Closed Rosco1014 closed 1 year ago
Seems like a great addition, how would you feel about opening a PR with these changes?
I clicked Pull Requests and tried to create a new one, but the button was greyed out. Not sure how to do that here...
Reading this now that I'm actually awake, aren't we already supporting this for the Guest portal via:
https://github.com/kchristensen/udm-le/blob/main/udm-le.sh#L13-L18 https://github.com/kchristensen/udm-le/blob/main/udm-le.env#L66
I believe by "Guest Portal" you mean the Captive Portal, which we added support for in this PR: https://github.com/kchristensen/udm-le/pull/8
I could be mistaken as I don't actually run a guest portal so let me know if that's the case!
I did some additional work that touches this in this PR: https://github.com/kchristensen/udm-le/pull/46, so my line numbers may not line up, but I'd suggest updating your installation and setting ENABLE_CAPTIVE='yes' in the udm-le.env.
Even if you're not using it, you can still preview the captive portal login page by visiting this URL: https://udm-pro-URL:8843/guest/s/default/#/
It's not documented well at all on the Unifi side, but the actual captive portal SSL cert is updated/housed in a keystore. I believe there's a redirector for the portal, as well as the portal's captive portal login page.
Maybe you can make more sense of this than me; there are actually 3 SSL cert locations to cover the entire device.
UDM Pro SSL cert locations:
UDM Pro:
/mnt/data/unifi-os/unifi-core/config/unifi-core.crt
/mnt/data/unifi-os/unifi-core/config/unifi-core.key
Guest Network/Redirectors (I believe this is overwritten upon reboot/upgrade):
/mnt/data/system/ssl/private/redirector/server.crt
/mnt/data/system/ssl/private/redirector/server.key
Keystore (captive portal login page https://udm-pro-URL:8843/guest/s/default/#/):
/mnt/data/unifi-os/unifi/data/keystore
Ok, so I think the other PR I was referencing DOES do what you're after, but I'll let you verify. Basically, it runs java -jar /usr/lib/unifi/lib/ace.jar import_key_cert, which I think is doing what you're doing here with those two separate java commands.
I think it works because I have ENABLE_CAPTIVE='yes' in my udm-le.env file and I have a valid SSL certificate at: https://udm-pro-URL:8843/guest/s/default/#/
Did you previously have ENABLE_CAPTIVE set in your env file? If not, try setting that and running a udm-le.sh initial to force a new certificate and see if the issuance times match up?
If not I'll dig in some more, but I think java -jar /usr/lib/unifi/lib/ace.jar import_key_cert is just some kind of built-in java helper nonsense to simplify the importation of the cert.
I was trying to validate this a bit more but the LE SSL cert service is ironically down lol... I'll report back later, thanks for sticking with this and all your time for this project!
@Rosco1014 Does everything work for you with ENABLE_CAPTIVE='yes'? I've got a Let's Encrypt SSL cert installed by udm-le with ENABLE_CAPTIVE='yes' and I see the Let's Encrypt cert at all the following locations, all surviving a power cycle reboot of the UDM (mine's the base model, not the pro).
/mnt/data/unifi-os/unifi-core/config/unifi-core.crt and /mnt/data/unifi-os/unifi-core/config/unifi-core.key
/mnt/data/system/ssl/private/redirector/server.crt and /mnt/data/system/ssl/private/redirector/server.key
/mnt/data/unifi-os/unifi/data/keystore
I don't see where the copies of the cert+key in /mnt/data/system/ssl/private/redirector/ are set explicitly in udm-le.sh. Perhaps they are copied from /mnt/data/unifi-os/unifi-core/config/ on service or device restart? I've recently updated the keystore to have only the server certificate rather than the full chain bundle that includes the LE CA certs, and this has not resulted in the cert at /mnt/data/system/ssl/private/redirector/ changing, so it doesn't seem to be copied from the keystore (though I've only restarted the unifi services, not the device itself).
Closing this out -- the latest release does have captive portal support. Please test that out and open a new issue if there are issues.
This still does not seem to work or maybe I am doing something wrong.
I did set the ENABLE_CAPTIVE to "yes"
Then I ran udm-le.sh initial
and afterwards also udm-le.sh update_keystore.
And the certificate on "https://domain.com:8843/guest/s/default/#/" still has not changed.
Update: it looks like a reboot was necessary.
I imagine there’s some service that needs to get bounced in order for it to take effect, what that is however I am unsure.
@KarlBaumann @kchristensen I was in the same boat, where the cert did not change. systemctl restart unifi caused it to reload correctly. (I'm not sure if there's a better way than bouncing the whole Network service.)
Have you solved it?
This process works great for updating the SSL cert served when accessing the UDM pro admin interface, however, it does not update the Guest Portal. This cert is stored as a keystore and you need to run two additional commands to first create the pkcs12 and then use that to import via keytool.
The new deploy_cert() function looks like:
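The deploy_cert() from the post is not reproduced on this page. What follows is an added example (not the issue author's function and not udm-le's own code) of the two-step route the post describes: bundle the PEM cert and key into a PKCS12 with openssl, then import that into the UniFi Network keystore with keytool, and finally check that the keystore really holds the cert you think it does. The keystore path is the one quoted in the thread; the alias "unifi" and password "aircontrolenterprise" are assumptions (the usual UniFi defaults) that you should confirm on your own device; the SHA1/3DES PBE choice is an assumption made so the bundle is readable by older Java versions.

```shell
#!/bin/sh
# Added example, not udm-le's code: load a PEM cert + key into the UniFi
# Network keystore that serves the captive portal on :8843, via a PKCS12
# intermediate, then verify the result by certificate fingerprint.
#
# Assumptions (verify on your device before relying on them):
#   KEYSTORE : the keystore path quoted in the thread
#   ALIAS    : "unifi"  (assumed UniFi default)
#   PASS     : "aircontrolenterprise"  (assumed UniFi default)
#   openssl and keytool are on PATH (keytool ships with the UniFi JRE)
set -eu

KEYSTORE="${KEYSTORE:-/mnt/data/unifi-os/unifi/data/keystore}"
ALIAS="${ALIAS:-unifi}"
PASS="${PASS:-aircontrolenterprise}"

# SHA-256 fingerprint of a PEM certificate, printed as "AA:BB:..." only.
cert_fingerprint() {   # cert_fingerprint cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step 1: bundle cert + key into a PKCS12 under the keystore alias/password.
# SHA1/3DES PBE is chosen (assumption) so that an older Java, like the one on
# the UDM, can read the bundle; OpenSSL 3 still has 3DES in its default provider.
make_pkcs12() {   # make_pkcs12 cert.pem key.pem out.p12
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name "$ALIAS" -passout "pass:$PASS" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Fingerprint of the leaf certificate inside a PKCS12 built by make_pkcs12.
pkcs12_fingerprint() {   # pkcs12_fingerprint bundle.p12
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$PASS" \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step 2: replace the alias in the keystore with the PKCS12 contents. The old
# entry is deleted first so -importkeystore does not refuse to overwrite it;
# a missing entry (fresh keystore) is not an error.
import_keystore() {   # import_keystore bundle.p12 [keystore]
    ks="${2:-$KEYSTORE}"
    keytool -delete -alias "$ALIAS" -keystore "$ks" -storepass "$PASS" \
        >/dev/null 2>&1 || true
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$PASS" -srcalias "$ALIAS" \
        -destkeystore "$ks" -deststorepass "$PASS" -destalias "$ALIAS" -destkeypass "$PASS" \
        >/dev/null
}

# Fingerprint of the entry the keystore now holds under ALIAS, as keytool reports it.
keystore_fingerprint() {   # keystore_fingerprint [keystore]
    keytool -list -v -keystore "${1:-$KEYSTORE}" -storepass "$PASS" -alias "$ALIAS" 2>/dev/null \
        | grep 'SHA256:' | head -n 1 | sed 's/.*SHA256: *//'
}

# Fingerprint of whatever a live listener actually serves, e.g. after
# "systemctl restart unifi": served_fingerprint udm-pro-URL 8843
served_fingerprint() {   # served_fingerprint host port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Full deploy: bundle, import, then compare the keystore entry against the PEM
# on disk. Prints the fingerprint on success, returns 1 on mismatch.
deploy_keystore() {   # deploy_keystore cert.pem key.pem [keystore]
    ks="${3:-$KEYSTORE}"
    tmp=$(mktemp)
    make_pkcs12 "$1" "$2" "$tmp"
    import_keystore "$tmp" "$ks"
    rm -f "$tmp"
    want=$(cert_fingerprint "$1")
    have=$(keystore_fingerprint "$ks")
    if [ "$want" != "$have" ]; then
        echo "keystore holds $have, expected $want" >&2
        return 1
    fi
    echo "$have"
}

case "${1:-}" in
    deploy) deploy_keystore "$2" "$3" "${4:-$KEYSTORE}" ;;
esac
```

Per the thread, the running Network service does not re-read the keystore on its own, so after `deploy` bounce it (`systemctl restart unifi` is what worked for the commenters above) and then compare `served_fingerprint udm-pro-URL 8843` with `cert_fingerprint` of the PEM: a match on disk but not on the wire means the restart did not take. Note this touches only the keystore; the unifi-core and redirector copies listed earlier in the thread are separate locations.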