kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License

[FEATURE] Update Guest Portal Certificate Keystore - updated code below works #45

Closed (Rosco1014 closed this issue 1 year ago)

Rosco1014 commented 2 years ago

This process works great for updating the SSL cert served when accessing the UDM pro admin interface, however, it does not update the Guest Portal. This cert is stored as a keystore and you need to run two additional commands to first create the pkcs12 and then use that to import via keytool.

```sh
# Bundle the deployed cert and key as PKCS#12, then import that bundle into the
# UniFi keystore (alias "unifi", default keystore password).
podman exec unifi-os openssl pkcs12 -export -in ${UBIOS_CERT_PATH}/unifi-core.crt -inkey ${UBIOS_CERT_PATH}/unifi-core.key -out ${UBIOS_CERT_PATH}/unifi.p12 -name unifi -caname root -passin pass:aircontrolenterprise -passout pass:aircontrolenterprise
podman exec unifi-os keytool -noprompt -importkeystore -srckeystore ${UBIOS_CERT_PATH}/unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise
```

The new deploy_cert() function looks like:

```sh
deploy_cert() {
	# Re-write CERTNAME if it is a wildcard cert. Replace * with _
	LEGO_CERT_NAME=${CERTNAME/\*/_}
	if [ "$(find -L "${UDM_LE_PATH}"/lego -type f -name "${LEGO_CERT_NAME}".crt -mmin -5)" ]; then
		echo 'New certificate was generated, time to deploy it'

		# Controller certificate
		cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.crt ${UBIOS_CERT_PATH}/unifi-core.crt
		cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.key ${UBIOS_CERT_PATH}/unifi-core.key
		chmod 644 ${UBIOS_CERT_PATH}/unifi-core.*

		# Captive portal keystore: bundle cert + key as PKCS#12, then import the bundle
		podman exec unifi-os openssl pkcs12 -export -in ${UBIOS_CERT_PATH}/unifi-core.crt -inkey ${UBIOS_CERT_PATH}/unifi-core.key -out ${UBIOS_CERT_PATH}/unifi.p12 -name unifi -caname root -passin pass:aircontrolenterprise -passout pass:aircontrolenterprise
		podman exec unifi-os keytool -noprompt -importkeystore -srckeystore ${UBIOS_CERT_PATH}/unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise

		NEW_CERT="yes"
	else
		echo 'No new certificate was found, exiting without restart'
	fi
}
```

kchristensen commented 2 years ago

Seems like a great addition, how would you feel about opening a PR with these changes?

Rosco1014 commented 2 years ago

I clicked Pull Requests and tried to create a new one, but the button was greyed out. Not sure how to do that here...

kchristensen commented 2 years ago

Reading this now that I'm actually awake, aren't we already supporting this for the Guest portal via:

https://github.com/kchristensen/udm-le/blob/main/udm-le.sh#L13-L18
https://github.com/kchristensen/udm-le/blob/main/udm-le.env#L66

I believe by "Guest Portal" you mean the Captive Portal, which we added support for in this PR: https://github.com/kchristensen/udm-le/pull/8

I could be mistaken as I don't actually run a guest portal so let me know if that's the case!

kchristensen commented 2 years ago

I did some additional work that touches this in this PR: https://github.com/kchristensen/udm-le/pull/46, so my line numbers may not line up but I'd suggest updating your installation and setting ENABLE_CAPTIVE='yes' in the udm-le.env.

Rosco1014 commented 2 years ago

Even if you're not using it, you can still preview the captive portal login page by visiting this URL: https://udm-pro-URL:8843/guest/s/default/#/

It's not documented well at all on the Unifi side, but the actual captive portal SSL cert is updated/housed in a keystore. I believe there's a redirector for the portal, as well as the portal's captive portal login page.

Maybe you can make more sense of this than me, there's actually 3 SSL cert locations to cover the entire device.

UDM Pro SSL Cert locations:

UDM Pro:
/mnt/data/unifi-os/unifi-core/config/unifi-core.crt
/mnt/data/unifi-os/unifi-core/config/unifi-core.key

Guest Network/Redirectors (I believe this is overwritten upon reboot/upgrade):
/mnt/data/system/ssl/private/redirector/server.crt
/mnt/data/system/ssl/private/redirector/server.key

Keystore (captive portal login page https://udm-pro-URL:8843/guest/s/default/#/):
/mnt/data/unifi-os/unifi/data/keystore

kchristensen commented 2 years ago

Ok, so I think the other PR I was referencing DOES do what you're after, but I'll let you verify. Basically, it runs java -jar /usr/lib/unifi/lib/ace.jar import_key_cert which I think is doing what you're doing here with those two separate java commands.

I think it works because I have ENABLE_CAPTIVE='yes' in my udm-le.env file and I have a valid SSL certificate at: https://udm-pro-URL:8843/guest/s/default/#/

Did you previously have ENABLE_CAPTIVE set in your env file? If not, try setting that and running a udm-le.sh initial to force a new certificate and see if the issuance times match up?

If not I'll dig in some more but I think java -jar /usr/lib/unifi/lib/ace.jar import_key_cert is just some kind of built in java helper nonsense to simplify the importation of the cert.

Rosco1014 commented 2 years ago

I was trying to validate this a bit more but the LE SSL cert service is ironically down lol... I'll report back later, thanks for sticking with this and all your time for this project!

martintoreilly commented 2 years ago

@Rosco1014 Does everything work for you with ENABLE_CAPTIVE='yes'? I've got a Let's Encrypt SSL cert installed by udm-le with ENABLE_CAPTIVE='yes' and I see the Let's Encrypt cert at all the following locations, all surviving a power cycle reboot of the UDM (mine's the base model, not the pro).

I don't see where the copies of the cert+key in /mnt/data/system/ssl/private/redirector/ are set explicitly in udm-le.sh. Perhaps they are copied from /mnt/data/unifi-os/unifi-core/config/ on service or device restart? I've recently updated the keystore to have only the server certificate rather than the full chain bundle that includes the LE CA certs, and this has not resulted in the cert at /mnt/data/system/ssl/private/redirector/ changing, so it doesn't seem to be copied from the keystore (though I've only restarted the unifi services, not the device itself).
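Both the PKCS#12 export step in Rosco1014's deploy_cert() above and martintoreilly's question of which of the three locations actually change after a renewal come down to one check: is the same certificate present everywhere, and is it the one the admin UI on :443 and the captive portal on :8843 actually serve? The script below is an added example, not udm-le's code and not something posted by anyone in this thread. It assumes the host paths listed earlier in the thread, the keystore alias "unifi" and password "aircontrolenterprise" quoted above (UniFi's defaults), openssl on PATH, and keytool only optionally (on the UDM it lives inside the unifi-os container, so the keystore line is reported as unreadable when run on the host).

```shell
#!/bin/sh
# Added example, not code from udm-le or from anyone in this thread.
# Reports whether the certificate at every location named in the thread is the
# same one, so a renewal that reached unifi-core.crt but not the captive portal
# keystore (or one the running service has not yet reloaded) is caught before
# the portal on :8843 starts serving an expired certificate.
#
# Assumptions: host paths as listed in this thread; keystore alias "unifi" and
# password "aircontrolenterprise" (UniFi defaults quoted above); openssl on
# PATH; keytool optional.

KEYSTORE_PASS="${KEYSTORE_PASS:-aircontrolenterprise}"

# SHA-256 fingerprint of a PEM certificate file: 64 upper-case hex characters.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2 | tr -d ':'
}

# Fingerprint of the leaf certificate inside a PKCS#12 bundle ($1) protected by
# password $2, i.e. the file the "openssl pkcs12 -export" step above produces.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2 | tr -d ':'
}

# Fingerprint of alias $2 in Java keystore $1; empty if keytool is absent or
# the alias does not exist.
keystore_fingerprint() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -list -v -keystore "$1" -storepass "$KEYSTORE_PASS" -alias "$2" 2>/dev/null \
        | sed -n 's/.*SHA256: //p' | head -n 1 | tr -d ':'
}

# Fingerprint of the certificate a live TLS endpoint (host:port) presents.
served_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2 | tr -d ':'
}

# Takes "label=fingerprint" pairs; the first pair is the reference. Prints each
# location that differs from it or could not be read; returns 1 if any did.
check_in_sync() {
    ref="${1#*=}"
    status=0
    for pair in "$@"; do
        label="${pair%%=*}"
        fp="${pair#*=}"
        if [ -z "$fp" ]; then
            echo "UNREADABLE $label"
            status=1
        elif [ "$fp" != "$ref" ]; then
            echo "MISMATCH $label: $fp (reference $ref)"
            status=1
        fi
    done
    return $status
}

# Audit the three on-disk locations from this thread plus what :443 and :8843
# really serve. Run on the UDM as: sh cert-audit.sh audit
audit() {
    UBIOS_CERT_PATH="${UBIOS_CERT_PATH:-/mnt/data/unifi-os/unifi-core/config}"
    check_in_sync \
        "unifi-core.crt=$(pem_fingerprint "$UBIOS_CERT_PATH/unifi-core.crt")" \
        "redirector=$(pem_fingerprint /mnt/data/system/ssl/private/redirector/server.crt)" \
        "keystore=$(keystore_fingerprint /mnt/data/unifi-os/unifi/data/keystore unifi)" \
        "admin:443=$(served_fingerprint 127.0.0.1:443)" \
        "portal:8843=$(served_fingerprint 127.0.0.1:8843)"
}

case "${1:-}" in
    audit) audit ;;
esac
```

Reading the output: a MISMATCH on keystore means the import step never ran or imported an older bundle; a matching keystore with a MISMATCH on portal:8843 means the files are right but the running service has not reloaded them, which is the situation the later comments resolve with a reboot or service restart. A non-zero exit status makes the script usable as a post-renewal check in cron or a monitoring probe.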

kchristensen commented 1 year ago

Closing this out -- the latest release does have captive portal support. Please test that out and open a new issue if there are issues.

KarlBaumann commented 11 months ago

This still does not seem to work, or maybe I am doing something wrong. I did set ENABLE_CAPTIVE to "yes". Then I did run udm-le.sh initial, and afterwards also udm-le.sh update_keystore.

And the certificate on the "https://domain.com:8843/guest/s/default/#/" is still not changed.

KarlBaumann commented 11 months ago

Update: it looks like a reboot was necessary.

kchristensen commented 11 months ago

I imagine there’s some service that needs to get bounced in order for it to take effect, what that is however I am unsure.

joshrivers commented 11 months ago

@KarlBaumann @kchristensen I was in the same boat, where the cert did not change. systemctl restart unifi caused it to reload correctly. (I'm not sure if there's a better way than bouncing the whole Network service)

ermanno00 commented 2 months ago

@KarlBaumann @kchristensen I was in the same boat, where the cert did not change. systemctl restart unifi caused it to reload correctly. (I'm not sure if there's a better way than bouncing the whole Network service)

Have you solved it?