[FEAT] Support for self-signed SSL certificate

ebelmxi commented 3 months ago

Is this a new feature request?

[X] I have searched the existing issues

Wanted change

Support for self-signed SSL certificate.

Previously I used the UniFi Cloud Key and used a self-signed certificate for long time. With the UniFi Network Application in Docker I am unable to install my certificate.

Reason for change

Would like to secure all my local services with self-signed certificates.

Proposed code change

Add a new environment variable for enable self-signed certificate and a mount for provide certificates and key files.

I already tried the following steps:

transform keyfile openssl pkey -in unifi.key -traditional -out private.key
transform my certificates into PEM format
- openssl x509 -in unifi.crt -out unifi.pem -outform PEM
- openssl x509 -in ca.crt -out ca.pem -outform PEM
mount into unifi_app container
import java -jar lib/ace.jar import_key_cert private.key certificate.pem ca.pem

but this ended in NET::ERR_CERT_INVALID and can't access the web interface anymore.

github-actions[bot] commented 3 months ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

thespad commented 3 months ago

Ubiquiti have scrubbed all documentation for user-supplied certificates for the Network Application from their website, as well as removing the ability to search KB articles; as far as I can tell they no longer support doing it and have gone to lengths to stop users doing it (I assume because they're trying to nudge people into their cloud offering where they can monestise you).

In any case the app already ships with a self-signed cert, so generating your own that isn't from an internal or external CA doesn't offer any benefits.

ebelmxi commented 3 months ago

That's too bad. I don't want a cloud solution for managing my network.

In any case the app already ships with a self-signed cert, so generating your own that isn't from an internal or external CA doesn't offer any benefits.

However, I have my own CA which is trusted in all of my devices.

I would be very happy if someone could provide a workaround.

aptalca commented 3 months ago

Reverse proxy is our recommended method and SWAG is our recommended proxy

thespad commented 3 months ago

That's too bad. I don't want a cloud solution for managing my network.

In any case the app already ships with a self-signed cert, so generating your own that isn't from an internal or external CA doesn't offer any benefits.

However, I have my own CA which is trusted in all of my devices.

I would be very happy if someone could provide a workaround.

Just for clarity, if you're running your own CA it's not a self-signed certificate. A self-signed certificate is one without a chain of trust, not simply one that you have created yourself rather than obtained from a 3rd party.

ebelmxi commented 3 months ago

Reverse proxy is our recommended method and SWAG is our recommended proxy

I want to have a static IP for my UniFi Network Application, so I using a network with ipvlan driver. But you gave the impulse in the right direction. I configured a additional proxy only for the web interface. I'am using nginxproxy/nginx-proxy with a modified docker-self-signed-proxy-companion which automatic issues certificates from my own CA. And provide the following environment variables:

      VIRTUAL_HOST: $DOMAIN
      VIRTUAL_PORT: 8443
      VIRTUAL_PROTO: https
      SELF_SIGNED_HOST: $DOMAIN

Thank you all, I'am happy with that solution.

linuxserver / docker-unifi-network-application