Closed jonathann92 closed 10 months ago
Hi, thanks for your efforts.
I'd like to have a look into this first, but won't be able to check this over the next days.
I found one hint pointing in the direction of -direct being the certificate used by UI itself for access via unifi.ui.com.
Still, it's not clear for me what a certificate could possibly have to do with DNS resolution ;) but if it works for you, it works for you!
OK, did a quick check and hope nothing breaks:
For me, only the -direct.key file gets recreated, not -direct.crt, after service restart and device reboot. But, everything (checked so far) works fine.
@jonathann92 so yes, I'm happy if you create a PR on that as this looks like something not required to work properly.
@alxwolf the direct.crt was created for me after I went to the console in my browser. Try checking if the direct.crt is created after that.
Still, it's not clear for me what a certificate could possibly have to do with DNS resolution
I'm not sure what it has to do with it either. I was thinking about submitting a request to the community but that would take a while.
Did you find similar behavior where the UDM was resolving all queries to mydomain.com to the gateway when copying over the direct .crt and .key?
@bfayers I saw PR #41 updated the permissions of the direct.key to 644. I’m not sure how the direct.key is used but it seems to have affected evostreams and RTSP. Do you know what the direct .crt and .key are used for? Could I also ask you to test this on your UDM?
@alxwolf I opened #57. Let's try to wait and see if bfayers responds and is able to test before we merge. I don't want to break someone else's functionality.
I can't understand how a cert could, would or should affect DNS resolution (and it doesn't affect mine -- are you using a wildcard cert? I'm not.)
As for the permissions of the keys from my PR, I simply copied the permissions that unifi uses for the default, self-signed ones. Without those permissions it'd break evostreams and thus the RTSP feeds out of the UDM for use by other things.
I will say I don't think not replacing unifi's default self signed keys there would cause any issues -- so long as the webui still gets the LE cert I don't mind!
Agree. Merged the PR so the -direct certs are no longer touched. Let's see if this breaks anything (I doubt it...) - we will know at the latest 60 days after the next renewal...
Honestly I don’t understand why it would either. I can try playing around later with 2 different domains and use one with the regular and the second with the direct cert.
I am using a wildcard cert so I’m passing this to the .env file: `*.mydomain.com,mydomain.com`
Issue

When I use the ubios-cert.sh script to generate and deploy a cert for `mydomain.com`, I noticed that sometime after 10-30 minutes all my DNS queries point to the default network's gateway's IP address. This results in my browser going to the unifi console login. This is happening for any wildcard `*.mydomain.com` as well. I set the DNS settings to Auto for my `Internet -> Primary (WAN1)` network and all my internal networks as well.

What I found that resolved the issue for me

In the ubios-cert.sh file I commented out the lines that created the unifi-core-direct.crt and unifi-core-direct.key files. When the unifi-core service restarted I noticed that the `unifi-core-direct.crt` and `unifi-core-direct.key` were automatically created anyway. I noticed that if I remove them and restart the unifi-core service, the `unifi-core-direct.crt`'s subject is changed to `<string of hex characters>.id.ui.direct`. I inspected the cert by using `openssl x509 -noout -text -in unifi-core-direct.crt`.

The lines that I commented out:

Question

Is it okay if I make a PR to remove these lines? Or should I raise this issue on the unifi community forums?

UDM Info

Model: UDM Pro
UniFi OS UDM Pro: v3.0.20
Network: 7.4.156