Hi,
On Monday, 23 November 2020, 18:30:06 CET, James Knott wrote:
On 2020-11-21 4:51 a.m., Herbert Graeber wrote:
Hi,
On Saturday, 21 November 2020, 03:04:13 CET, James Knott wrote:
On 2020-11-20 5:45 p.m., Herbert Graeber wrote:
You need a certificate and key and add them in /etc/sysconfig/unifi.
Where would I find those?
You shall generate your own.
How do I do that?
Whatever you like. You can use pure openssl or one of the many tools built on top of it. I prefer easyrsa. Even letsencrypt will do, but that's designed for public websites and you do not want to make your unifi controller public.
I will modify my package so that it's possible to leave the certificate of Ubiquiti active. That will give you a security warning and you have to confirm that the browser shall ignore that.
Herbert
Can you provide a bit more info on what files go where?
Some time ago Yast had its own PKI and put its certificates and keys in /etc/ssl/servercerts. The CA certificate was stored in /etc/pki/trust/anchors/YaST.pem. That is the reason I chose the default mentioned in /etc/sysconfig/unifi. But meanwhile the PKI in Yast has gone. You do not have to use these paths; you can set the variables in /etc/sysconfig/unifi and store the certificates and the key wherever you want.
For example, I have found /etc/sysconfig/unifi, where I find:
## Path: Network/Unifi
## Description: Unifi controller settings
## Type: string
## Default: "/etc/ssl/servercerts/serverkey.pem"
#
# Key for TLS encryption
UNIFI_TLS_KEY=""

## Type: string
## Default: "/etc/ssl/servercert/servercert.pem"
Here a "s" is missing. But only in the comment, not in the import-cert script, which implements the defaults.
#
# Certificate for TLS encryption
UNIFI_TLS_CERT=""

## Type: string
## Default: "/etc/pki/trust/anchors/YaST.pem"
#
# CA Certificate for TLS encryption
UNIFI_TLS_CA_CERT=""
Using openssl, I created the files in servercert and servercerts, but when I try running the controller, I get an error:
* unifi.service - unifi
Loaded: loaded (/usr/lib/systemd/system/unifi.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2020-11-23 12:21:19 EST; 6min ago
Process: 24600 ExecStart=/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/bin/java -Xmx1024M -jar /usr/lib/unifi/lib/ace.jar start (code=exited, status=203/EXEC)
Process: 24469 ExecStartPre=/usr/lib/unifi/bin/import-cert (code=exited, status=0/SUCCESS)
Main PID: 24600 (code=exited, status=203/EXEC)
Nov 23 12:21:17 linux import-cert[24469]: 140674435469760:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
Nov 23 12:21:17 linux import-cert[24469]: unable to load private key
Looks like /etc/ssl/servercerts/serverkey.pem doesn't exist or isn't a key in PEM format.
Nov 23 12:21:19 linux import-cert[24469]: Importing keystore /var/tmp/unifi.p12 to /usr/lib/unifi/data/keystore...
Followup error: Unifi expects certificate and key in p12 format, which cannot be generated without the private key.
Nov 23 12:21:19 linux import-cert[24469]: keytool error: java.io.FileNotFoundException: /var/tmp/unifi.p12 (No such file or directory)
Followup error: The p12-File cannot be loaded.
Nov 23 12:21:19 linux systemd[1]: Started unifi.
Nov 23 12:21:19 linux systemd[24600]: unifi.service: Failed to execute command: No such file or directory
Nov 23 12:21:19 linux systemd[24600]: unifi.service: Failed at step EXEC spawning /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/bin/java: No such file or directory
Nov 23 12:21:19 linux systemd[1]: unifi.service: Main process exited, code=exited, status=203/EXEC
Nov 23 12:21:19 linux systemd[1]: unifi.service: Unit entered failed state.
Nov 23 12:21:19 linux systemd[1]: unifi.service: Failed with result 'exit-code'.
It's difficult to figure out what's necessary, when working with something you're not familiar with.
tnx jk
Herbert
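
Added example, not part of the original message and not code from the unifi package or its import-cert script: a shell sketch that creates a self-signed key and certificate with openssl, checks that both files are PEM and belong together, and only then bundles them as PKCS#12, so the chain of follow-up errors in the log above is caught at the first missing file. The function names, the alias "example", the CN and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example. File names, CN and password are constructed placeholders;
# nothing here is taken from the package's import-cert script.

# make_selfsigned KEY CERT CN: new unencrypted RSA key plus self-signed certificate
make_selfsigned() {
    ( umask 077   # private key readable by its owner only
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null )
}

# check_tls_files KEY CERT: prints the first problem found; returns 0 only if
# both files are PEM and the certificate belongs to the key
check_tls_files() {
    [ -r "$1" ] || { echo "key file missing or unreadable: $1"; return 1; }
    [ -r "$2" ] || { echo "certificate file missing or unreadable: $2"; return 2; }
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null ||
        { echo "not an unencrypted PEM private key: $1"; return 3; }
    openssl x509 -in "$2" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $2"; return 4; }
    # Compare the public key derived from the private key with the one in the certificate
    kpub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null | openssl sha256)
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$kpub" = "$cpub" ] || { echo "certificate does not match key"; return 5; }
    echo ok
}

# build_p12 KEY CERT OUT PASSWORD: bundle key and certificate as PKCS#12,
# refusing to write anything when the inputs fail the check above
build_p12() {
    check_tls_files "$1" "$2" >/dev/null || return $?
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -name example \
          -out "$3" -passout "pass:$4" )
}
```

Running check_tls_files against the paths set in UNIFI_TLS_KEY and UNIFI_TLS_CERT before starting the service shows which of the two files is the problem.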