in the script and if, so where. |
I realised the topkcs routine called in unifi.sh lives in the main acme.sh file, so I added -legacy to the first call in that (line 1427 on my system). That line now reads:
And the import now works. |
@SupersixEvo thanks for tracking this down. @Neilpang this affects |
@medmunds add one more parameter to the in the deploy hook, invoke it with value |
also, you should check if current openssl supports "-legacy" option first. |
Can confirm that this works, though my openssl does not accept -legacy directly? |
I had a problem with a CloudKey G2+. The deploy script seemed to think it was a Gen1, so deployment failed.
The script was looking for /etc/ssl/private/cloudkey.key to identify it as a G1, and that file did exist but was > 2 years old. I wonder if it used to use nginx before it upgraded itself to use Unifi OS. and then the deploy ran fine.
|
Just to add a +1 to robinalden's comment above. My CloudKey2 was upgraded from UnifiOS 1 --> 2.x --> 3.x and I had exactly the same issue with the deploy hook until I renamed /etc/ssl/private. Perhaps there is a better way to detect the OS version? |
from unifi-utilities case "$(ubnt-device-info firmware || true)" in |
Not strictly a deploy issue, but ECC certs borked unifi-core on my CloudKey Gen2 Plus running firmware v3.1.13. Blew away the ECC certs, reissued RSA certs, and redeployed to fix. |
There should be a status check var. You're assuming we're (FreeBSD) using systemd. The same for the other systectl usage. |
I found I had trouble deploying my certs on my UDR running Unifi OS (3.1.16). It seems I'd fall foul of this line as for some reason I had a keystore file at
From a bit of searching around it seems that the guest hotspot portal (which I have enabled) may use the I ended up hacking the deploy hook to avoid running the |
Trying this on a Unifi Express ... wish me luck! == will delete this comment if no issues No keytool (line 103) on Unifi Express. Wonder what they use? Asked in the community over there, see if I get a response. https://community.ui.com/questions/Keytool-alternative-on-UniFi-Express/5154559a-b064-4f41-a183-a106b9e690dc |
We need a check for keytool and if it does not exist use openssl. |
Running a Unifi Dream Machine with the same poblem. I'm not sure openssl can create a Java keystore. You'll notice that the java binaries are also removed. I got my response from Ubiquiti support yesterday, told me SSL isn't their problem. Hacky fix is just to reinstall keytool: apt update && apt install openjdk-11-jre-headless -y puts it in place with a few other packages that seem harmless enough. YMMV with support on that, and likely need to re-run after an update. openjdk-17 is newer, but loads a lot more packages. There's also a minor problem with the UDM running hotspot portal. I need to redeploy a few times to see what's going on, but I think the keystore shouldn't have the CA as well. Error in the log is that "2 certificates were found, only 1 expected." Manually creating the keystore fixes it. |
Once the keytool problem is sorted and the certificates correctly converted to a JKS keystore, the next problem is that the default Unifi console uses weak ciphers that aren't compatible with the default RSA certificates from letsencrypt. The system configuration needs to be updated for hotspot portal (and potentially other services to work.) |
I recently updated my CloudKey G2 to After getting the certs issued and running this hook, I could see /data/unifi-core/config/unifi-core.key and unifi-core.crt update at first, but when the unifi service restarted, both files were replaced with self-signed RSA certs. I noticed that the certs getting wiped out were ECC, which seemed new with this version of acme.sh. After fiddling with some different options, issuing with |
Openssl can create a java compatible keystore. If fact you should be using it instead of keytool these days for acme.sh. The instructions are here https://docs.oracle.com/cd/E19509-01/820-3503/ggfhb/index.html Modern java implementations are moving away from the old proprietry keystore format to the new pkcs12 format which is the type openssl can create. Example below. The alias should be the same as the one it uses now for the current certificate and key in the keystore. You cannot use this to update a keystore, only create it. Please note a password is mandatory for it to be a java compatible keystore. $ cat mykey.pem.txt mycertificate.pem.txt>mykeycertificate.pem.txt
$ openssl pkcs12 -export -in mykeycertificate.pem.txt -out mykeystore.pkcs12
-name myAlias -noiter -nomaciter |
It looks like you're correct. Every implementation of this Unifi certificate installation was converting to PKCS12 and then importing that to JKS. All the historical documents I could find from Unifi have that as the process as well. I just re-deployed, skipping the JKS import, and it handles the pkcs12 just fine. |
Fantastic! Does that mean we have solved the problem? That would be a great outcome! Can you send me links to the historical documents? I am itching to use this on my UX. Happy to drop in a patched unifi deploy hook to test for here then I can write it up. You guys have a wiki or a pages site for this place? |
