Securing UniFi Cloud Key with SSL certificate from RapidSSL

  • Pingback: Securing Ubiquiti UniFi Cloud Key with Let’s Encrypt SSL and automatic dns-01 challenge | naschenweng.info

  • Tommy

    I did what you showed us and it worked, but after rebooting the CloudKey, the CloudKey started using another certificate with an error that it is not valid
    Issued to: San Jose
    Issued by: San Jose
    Valid from 1/26/2017 to 1/27/2027

    I removed the symlink that references the self-signed cert and after that I cannot restart the web server.

    [email protected]:~# keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
    Existing entry alias unifi exists, overwrite? [no]: yes
    [email protected]:~# /etc/init.d/nginx restart [….] Restarting nginx (via systemctl): nginx.serviceJob for nginx.service failed. See ‘systemctl status nginx.service’ and ‘journalctl -xn’ for details.
    failed!
    [email protected]:~# /etc/init.d/nginx restart [….] Restarting nginx (via systemctl): nginx.serviceJob for nginx.service failed. See ‘systemctl status nginx.service’ and ‘journalctl -xn’ for details.
    failed!
    [email protected]:~# /etc/init.d/unifi restart [email protected]:~# reboot

    • That looks wrong. As far as I understand when the UCK reboots it will check the content of /etc/ssl/private/cert.tar against the files in /etc/ssl/private/ and if they are not the same, it will unpack cert.tar and overwrite files in /etc/ssl/private.

      I used the above SSL config for several days and did upgrades and reboots on the UCK and the SSL config remained intact. I have subsequently moved on to Let’s Encrypt (I have a blog-post up about how to configure this as well), and can only suggest to check the content of your /etc/ssl/private directory and the cert.tar in it.

      • Tommy

        I reset the CloudKey to factory default and upgraded the firmware to the latest. Have you upgraded your CloudKey to 0.5.9 and Controller to 5.4.9? I use Namecheap for the certificate. I worked with the normal controller on Ubuntu in the past. Let me reset the CKey again and try. Do you have any suggestions where to look for errors?

        Thanks for your tutorial and help.

      • tommy

        IT WORKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

        I reset the CKey to default, CLOSED ALL open UniFi CKey portal windows, installed the cert in 5 min and then upgraded and rebooted 2 times, and it STILL WORKS. HURRAY!
        Let’s hope it’ll stay this way.

        Thx a lot.

        • I am glad you got it sorted. I am on UCK 0.5.9 and was initially on 5.3.X and then upgraded to the 5.4.9. The SSL certs and configuration stayed. I did notice that after the 5.4.9 upgrade, I could not reach my UCK from the outside, but this was an unrelated issue.

          • Tommy

            Thanks a lot once again

            I still have a problem with setting up the UniFi CKey Guest Portal. It gives an error message and, after acknowledging the dialog box, it redirects to the UniFi CKey controller IP address. I set the Guest Portal to “Force HTTPS redirect” ON.

            Do I have to specify the certificate issuer address in the certificate? In my case NameCheap.com, so that the client browser that loads the certificate can connect to the internet to validate it?

            What do you think?

          • Tommy

            Forgot to tell you, in “Allow Networks” in “Guest Portal”, should I enter the IP of the NameCheap.com validation address there? Or something else?

          • I have not yet done anything with the Guest portal and just looked at the options now. It is my assumption that you can access your cloud controller via https://yourdomain.com (i.e. the same domain name you issued the cert against). If this is the case, I think you should be able to just tick all 3 redirect options under those settings and it should work.

            Perhaps you specified the redirect URL wrong or the issued cert is wrong. One suggestion would be to use the chat function and have Ubiquiti support have a look at it – I did it the other day where they used Teamviewer and helped with a configuration issue.

          • tom

            Thanks

            Yea, it redirects me to an IP address, e.g. 192.168.22.30, instead of my domain name, and throws an error dialog box. I will try the chat you told me about.

            Thanks

  • Tommy

    “Houston, We Got A Problem!!”

    Gerd, I still got a problem with the certificate. It works for the Cloud Key controller and the CK itself, but it doesn’t work with the Guest Portal. I am getting an error message saying that the certificate is not trusted when users try to load the Guest Portal page.

    • Lol. There could be a number of reasons (fair warning: I don’t use the guest-portal, so I am making guesses): If the Guest Portal is HTTPS, check if it actually loads your cert. If it does, it could very well be a mixed content issue (i.e. the portal uses hardcoded http://-links). If it does not load your cert, then it might be another config issue or it is redirecting to the wrong URL.

      • Tommy

        Hi

        It loads fine on my desktop PC but not on my smartphone; I get a cert error/warning even when I try to load the CKey controller login screen. I assume that my smartphone is the problem, but it has no issues loading internet sites, e.g. https://google.com and others. Any idea how to get rid of that error message on my cell?

        • To rule out any cert issues, I would run an SSL test via https://ssllabs.com/ssltest/analyze.html?d=yourdomain – I know that some CAs (such as STARTSSL) were distrusted by Mozilla, but SSLLabs will show this.

          Perhaps the mobile phone renders the guest pages differently, causing the SSL error (one option would be to simulate the user-agent to see the pages on the desktop). You can also do this via curl/wget. Perhaps the mobile version has mixed content?

          • Tommy

            I got this:

            Additional Certificates (if supplied)
            Certificates provided 1 (1362 bytes)
            Chain issues Incomplete

            you got:

            Additional Certificates (if supplied)
            Certificates provided 3 (4727 bytes)
            Chain issues None
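The SSL Labs result above (one certificate served, “Chain issues: Incomplete”) is the classic cause of a cert that is trusted on a desktop with cached intermediates but rejected on a phone. The script below is an added example, not from the post or its comments: it rebuilds the PKCS#12 file with the leaf plus the CA’s intermediate bundle, re-runs the same keytool import quoted in the thread, and repacks cert.tar so the reboot-time check described earlier finds the new files. The keystore path, alias and password are the ones quoted in the thread; the file names cloudkey.crt, cloudkey.key and intermediate.crt inside /etc/ssl/private are assumptions.

```shell
#!/bin/sh
# Added example (not from the blog post or its comments). Rebuilds the Cloud Key
# keystore so the server sends the full chain (leaf + intermediates), which is
# what makes SSL Labs report "Chain issues: None" instead of "Incomplete".
# Paths, alias and password are those quoted in the thread; the names
# cloudkey.crt, cloudkey.key and intermediate.crt are assumptions.
set -eu

PRIV=/etc/ssl/private
KEYSTORE=/usr/lib/unifi/data/keystore
PASS=aircontrolenterprise
ALIAS=unifi

# Count PEM certificate blocks in a file. A public HTTPS endpoint should
# present more than one (leaf plus intermediates); SSL Labs checks exactly this.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Concatenate leaf and intermediate bundle into fullchain.pem and refuse to
# continue if the result would still be a single certificate.
build_fullchain() {
  leaf=$1; intermediates=$2; out=$3
  cat "$leaf" "$intermediates" > "$out"
  n=$(count_certs "$out")
  if [ "${n:-0}" -lt 2 ]; then
    echo "fullchain has only ${n:-0} certificate(s); chain would be incomplete" >&2
    return 1
  fi
  return 0
}

install_chain() {
  build_fullchain "$PRIV/cloudkey.crt" "$PRIV/intermediate.crt" "$PRIV/fullchain.pem"
  # Wrap key + full chain into PKCS#12 under the alias/password the UniFi service expects.
  openssl pkcs12 -export -in "$PRIV/fullchain.pem" -inkey "$PRIV/cloudkey.key" \
    -out "$PRIV/cloudkey.p12" -name "$ALIAS" -passout "pass:$PASS"
  # Same import as in the thread, made non-interactive (-noprompt overwrites the alias).
  keytool -importkeystore -noprompt -deststorepass "$PASS" -destkeypass "$PASS" \
    -destkeystore "$KEYSTORE" -srckeystore "$PRIV/cloudkey.p12" \
    -srcstoretype PKCS12 -srcstorepass "$PASS" -alias "$ALIAS"
  # Repack cert.tar so the reboot-time comparison finds the new files and does
  # not restore the self-signed "San Jose" certificate.
  (cd "$PRIV" && tar cf cert.tar cloudkey.crt cloudkey.key fullchain.pem cloudkey.p12)
  /etc/init.d/nginx restart && /etc/init.d/unifi restart
}

if [ "${1:-}" = install ]; then install_chain; fi
```

Run it as `sh fix-chain.sh install` on the Cloud Key after placing the CA’s intermediate bundle in /etc/ssl/private, then re-run the SSL Labs test to confirm the chain is complete.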

  • Felix Nielsen

    awesome post 🙂 – thanks