Art-of-WiFi / UniFi-API-client

A PHP API client class to interact with Ubiquiti's UniFi Controller API
MIT License

Cloud Key Remote Authentication returns false #150

Closed julius-gitonga closed 2 years ago

julius-gitonga commented 2 years ago

I am creating a web service based on the Unifi-API-client and slim3, but I am unable to log in to the cloud key controller from outside the network. It responds with 'false'. Kindly assist.

//Cloud Key Object
'cloudkey'=>[
    'controlleruser'=>'',
    'controllerpassword'=>'',
    'controllerurl' => 'https://unifi.ui.com',
    'controllerversion'=>'6.5.55.0'
],

//Login Function
public function login(Request $request, Response $response, $args){
    // Check and read the same route argument (the original tested 'id' but read 'siteid')
    $siteid = !empty($args['siteid']) ? $args['siteid'] : 'Default';
    // The last constructor argument (false) disables SSL certificate verification
    $unifi_connection = new Client(
        $this->cloudkey['controlleruser'],
        $this->cloudkey['controllerpassword'],
        $this->cloudkey['controllerurl'],
        $siteid,
        $this->cloudkey['controllerversion'],
        false
    );

    return $response->withJson($unifi_connection->login());
}

malle-pietje commented 2 years ago

The API client requires direct access with a local account as explained here: https://github.com/Art-of-WiFi/UniFi-API-client#requirements

julius-gitonga commented 2 years ago

Thanks @malle-pietje, I am using a user with local access. See the debug log below:

false

-----------LOGIN-------------
Array
(
    [url] => https://unifi.ui.com/api/login
    [content_type] => text/html
    [http_code] => 403
    [header_size] => 317
    [request_size] => 184
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0.011902
    [namelookup_time] => 3.9E-5
    [connect_time] => 3.9E-5
    [pretransfer_time] => 0.00013
    [size_upload] => 52
    [size_download] => 1053
    [speed_download] => 95727
    [speed_upload] => 4727
    [download_content_length] => 1053
    [upload_content_length] => 52
    [starttransfer_time] => 0.000133
    [redirect_time] => 0
    [redirect_url] => 
    [primary_ip] => 52.84.102.24
    [certinfo] => Array
        (
        )

    [primary_port] => 443
    [local_ip] => 192.168.100.51
    [local_port] => 58718
    [http_version] => 3
    [protocol] => 2
    [ssl_verifyresult] => 0
    [scheme] => HTTPS
    [appconnect_time_us] => 40
    [connect_time_us] => 39
    [namelookup_time_us] => 39
    [pretransfer_time_us] => 130
    [redirect_time_us] => 0
    [starttransfer_time_us] => 133
    [total_time_us] => 11902
)

----------RESPONSE-----------
HTTP/2 403
server: CloudFront
date: Sat, 19 Mar 2022 18:32:49 GMT
content-type: text/html
content-length: 1053
x-cache: Error from cloudfront
via: 1.1 343d4fe0c49779d57600253095f9f7e4.cloudfront.net (CloudFront)
x-amz-cf-pop: NBO50-C1
x-amz-cf-id: cAd2eBqw78AJfUgQMf_6a-nhLpcpy5BUEVudeco4MJNg0QNQJ279qg==

ERROR: The request could not be satisfied

403 ERROR

The request could not be satisfied.


This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

Generated by cloudfront (CloudFront)
Request ID: cAd2eBqw78AJfUgQMf_6a-nhLpcpy5BUEVudeco4MJNg0QNQJ279qg==
-----------------------------

thib3113 commented 2 years ago

@julius-gitonga I think the problem is that you are trying to connect to unifi.ui.com and not directly to your local UniFi :). Use the unifi domain or the cloud key IP.

julius-gitonga commented 2 years ago

Thanks @thib3113. I have obtained the cloud key IP from the debug terminal as explained at https://community.ui.com/questions/How-to-find-the-Public-IP-Address-of-a-remote-UNIFI-Cloud-Key-Controler/02402b38-ce5d-4949-bc52-539fe81e9d26 but I am still not able to connect. My guess is that port 8443 is not allowed on unifi.ui.com. Is there a workaround for this?

thib3113 commented 2 years ago

@julius-gitonga no ... you don't understand ...

I think you need to set controllerurl to the cloud key IP (to get it, check on your local network, or how you configured it; maybe a domain unifi that points to it?).

And so, the API client will talk directly with the cloud key ...

In fact, talking to unifi.ui.com is not easy for an API client, and it's not really a good idea for a simple project. (It needs to keep the password secret, or to manage the OTP, and the profile will be accessible to everyone, so you need to use a really strong security policy.)

julius-gitonga commented 2 years ago

@thib3113 I have set the controllerurl to the cloud key IP. I am creating a REST API to access the UniFi network controller remotely via the API client. So will it be possible to connect to the cloud key from a server located outside the network?

thib3113 commented 2 years ago

Directly to the cloud key? I think you can do it with a VPN, or things like that :).

I didn't recommend exposing the cloud key outside.

julius-gitonga commented 2 years ago

Thanks @thib3113. Let me keep trying. I am only exposing select endpoints via a REST API.

thib3113 commented 2 years ago

@julius-gitonga yes, just please check all the data you are sending ... the UniFi controller sends some really critical information (like some passwords in clear / secret keys ...).
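
One way to act on the advice above when re-exposing controller data through a REST API, as an added example that is not part of the original thread or of UniFi-API-client: copy only allow-listed fields into the response, then refuse to send anything whose keys still look like credentials. The helper names `project_records` and `assert_no_secret_keys`, the key pattern, and the sample record's field names and values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of UniFi-API-client): copy only allow-listed
// fields from controller records into the payload that leaves the service.
function project_records(array $records, array $allowedFields): array
{
    $out = [];
    foreach ($records as $record) {
        // Records may arrive as stdClass objects; normalise them to arrays.
        $row = is_object($record) ? get_object_vars($record) : (array) $record;
        $out[] = array_intersect_key($row, array_flip($allowedFields));
    }
    return $out;
}

// Second line of defence: throw if any key, at any depth, looks like a
// credential. This catches an allow-list that was written too broadly.
function assert_no_secret_keys(array $payload, string $path = ''): void
{
    foreach ($payload as $key => $value) {
        $here = $path . '/' . $key;
        if (is_string($key) && preg_match('/pass|secret|psk|token|key$/i', $key)) {
            throw new RuntimeException("refusing to expose field {$here}");
        }
        if (is_object($value)) {
            $value = get_object_vars($value);
        }
        if (is_array($value)) {
            assert_no_secret_keys($value, $here);
        }
    }
}

// Constructed sample shaped like a WLAN record; the field names and values
// are assumptions for illustration, not captured controller output.
$records = [
    (object) ['name' => 'office', 'enabled' => true, 'security' => 'wpapsk',
              'x_passphrase' => 'EXAMPLE-ONLY'],
];

$safe = project_records($records, ['name', 'enabled', 'security']);
assert_no_secret_keys($safe);   // passes: the passphrase field was dropped
echo json_encode($safe), PHP_EOL;
```

In a Slim handler like the one in the question, `$safe` is what would be passed to `$response->withJson()` instead of the raw client result.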