Potentially. Tested on a UDM (not the UDM Pro), and don't have any other devices to test with. Welcome to take a look at my updates: Here's where I am with it: I also had to change the logic for service restart. If unifi is running while unifi-core restarts, it throws an error: This seems to break both wifiman and the hotspot portal, but I don't use wifiman. The hotspot portal now works, but you have to turn encryption off and back on after deploying a new cert for some reason. That's not a new bug though. |
Hey all: I no longer own a working CloudKey, so can't really provide support for the unifi deploy hook. (Also, I didn't create it—I just fixed a bug and opened this issue.) If something's broken and you're able to fix it, please open a PR. And mention #3359 in your PR comments so it shows up here. Neilpang (the acme.sh creator/maintainer) has been really responsive about merging fixes while maintaining high project quality. (Especially considering the huge number of PRs this project gets.) But Neil also doesn't run Unifi, so the folks here that are using it will need to make sure proposed fixes work for all the versions of CloudKey and self-hosted Unifi Controller the unifi deploy hook supports. If anyone is able to help with unifi deploy hook maintenance and wants to be on the "assignees" list for this issue, let Neilpang know. (I've removed myself as the assignee.) Also, if the unifi deploy hook doesn't meet your needs, there are a couple of alternatives depending on your setup:
|
Found a patch to unifi.sh tested on UnifiOS 4.0.7 on Cloud Gateway Ultra. Here it is. https://gist.github.com/mry/61125fba7b474c0c61cccc4100dd6e02 |
Whats required to get your revisions commited? I could potentially test it on a CKG2+ and a Cloud Gateway Ultra. |
It looks like the Unifi has yet another new keystore to manage. @petrus9 's linked patch removes compatibility with other/older devices. I'll get back on this in the next few days. Edit: The new unifi-core-direct.crt file which @petrus9 's link modifies appears to be a LE signed certificate for a cn ".id.ui.direct" Changing this seems like a bad idea, since I don't know what Ubiquiti is using it for. This patch does specifically fix the keytool not found error to allow the web interface certificate to work, but it also breaks a lot of other things, such as the captive portal and probably CloudKey compatibility. |
I'm away from my network for another week and I'm not going to test this over VPN in case it breaks VPN. But if you want to test before then, I've pushed my latest to my dev branch. Note, I did not integrate the above patch for reasons in my above post. I'll do a PR and finally get it merged once I'm able to test myself. https://github.com/3VAbdAVE/acme.sh/blob/dev/deploy/unifi.sh |
@3VAbdAVE I recently redeployed my Cloud Gateway Ultra and tried your fix: it seems to work without breaking any of the aforementioned endpoints. Huzzah! |
@3VAbdAVE I noticed that this doesn't configure the RADIUS server certificates. Is it supposed to? |
I figured out how to replace the RADIUS cert myself. I'll do a pull request with that once I get caught up on some things. |
No, I don't use that feature. Quick search looks like it's just another copy to /etc/freeradius? Good to hear it's working though. I'll be able to test myself on Monday, and can pull request after that. |
Ok, well my pull request got rejected twice because of shellfmt, which works fine on my end. If someone wants to look at it and let me know what I'm missing, plz have at it. |
I've encountered a couple of minor issues whilst attempting to use the deploy/unifi.sh script with a self-hosted controller… Lines 144 to 150 in fc7f861
makes assumptions regarding the location of the "system.properties" file (i.e. that it will be located at "/usr/lib/unifi/data/system.properties"), this is not the case for my deployment; mine happens to be located at "/usr/local/unifi/data/system.properties". It's probably reasonable to assume that the "system.properties" configuration is in the same directory as the "keystore" , in which case Also, my system doesn't use systemd, so the unguarded use of Line 159 in fc7f861
Something like Lines 205 to 207 in fc7f861
|
Good points, mostly artifacts of only having my own udm to test with. I can tinker with making things more dynamic in the next few days, but someone else will need to test. |
Kinda punted on this, moved @Dadeos concerns into DEPLOY environment variables. I did remove the explicit calls to systemctl. Probably safe to assume the service is running if the files/directories exist. I just don't have any way to test it outside my UDM. |
On UnifiOS 4.0.18 with a CloudKey Gen 2 tghe Unifi deploy hook fasils with the following error:
Commenting out https://github.com/acmesh-official/acme.sh/blob/master/deploy/unifi.sh#L186-L189 and run
|
This is the place to report bugs in the unifi deploy hook.
If you experience a bug with
--deploy-hook unifi
, please report it in this issue. (Please include the--debug
output to assist in diagnosing any problems.)Thanks!
The text was updated successfully, but these errors were encountered: