Closed atais closed 9 months ago
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
Just point your proxy to HTTPS and port 8443. Nginx should just ignore the invalid cert.
Yes, but I want to have a valid certificate.
I tried using that guide: https://lg.io/2015/12/13/using-lets-encrypt-to-secure-cloud-hosted-services-like-ubiquitis-mfi-unifi-and-unifi-video.html
But I think the password to keystore has changed:
```
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /config/certificates/myweb.com.p12 -srcstoretype PKCS12 -alias unifi
Enter source keystore password:
keytool error: java.io.IOException: keystore password was incorrect
```
If you're putting it behind a reverse proxy, you'll have a valid cert: provided everything is going through the reverse proxy, the internal cert will be ignored.
Yes, probably that was my misconception.
My Nginx working config is:
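```
server {
    listen 443 ssl default_server;
    server_name unifi.mydomain.com;
    # TLS certificate and protocol settings for the public side
    include /opt/NGinX/etc/nginx/ssl.conf;

    location / {
        # Upstream is the controller's own HTTPS listener
        proxy_pass https://unifi_ip:8443;
        # HTTP/1.1 plus Upgrade/Connection headers so WebSocket connections pass through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # Drop any client-supplied Proxy header
        proxy_set_header Proxy "";
        # Pass the Host header as sent by the client
        proxy_set_header Host $http_host;
    }
}
```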
and the ssl conf is a copy from https://github.com/linuxserver/docker-swag/blob/b309e1ce45d06556af8b19ee53cafa9cbf192248/root/defaults/ssl.conf
with my certificates obviously.
I tried working with https://github.com/stevejenkins/unifi-linux-utils/blob/master/unifi_ssl_import.sh at first, but I think it was a dead-end
Is this a new feature request?
Wanted change
How does one configure SSL with the dockerized image?
My usual approach was to set up an Nginx proxy with SSL configured in front of the unprotected endpoint. Something like:
But here, I noticed it redirects to 8443 on the very first request. And I cannot perform the SSL handshake, because Tomcat is using its own certificates (self-signed?).
What should be the approach here?
Reason for change
Annoying red ssl warning :)
Proposed code change
No response
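The working config from the thread with upstream certificate verification added, as an added example that is not from the thread or from the image's maintainers. By default nginx does not verify the certificate of an `https://` upstream, so the hop to port 8443 is encrypted but unauthenticated; pinning the controller's self-signed certificate closes that gap. The certificate path and the `proxy_ssl_name` value are placeholders.

```nginx
server {
    listen 443 ssl default_server;
    server_name unifi.mydomain.com;
    include /opt/NGinX/etc/nginx/ssl.conf;

    location / {
        proxy_pass https://unifi_ip:8443;

        # Default is "proxy_ssl_verify off": any upstream certificate is accepted.
        # Turn verification on and trust only the controller's own certificate.
        proxy_ssl_verify on;

        # Hypothetical path: a PEM copy of the controller's self-signed
        # certificate, obtained over a trusted channel, e.g. saved once with
        #   openssl s_client -connect unifi_ip:8443 </dev/null | openssl x509 -outform PEM
        # and checked against the fingerprint read on the controller host.
        proxy_ssl_trusted_certificate /etc/nginx/upstream/unifi-controller.pem;

        # Placeholder: must match a name (CN or SAN) in that certificate.
        # Without it nginx checks the certificate against the host in proxy_pass.
        proxy_ssl_name controller-cert-name;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Proxy "";
        proxy_set_header Host $http_host;
    }
}
```

If the controller regenerates its certificate, the pinned file has to be replaced, otherwise nginx refuses the upstream connection and returns 502.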