alxwolf / ubios-cert

Manage SSL / TLS certificates with acme.sh (Let's Encrypt, ZeroSSL) for Ubiquiti UbiOS firmwares
MIT License

UNVR Support #55

Closed ther3zz closed 1 year ago

ther3zz commented 1 year ago

Does anyone know if this will work on the UNVR? It would be cool to be able to set an SSL cert on this device as well. Seems like it runs as its own instance in the unifi ecosystem.

alxwolf commented 1 year ago

This is a theoretical approach as I don't own a UniFi NVR to be able to check.

Looking at this page, it appears that certificate locations on UNVR are the same as on UDM. So that should work.

The only step left is to issue a systemctl restart unifi-protect command, which the script currently does not do (or reboot the device, which we want to avoid to not interrupt network connection).

So you could try deploying the script on UNVR with a manual restart of device or service - if it does not work just trash the /data/ubios-cert/ folder and delete the LE .crt and .key in /data/unifi-core/config. They will be re-created on next reboot (with standard UniFi self-signed cert) if the files don't exist.

ther3zz commented 1 year ago

> This is a theoretical approach as I don't own a UniFi NVR to be able to check.
>
> Looking at this page, it appears that certificate locations on UNVR are the same as on UDM. So that should work.
>
> The only step left is to issue a systemctl restart unifi-protect command, which the script currently does not do (or reboot the device, which we want to avoid to not interrupt network connection).
>
> So you could try deploying the script on UNVR with a manual restart of device or service - if it does not work just trash the /data/ubios-cert/ folder and delete the LE .crt and .key in /data/unifi-core/config. They will be re-created on next reboot (with standard UniFi self-signed cert) if the files don't exist.

So close! Once I run "./deploy.sh" I receive the following errors:

./deploy.sh: 6: ubnt-device-info: not found
./deploy.sh: 8: ubnt-device-info: not found
./deploy.sh: 20: [: -gt: unexpected operator
Unsupported firmware:

alxwolf commented 1 year ago

Well, UNVR is not foreseen in this script, and the device seems to lack at least one required command.

Does the UNVR have a /data directory? At your own risk (if it goes wrong, it should not break "too much" - if anything), you could manually run these commands to achieve deployment:

set -e
DATA_DIR=/data
SCRIPT_DIR=$(dirname "${0}")
# Look up the tarball URL of the latest acme.sh release via the GitHub API
ACME_URL=$(curl -s https://api.github.com/repos/acmesh-official/acme.sh/releases/latest | grep tarball_url | awk '{ print $2 }' | sed 's/,$//' | sed 's/"//g')
# Download and unpack acme.sh into the ubios-cert folder
curl -L "${ACME_URL}" > acmesh.tar.gz
mkdir -p "${SCRIPT_DIR}/ubios-cert/acme.sh"
tar -xvf acmesh.tar.gz --directory="${SCRIPT_DIR}/ubios-cert/acme.sh" --strip-components=1
chmod +x "${SCRIPT_DIR}/ubios-cert/ubios-cert.sh"
# Move everything to the persistent data directory and clean up
mv "${SCRIPT_DIR}/ubios-cert/" "${DATA_DIR}/ubios-cert/"
rm -rf "${SCRIPT_DIR}/../ubios-cert-main" ~/ubios-cert.zip
echo "Deployed with success in ${DATA_DIR}/ubios-cert"
cd "${DATA_DIR}/ubios-cert"

That is the bare minimum to grab acme.sh and put everything in its place.

ther3zz commented 1 year ago

> Well, UNVR is not foreseen in this script, and the device seems to lack at least one required command.
>
> Does the UNVR have a /data directory? At your own risk (if it goes wrong, it should not break "too much" - if anything), you could manually run these commands to achieve deployment:
>
> set -e
> DATA_DIR=/data
> SCRIPT_DIR=$(dirname "${0}")
> # Look up the tarball URL of the latest acme.sh release via the GitHub API
> ACME_URL=$(curl -s https://api.github.com/repos/acmesh-official/acme.sh/releases/latest | grep tarball_url | awk '{ print $2 }' | sed 's/,$//' | sed 's/"//g')
> # Download and unpack acme.sh into the ubios-cert folder
> curl -L "${ACME_URL}" > acmesh.tar.gz
> mkdir -p "${SCRIPT_DIR}/ubios-cert/acme.sh"
> tar -xvf acmesh.tar.gz --directory="${SCRIPT_DIR}/ubios-cert/acme.sh" --strip-components=1
> chmod +x "${SCRIPT_DIR}/ubios-cert/ubios-cert.sh"
> # Move everything to the persistent data directory and clean up
> mv "${SCRIPT_DIR}/ubios-cert/" "${DATA_DIR}/ubios-cert/"
> rm -rf "${SCRIPT_DIR}/../ubios-cert-main" ~/ubios-cert.zip
> echo "Deployed with success in ${DATA_DIR}/ubios-cert"
> cd "${DATA_DIR}/ubios-cert"
>
> That is the bare minimum to grab acme.sh and put everything in its place.

Yup, /data does exist. I'll run the above and will report back!

ther3zz commented 1 year ago

OK, so it looks like using the modified deploy script worked, but the ./ubios-cert.sh initial command failed with the same unsupported firmware error.

I'll take a stab at it now to see if I can remove the firmware check.

ther3zz commented 1 year ago

IS_UNIFI_2='false'
# Major firmware version = text before the first dot
if [ $(ubnt-device-info firmware | sed 's#\..*$##g' || true) -gt 1 ]
then
    IS_UNIFI_2='true'
else
    echo "Unsupported firmware: ${FIRMWARE_VER}"
    exit 1
fi

I've commented this out from the ubios-cert.sh script and ran with the initial param and it worked!

I actually didn't even need to restart protect or unifi-core, looks like the script handled all of it.

Thanks for your help @alxwolf !
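
Added example, not part of the thread or of ubios-cert's own code: the "unexpected operator" error above comes from a check that assumes `ubnt-device-info` exists and prints a dotted version. The sketch below is the same "major version greater than 1" gate, written to fail with a clear message instead; the function names `fw_major`, `fw_supported`, `check_firmware` and the sample version strings are made up for illustration.

```shell
#!/bin/sh
# Added example (not from ubios-cert): a firmware gate that rejects cleanly
# when the version string is empty or not numeric.

# fw_major VERSION: print the major version, or return 1 if VERSION
# does not start with a plain number (empty output, error text, ...).
fw_major() {
    major=${1%%.*}                 # drop everything from the first dot
    case "$major" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    printf '%s\n' "$major"
}

# fw_supported VERSION: 0 if the major version is greater than 1
# (the condition used in the check quoted above), 1 otherwise.
fw_supported() {
    major=$(fw_major "$1") || return 1
    [ "$major" -gt 1 ]
}

# check_firmware: hypothetical wrapper that reads the version from the
# device tool and distinguishes "tool missing" from "version too old".
check_firmware() {
    if ! command -v ubnt-device-info >/dev/null 2>&1; then
        echo "ubnt-device-info not found; cannot determine firmware" >&2
        return 2
    fi
    ver=$(ubnt-device-info firmware 2>/dev/null || true)
    if ! fw_supported "$ver"; then
        echo "Unsupported firmware: '${ver}'" >&2
        return 1
    fi
}

# Constructed sample values, including the empty output seen when the
# command is missing.
for v in "2.4.27" "1.12.33" "" "not found"; do
    if fw_supported "$v"; then
        echo "'$v': supported"
    else
        echo "'$v': rejected"
    fi
done
```

A caller can branch on the return code of `check_firmware` (2 for a missing tool, 1 for an old or unreadable version) rather than removing the check.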