Wednesday, August 30, 2023

Unifi Controller: update your SSL certificate

I am running my Unifi Controller (UC) inside a Docker container on my Synology from the excellent image provided by Jacob Alberty. I needed to update my SSL certificate and it took some time for me to figure out how to do that again.

My setup is that I have a number of folders mapped from the container to a volume on my NAS. /volume1/docker/unifi contains 3 folders: cert, data and logs. The cert folder contains the necessary SSL certificate. All my files have the extension *.pem and are in PEM format. Although the logging later on hints that you should use the PKCS12 format, PEM works fine as well.
The files that are needed are:

  • cert.pem     # the certificate
  • privkey.pem  # the private key for the certificate
  • chain.pem    # the full certificate chain (your intermediate certificate pasted first, and right under it your root certificate)

Steps:

  1. Log in to your Synology through SSH.
  2. Identify the Docker container ID of your UC:
     docker ps
     Output:
     CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS              PORTS                                                                                                                                                                                NAMES
     78bd86bc763a        7cdd2aec3527                   "/usr/local/bin/docke"   12 months ago       Up 23 minutes       0.0.0.0:6789->6789/tcp, 0.0.0.0:8080->8080/tcp, 0.0.0.0:8443->8443/tcp, 0.0.0.0:8843->8843/tcp, 0.0.0.0:3478->3478/udp, 0.0.0.0:10001->10001/udp, 6789/udp, 0.0.0.0:8880->8880/tcp   unifi
  3. Create a backup of your running SSL certificate in the folder _backups:
     cd /volume1/docker/unifi/cert && mv *.pem _backups/
  4. Copy your new files onto your Synology (/usr/syno/etc/certificate/system/default), placing them in the cert folder and keeping the names mentioned above: cert.pem, privkey.pem and chain.pem.
  5. Check the permissions and restrict the files to the owner only:
     chmod 400 *.pem
  6. Restart the Docker container (from the command line or the Synology web console).
  7. Monitor the container coming back up; replace 78bd86bc763a with your actual container ID. The log below shows that a new certificate was found and is being loaded into the UC. If you keep seeing the old certificate after the restart, you have probably put the new certificate in the wrong place; try again.
     docker logs -f 78bd86bc763a
     Logging:
     [2019-02-09 08:08:13,866]  Starting unifi controller service.
     [2019-02-09 08:08:13,868]  WARNING: Running UniFi in insecure (root) mode
     [2019-02-09 08:12:27,477]  Exit signal received, shutting down
     [2019-02-09 08:12:33,211]  Cert directory found. Checking Certs
     [2019-02-09 08:12:33,440]  Cert has changed, updating controller...
     [2019-02-09 08:12:33,443]  Using openssl to prepare certificate...
     [2019-02-09 08:12:33,488]  Removing existing certificate from Unifi protected keystore...
     [2019-02-09 08:12:33,903]  Inserting certificate into Unifi keystore...
     Importing keystore /tmp/tmp.cuWCGLJI1p to /unifi/data/keystore...
     
     Warning:
     The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /unifi/data/keystore -destkeystore /unifi/data/keystore -deststoretype pkcs12".
     [2019-02-09 08:12:34,684]  Cleaning up temp files
     [2019-02-09 08:12:34,688]  Done!
     [2019-02-09 08:12:34,692]  Starting unifi controller service.
     [2019-02-09 08:12:34,693]  WARNING: Running UniFi in insecure (root) mode
  8. Browse to the UC and check the certificate in your browser (keyboard shortcut Command+Option+J in Chrome on Mac).
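The whole procedure as one shell script, added here as an example; it is not the blog's script nor part of the Docker image. It assumes the folder layout from the post (/volume1/docker/unifi/cert with a _backups subfolder) and the container name unifi from the docker ps output, and it adds two checks the post leaves to the eye: that chain.pem actually holds at least two certificates (intermediate plus root) and, when openssl is installed, that privkey.pem is the key belonging to cert.pem, so a mismatched pair is rejected before the container is restarted. The served_cert_subject function is the command-line counterpart of checking the certificate in the browser.

```shell
#!/bin/sh
# Added example, not the blog's or the Docker image's own script.
# Assumed layout (from the post): CERT_DIR holds cert.pem, privkey.pem and chain.pem
# plus a _backups subfolder; the container is named "unifi" (see the docker ps output).
CERT_DIR="${CERT_DIR:-/volume1/docker/unifi/cert}"
CONTAINER="${CONTAINER:-unifi}"

# count_pem_blocks FILE: number of "-----BEGIN CERTIFICATE-----" blocks in FILE (0 if absent).
count_pem_blocks() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_new_certs DIR: sanity-check a staging folder before anything is moved.
# Succeeds only if all three files exist with the expected PEM headers and
# chain.pem carries at least two certificates (intermediate first, then root).
check_new_certs() {
    dir="$1"
    for f in cert.pem privkey.pem chain.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/cert.pem" \
        || { echo "cert.pem is not a PEM certificate" >&2; return 1; }
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$dir/privkey.pem" \
        || { echo "privkey.pem is not a PEM private key" >&2; return 1; }
    n=$(count_pem_blocks "$dir/chain.pem")
    [ "$n" -ge 2 ] \
        || { echo "chain.pem holds $n certificate(s); expected intermediate then root" >&2; return 1; }
}

# key_matches_cert DIR: confirm privkey.pem belongs to cert.pem by comparing the
# public key embedded in each. Returns 2 if openssl is not installed, 1 on mismatch
# or unparsable input.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    a=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# install_certs SRC_DIR: steps 3 to 5 of the post. Moves the running files into a
# timestamped folder under _backups, copies the new ones in and locks them to 400.
install_certs() {
    src="$1"
    check_new_certs "$src" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$CERT_DIR/_backups/$stamp"
    for f in "$CERT_DIR"/*.pem; do
        [ -f "$f" ] && mv "$f" "$CERT_DIR/_backups/$stamp/"
    done
    cp "$src/cert.pem" "$src/privkey.pem" "$src/chain.pem" "$CERT_DIR/"
    chmod 400 "$CERT_DIR"/*.pem
}

# restart_and_watch: steps 6 and 7. Restart the container and print the log lines
# that report the certificate swap (the ones shown in the post).
restart_and_watch() {
    docker restart "$CONTAINER" >/dev/null || return 1
    sleep 5
    docker logs --tail 50 "$CONTAINER" 2>&1 \
        | grep -E 'Cert (directory found|has changed)|Inserting certificate|Done!'
}

# served_cert_subject HOST [PORT]: show which certificate the controller actually
# presents on its HTTPS port (default 8443), i.e. step 8 without a browser.
served_cert_subject() {
    echo | openssl s_client -connect "$1:${2:-8443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Usage on the NAS: sh update-unifi-cert.sh run /path/to/staged/new-certs
if [ "${1:-}" = "run" ]; then
    src="${2:?staging folder with cert.pem, privkey.pem, chain.pem required}"
    if key_matches_cert "$src"; then :; elif [ $? -eq 1 ]; then
        echo "privkey.pem does not match cert.pem, aborting" >&2; exit 1
    fi
    install_certs "$src" && restart_and_watch
fi
```

The key/certificate comparison is deliberately done before the old files are moved: a mismatched pair would otherwise only surface as a failed keystore import after the restart, at which point the controller is already down and the old files have been moved aside.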
