Showing posts with label ssl. Show all posts

Wednesday, August 30, 2023

Unifi Controller: update your SSL certificate

I am running my Unifi Controller (UC) inside a Docker container on my Synology from the excellent image provided by Jacob Alberty. I needed to update my SSL certificate and it took some time for me to figure out how to do that again.

My setup is that a number of folders are mapped from the container to a volume on my NAS: /volume1/docker/unifi contains three folders, cert, data and logs. The cert folder holds the SSL certificate files. All my files use the .pem extension and are in PEM format; although the log output later on hints that you should use the PKCS12 format, PEM works fine as well.
The files that are needed are:

  • cert.pem  # The Certificate
  • privkey.pem # Private key for the cert
  • chain.pem # full certificate chain: your intermediate pasted first, and your root certificate directly under it
  1. Log in to your Synology through SSH.
  2. Identify the Docker container ID of your UC:
    docker ps
    Output:
    CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS              PORTS                                                                                                                                                                                NAMES
    78bd86bc763a        7cdd2aec3527                   "/usr/local/bin/docke"   12 months ago       Up 23 minutes       0.0.0.0:6789->6789/tcp, 0.0.0.0:8080->8080/tcp, 0.0.0.0:8443->8443/tcp, 0.0.0.0:8843->8843/tcp, 0.0.0.0:3478->3478/udp, 0.0.0.0:10001->10001/udp, 6789/udp, 0.0.0.0:8880->8880/tcp   unifi
  3. Create a backup of your running SSL certificate in the folder _backups (the folder must already exist):
    cd /volume1/docker/unifi/cert && mv *.pem _backups/
  4. Copy your new files into /volume1/docker/unifi/cert, the folder the container mounts, and keep the naming as mentioned above: cert.pem, privkey.pem and chain.pem. If you installed the certificate in DSM first, DSM keeps these same three files under /usr/syno/etc/certificate/system/default, so you can copy them from there.
  5. Check the permissions and make the files readable by the owner only. They must be owned by the user the container runs as (root here, as the "insecure (root) mode" line in the log confirms), or the controller cannot read them:
    chmod 400 *.pem
  6. Restart the Docker container (from the command line or the Synology web console).
  7. Monitor the container coming back up; replace 78bd86bc763a with your actual container ID. The log below shows that a new certificate was found and is being imported into the UC keystore. If you keep seeing the old certificate after restarting, you have probably updated the files in the wrong place; try again.
    docker logs -f 78bd86bc763a
    Logging:
    [2019-02-09 08:08:13,866]  Starting unifi controller service.
    [2019-02-09 08:08:13,868]  WARNING: Running UniFi in insecure (root) mode
    [2019-02-09 08:12:27,477]  Exit signal received, shutting down
    [2019-02-09 08:12:33,211]  Cert directory found. Checking Certs
    [2019-02-09 08:12:33,440]  Cert has changed, updating controller...
    [2019-02-09 08:12:33,443]  Using openssl to prepare certificate...
    [2019-02-09 08:12:33,488]  Removing existing certificate from Unifi protected keystore...
    [2019-02-09 08:12:33,903]  Inserting certificate into Unifi keystore...
    Importing keystore /tmp/tmp.cuWCGLJI1p to /unifi/data/keystore...
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /unifi/data/keystore -destkeystore /unifi/data/keystore -deststoretype pkcs12".
    [2019-02-09 08:12:34,684]  Cleaning up temp files
    [2019-02-09 08:12:34,688]  Done!
    [2019-02-09 08:12:34,692]  Starting unifi controller service.
    [2019-02-09 08:12:34,693]  WARNING: Running UniFi in insecure (root) mode
  8. Browse to the UC and check the certificate in your browser (keyboard shortcut Command+Option+J in Chrome on Mac).

Friday, August 2, 2019

Renew your wildcard certificate on your DSM Webstation and OpenVPN server

Do you have a wildcard (*.yourdomain.com) SSL certificate that is expiring and needs renewal? Below are the steps to renew it on a Synology DSM. I also use the certificate for the OpenVPN server on the DSM, so I need to update it in two places.

Convention:

  • Certificate: server.crt
  • Private key: server.key
  • Intermediate: ca_bundle.crt
  • Root: ca.crt


Obtain a new wildcard certificate

  • Log in to DSM at https://ip:5001
  • SSH into the DSM
  • cd /usr/syno/etc/packages/VPNCenter/openvpn/keys
  • Make a copy of the ca_bundle.crt file
  • In DSM: Control Panel > Security > Certificate
  • Click on CSR, then Renew certificate
  • Select the country, then download the CSR and the private key. The key you download is the one the new certificate will belong to: keep it off mail and shared drives, and delete the download once the certificate is installed.
  • Go to ssl2buy.com to buy a new wildcard certificate from alphassl.com
  • Enter the CSR (generated by your DSM) and select the approval method admin@yourdomain.com
  • Go to your webmail, log in with the admin@yourdomain.com account and look for the email asking you to approve the new purchase
  • Click the approval link in that email to have the certificate issued (you then get an email with the certificate from ssl2buy)
  • Add a new certificate by uploading the server.key, server.crt and ca_bundle.crt files in the wizard
  • Click on Edit to set the new certificate as the default one, then remove the old (inactive) one. The web server restarts itself with the new certificate.
Tip: The intermediate certificate (in base64 format) from AlphaSSL can be downloaded here.


Update the certificates for the OpenVPN server

  • SSH into the DSM and make yourself root:
    sudo -i
    cd /usr/syno/etc/packages/VPNCenter/openvpn/keys
  • Under the history directory, make a new folder named after the date you last created or renewed the certificate, and move the old files there as a backup:
    mkdir history/YYYY-MM-DD
    mv server.* history/YYYY-MM-DD
    cp -rp ca* history/YYYY-MM-DD
  • Paste the new private key, certificate and intermediate into server.key, server.crt and ca_bundle.crt respectively (vi server.key, and the same for the other files named under Convention).
  • Make the files readable by the owner only:
    chmod 400 server*
    chmod 400 ca*
  • Restart the OpenVPN server:
    /var/packages/VPNCenter/target/scripts/openvpn.sh restart
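The UniFi container steps earlier on this page and the OpenVPN steps just above do the same thing by hand: back up the old files, drop in certificate, key and chain, chmod 400, restart, look. The script below is an added example and not code from either post, from the jacobalberty image or from Synology. It adds the checks that catch the usual mistakes before anything is restarted (a key that does not belong to the certificate, a chain in the wrong order, a file that is not PEM or a key with a passphrase) and then shows the certificate the service actually serves. Paths, file names, the container name unifi (from the docker ps output) and the restart commands are taken from the posts; the host name nas.example.lan and the dated backup folder names are assumptions.

```shell
#!/bin/sh
# Added example: install a renewed PEM certificate bundle for the UniFi
# container or the DSM OpenVPN server with pre-flight checks. Not code from
# either post; paths and file names are theirs, the host name is assumed.
set -eu

# ---- pure-shell checks on the PEM files --------------------------------------
pem_has_block() {            # pem_has_block FILE TYPE   (TYPE: CERTIFICATE or "PRIVATE KEY")
    [ -f "$1" ] || return 1
    grep -q -- "-----BEGIN .*$2-----" "$1" && grep -q -- "-----END .*$2-----" "$1"
}
pem_cert_count() {           # number of certificates in FILE, 0 if the file is missing
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- "-----BEGIN CERTIFICATE-----" "$1" || true
}

# ---- openssl checks ----------------------------------------------------------
cert_key_match() {           # cert_key_match CERT KEY: the public keys must be identical
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
chain_order_ok() {           # chain_order_ok CERT CHAIN: the first cert in CHAIN must have issued CERT
    iss=$(openssl x509 -in "$1" -noout -issuer); sub=$(openssl x509 -in "$2" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ]
}
chain_verifies() {           # CERT must reach a root: one inside CHAIN (UniFi post: intermediate +
                             # root) or one in the system store when CHAIN is only the intermediate
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || openssl verify -untrusted "$2" "$1" >/dev/null
}

# install_bundle SRC DEST BACKUP CERT KEY CHAIN "restart command"
# SRC holds the new files under their final names; the old files go to BACKUP.
install_bundle() {
    src=$1 dest=$2 backup=$3 cert=$4 key=$5 chain=$6 restart=$7
    for f in "$cert" "$key" "$chain"; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    pem_has_block "$src/$cert" CERTIFICATE   || { echo "$cert is not a PEM certificate" >&2; return 1; }
    pem_has_block "$src/$key" "PRIVATE KEY"  || { echo "$key is not a PEM private key" >&2; return 1; }
    if grep -q -- "-----BEGIN ENCRYPTED" "$src/$key"; then
        echo "$key is passphrase-protected; both services need an unencrypted key" >&2; return 1
    fi
    [ "$(pem_cert_count "$src/$chain")" -ge 1 ] || { echo "$chain holds no certificate" >&2; return 1; }
    cert_key_match "$src/$cert" "$src/$key"    || { echo "$key does not belong to $cert" >&2; return 1; }
    chain_order_ok "$src/$cert" "$src/$chain"  || { echo "first cert in $chain did not issue $cert" >&2; return 1; }
    chain_verifies "$src/$cert" "$src/$chain"  || { echo "$cert does not verify against $chain" >&2; return 1; }

    mkdir -p "$backup"
    for f in "$cert" "$key" "$chain"; do     # keep the old files, as both posts do
        if [ -f "$dest/$f" ]; then mv "$dest/$f" "$backup/"; fi
    done
    cp "$src/$cert" "$src/$key" "$src/$chain" "$dest/"
    chmod 400 "$dest/$cert" "$dest/$key" "$dest/$chain"   # owner-readable only
    $restart                                              # deliberately unquoted: a command line
}

served_cert() {              # served_cert HOST PORT: what the listener hands out after the restart
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate -fingerprint -sha256
}

case "${1:-}" in
    unifi)   d=/volume1/docker/unifi/cert
             install_bundle "${2:?source dir}" "$d" "$d/_backups/$(date +%F)" \
                 cert.pem privkey.pem chain.pem "docker restart unifi"
             docker logs --since 5m unifi | grep -E 'Cert has changed|Cert directory found' || true
             served_cert nas.example.lan 8443 ;;          # host name assumed
    openvpn) d=/usr/syno/etc/packages/VPNCenter/openvpn/keys
             install_bundle "${2:?source dir}" "$d" "$d/history/$(date +%F)" \
                 server.crt server.key ca_bundle.crt \
                 "/var/packages/VPNCenter/target/scripts/openvpn.sh restart" ;;
esac
```

Run it as root with the new files staged in a directory of their own: "sh install-cert.sh unifi /volume1/docker/unifi/new" or "sh install-cert.sh openvpn /root/new-wildcard". Every check runs before the old files are touched, so a rejected bundle leaves the running service alone; the served_cert call at the end is the scriptable form of "check the certificate in your browser".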


And you should be good to go for another year...

Friday, March 23, 2018

Renew your Let's Encrypt certificate

You are using a Let's Encrypt certificate but get the warning that it will expire. These are the quick steps to renew it.

  1. Adapt your DNS so the domain points to your public IP (if it currently points to an internal IP, e.g. 192.168.Y.X)
  2. Forward ports 80/443 on your router to that internal IP
  3. Run the renewal:
    sudo certbot renew
  4. If successful, disable the port forwarding again
  5. Change the DNS back

Two shortcuts: "sudo certbot renew --dry-run" exercises the whole path against the staging environment without spending a real issuance, and a DNS-01 challenge (certbot has plugins for the common DNS providers) validates through a TXT record, so nothing has to be reachable from the internet and steps 1, 2, 4 and 5 disappear.
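Whichever way the certificate was obtained (Let's Encrypt here, the AlphaSSL wildcard or the DSM wizard above), the check worth scripting is the same: how many days are left on the file you installed and on what the listener actually serves. The script below is an added example, not code from the post or from certbot. It parses the notAfter line that openssl prints with integer shell arithmetic, so it does not depend on GNU "date -d", and exits non-zero as soon as fewer than 30 days remain, the window in which certbot itself renews. The file paths are the ones named on this page plus certbot's standard live directory; example.com and the NAS host name are placeholders.

```shell
#!/bin/sh
# Added example: report days left on a certificate file or on the certificate a
# listener serves, and fail once fewer than THRESHOLD_DAYS remain. Not code from
# the post or from certbot; example.com and the NAS host name are placeholders.
set -eu

THRESHOLD_DAYS=${THRESHOLD_DAYS:-30}   # certbot renews Let's Encrypt's 90-day certs inside this window

# Days from 1970-01-01 to the proleptic-Gregorian date Y M D, integer arithmetic
# only (the days-from-civil algorithm), so no dependence on GNU "date -d".
days_from_civil() {
    y=$1 m=$2 d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

month_num() {                 # "Aug" -> 8, as printed by openssl
    case $1 in Jan) echo 1;; Feb) echo 2;; Mar) echo 3;; Apr) echo 4;;  May) echo 5;;  Jun) echo 6;;
               Jul) echo 7;; Aug) echo 8;; Sep) echo 9;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
               *) return 1;; esac
}

notafter_days() {             # "notAfter=Aug 30 12:00:00 2024 GMT" -> days since the epoch
    set -- ${1#notAfter=}     # word-split into: Mon D HH:MM:SS YYYY GMT (single-digit days are space padded)
    days_from_civil "$4" "$(month_num "$1")" "$2"
}

days_left() {                 # days_left NOTAFTER [NOW_EPOCH]: negative once expired
    now=${2:-$(date +%s)}
    echo $(( $(notafter_days "$1") - now / 86400 ))
}

report() {                    # report LABEL DAYS: succeeds only while more than THRESHOLD_DAYS remain
    printf '%-50s %5s days left\n' "$1" "$2"
    [ "$2" -gt "$THRESHOLD_DAYS" ]
}

check_file() {                # check_file PATH: the PEM file you installed
    report "$1" "$(days_left "$(openssl x509 -in "$1" -noout -enddate)")"
}

check_server() {              # check_server HOST PORT: the certificate actually served
    end=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
          openssl x509 -noout -enddate)
    report "$1:$2" "$(days_left "$end")"
}

case "${1:-}" in
    file)   check_file "$2" ;;
    server) check_server "$2" "$3" ;;
    all)    rc=0              # every certificate this page touches; host names assumed
            check_file /etc/letsencrypt/live/example.com/fullchain.pem        || rc=1
            check_file /usr/syno/etc/packages/VPNCenter/openvpn/keys/server.crt || rc=1
            check_file /volume1/docker/unifi/cert/cert.pem                    || rc=1
            check_server nas.example.com 5001                                 || rc=1
            check_server nas.example.com 8443                                 || rc=1
            exit $rc ;;
esac
```

"sh cert-days.sh all" from a cron job is enough to replace the browser warning with an email before it appears; "sh cert-days.sh server nas.example.com 8443" after one of the installs above confirms that the listener, not just the file on disk, carries the new expiry date. Checking the served certificate separately matters because a restart that silently failed leaves the file fresh and the service stale.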

Sunday, November 20, 2016

Enable HTTPS for EmonCMS on Raspbian

Our EmonCMS installation at home currently runs only over HTTP, which is not secure at all. Enabling HTTPS is a must. However, a small tweak to the AllowOverride option is needed for it to work.
Tip: If you have HTTPS enabled but logging in always returns the login screen with the message 'undefined', follow the fix explained below.

Check whether HTTPS is already enabled for your Apache installation:

root@raspi1:~# netstat -an | grep LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN

As you can see, nothing is listening on port 443 (HTTPS) yet, so we need to enable the HTTPS configuration for Apache.

Enable the default HTTPS (SSL) configuration for Apache:

1. Check whether the SSL module is already enabled.
root@raspi1:~# ls -l /etc/apache2/mods-enabled/*ssl*
root@raspi1:~#

If nothing is returned, the module is not enabled yet and needs to be linked from /etc/apache2/mods-available/ (on Debian-based systems "a2enmod ssl" creates exactly these links).

2. Make symbolic links for the SSL module.
root@raspi1:~# cd /etc/apache2/mods-enabled/
root@raspi1:~# ln -s ../mods-available/ssl.conf ssl.conf
root@raspi1:~# ln -s ../mods-available/ssl.load ssl.load

3. Make a symbolic link for the SSL site config ("a2ensite default-ssl" does the same).
root@raspi1:~# cd /etc/apache2/sites-enabled/
root@raspi1:~# ln -s ../sites-available/default-ssl 000-default-ssl

4. Change two lines in /etc/apache2/sites-available/default-ssl: AllowOverride None becomes AllowOverride All in the two Directory blocks, so that Apache honours the .htaccess file EmonCMS ships (without it the rewrite rules are ignored and logging in loops back to the login screen with 'undefined'). Only the /var/www block actually needs it; AllowOverride All on <Directory /> lets a .htaccess anywhere on the filesystem override the server configuration, so leaving that block at None is the tighter choice.
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                #Changed None to All on 18/11/2016
                AllowOverride All
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                #Changed None to All on 18/11/2016
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

Note that default-ssl ships pointing at Debian's self-signed "snakeoil" certificate, so browsers will warn until you point SSLCertificateFile and SSLCertificateKeyFile at a real certificate (a Let's Encrypt one, for instance).

5. Restart Apache now.
root@raspi1:~# /etc/init.d/apache2 restart

This tip came from here.
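The AllowOverride change above is applied to <Directory /> as well as to /var/www, which is broader than EmonCMS needs: it lets a .htaccess file anywhere on the filesystem override the server configuration. The script below is an added example, not code from the post or from the EmonCMS project. It prints a narrower version of the two Directory blocks, lints a site file for AllowOverride All on the root directory, and enables the SSL site with Debian's a2enmod/a2ensite helpers (which create the same symlinks the post makes by hand), refusing to restart when configtest fails. The site path is the Apache 2.2 layout the post shows; the Options line in the hardened blocks also drops Indexes, so directory listings are off.

```shell
#!/bin/sh
# Added example: narrow the AllowOverride change to the DocumentRoot, lint a site
# file for the over-broad form, and enable the SSL site the Debian way. Not code
# from the post or from EmonCMS; paths follow the Apache 2.2 layout shown above.
set -eu

SITE=${SITE:-/etc/apache2/sites-available/default-ssl}

# Print every <Directory> that sets "AllowOverride All"; exit 1 if the root
# directory "/" is among them, since that honours a .htaccess anywhere on disk.
audit_allowoverride() {
    awk '
        /^[ \t]*<Directory[ \t]/ { dir = $2; sub(/>.*$/, "", dir); gsub(/"/, "", dir) }
        /^[ \t]*<\/Directory>/   { dir = "" }
        dir != "" && /^[ \t]*AllowOverride[ \t]+All/ { print dir; if (dir == "/") bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# The two blocks the post edits, with .htaccess honoured only under /var/www
# (where EmonCMS ships its .htaccess) and directory listings switched off.
hardened_directory_blocks() {
    cat <<'EOF'
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options FollowSymLinks
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
EOF
}

enable_ssl_site() {           # same result as the symlinks made by hand in the post
    a2enmod ssl
    a2ensite default-ssl
    apache2ctl configtest     # a broken config must not take the site down
    /etc/init.d/apache2 restart
}

verify_listener() {           # 443 must be listening and hand out a certificate
    netstat -an | grep -q ':443 .*LISTEN'
    openssl s_client -connect localhost:443 </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -enddate
}

case "${1:-}" in
    audit)  audit_allowoverride "$SITE" ;;
    show)   hardened_directory_blocks ;;
    enable) audit_allowoverride "$SITE" && enable_ssl_site && verify_listener ;;
esac
```

"sh emoncms-ssl.sh audit" on the file as edited in the post prints both "/" and "/var/www/" and exits 1; after replacing the blocks with the output of "sh emoncms-ssl.sh show" it prints only "/var/www/" and "sh emoncms-ssl.sh enable" goes on to enable and verify the site. EmonCMS only needs its own .htaccess honoured, so the narrower form loses nothing.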