acme.sh
acme.sh copied to clipboard
acmesh-official
Report bugs to unifi deploy hook
This is the place to report bugs in the unifi deploy hook.
If you experience a bug with --deploy-hook unifi, please report it in this issue. (Please include the --debug output to assist in diagnosing any problems.)
Thanks!
just curious tho this might not be related purely to the unifi deploy hook (first time using acmesh, used certbot before) but i couldn't find something on that matter: does the cronjob that comes with acme is also deploying the certs?
I wrote a brief 'how-to' gist on how to freshly install, issue and deploy a cert on a unifi controller. And the answer to my question would be nice to know.
Thanks in advance (:
@blackjack4494 yes, acme.sh saves your deploy-hook settings, and re-deploys with those same settings after a successful cron certificate renewal. (This applies to all deploy hooks, not just unifi.)
I'm just replacing an Ubuntu 16.04 VM running Unifi with a new VM running 22.04.
When trying to use the unifi hook (which worked great on 16.04), I get
[Fri 22 Jul 22:49:28 UTC 2022] Installing certificate for Unifi Controller (Java keystore)
[Fri 22 Jul 22:49:28 UTC 2022] _unifi_keystore='/usr/lib/unifi/data/keystore'
[Fri 22 Jul 22:49:28 UTC 2022] Generate import pkcs12
[Fri 22 Jul 22:49:28 UTC 2022] Import into keystore: /usr/lib/unifi/data/keystore
Importing keystore /tmp/tmp.UHja0HRWf4 to /usr/lib/unifi/data/keystore...
keytool error: java.io.IOException: keystore password was incorrect
[Fri 22 Jul 22:49:29 UTC 2022] Error importing into Unifi Java keystore.
[Fri 22 Jul 22:49:29 UTC 2022] Please re-run with --debug and report a bug.
[Fri 22 Jul 22:49:29 UTC 2022] Error deploy for domain:unifi.xxx.me.uk
[Fri 22 Jul 22:49:29 UTC 2022] Deploy error.
I can run
keytool -list -v -keystore /usr/lib/unifi/data/keystore
and see 1 existing certificate in the keystore (either providing no password or the default one in the script).
I wonder if this relates to it as it mentions Ubuntu Jammy (which is v22) but I'm unsure if I can add the -legacy parameter in the script and if, so where.
I realised the topkcs routine called in unifi.sh lives in the main acme.sh file, so I added -legacy to the first call in that (line 1427 on my system). That line now reads:
${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword" -name "$pfxName" -caname "$pfxCaname" -legacy
And the import now works.
@SupersixEvo thanks for tracking this down.
@Neilpang this affects _toPkcs in the main acme.sh. When openssl is v3 or later, the unifi deploy script needs _toPkcs to invoke openssl with the -legacy parameter. What would be the best way to do that?
@medmunds add one more parameter to the _toPKcs() function, eg: usLegacy (or whatever), default is empty.
in the deploy hook, invoke it with value 1.
also, you should check if current openssl supports "-legacy" option first.
${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword" -name "$pfxName" -caname "$pfxCaname" -legacy
Can confirm that this works, though my openssl does not accept -legacy directly?
I had a problem with a CloudKey G2+. The deploy script seemed to think it was a Gen1, so deployment failed.
acme.sh --deploy -d unifi.MYDOMAIN.me --deploy-hook unifi --debug
[Mon Jan 30 12:35:20 GMT 2023] Lets find script dir.
[Mon Jan 30 12:35:20 GMT 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
[Mon Jan 30 12:35:20 GMT 2023] _script='/root/.acme.sh/acme.sh'
[Mon Jan 30 12:35:20 GMT 2023] _script_home='/root/.acme.sh'
[Mon Jan 30 12:35:20 GMT 2023] Using config home:/root/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.6
[Mon Jan 30 12:35:20 GMT 2023] Running cmd: deploy
[Mon Jan 30 12:35:20 GMT 2023] Using config home:/root/.acme.sh
[Mon Jan 30 12:35:20 GMT 2023] default_acme_server
[Mon Jan 30 12:35:20 GMT 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Mon Jan 30 12:35:21 GMT 2023] DOMAIN_PATH='/root/.acme.sh/unifi.MYDOMAIN.me'
[Mon Jan 30 12:35:21 GMT 2023] _deployApi='/root/.acme.sh/deploy/unifi.sh'
[Mon Jan 30 12:35:21 GMT 2023] _cdomain='unifi.MYDOMAIN.me'
[Mon Jan 30 12:35:21 GMT 2023] _ckey='/root/.acme.sh/unifi.MYDOMAIN.me/unifi.MYDOMAIN.me.key'
[Mon Jan 30 12:35:21 GMT 2023] _ccert='/root/.acme.sh/unifi.MYDOMAIN.me/unifi.MYDOMAIN.me.cer'
[Mon Jan 30 12:35:21 GMT 2023] _cca='/root/.acme.sh/unifi.MYDOMAIN.me/ca.cer'
[Mon Jan 30 12:35:21 GMT 2023] _cfullchain='/root/.acme.sh/unifi.MYDOMAIN.me/fullchain.cer'
[Mon Jan 30 12:35:21 GMT 2023] Installing certificate for Unifi Controller (Java keystore)
[Mon Jan 30 12:35:21 GMT 2023] _unifi_keystore='/usr/lib/unifi/data/keystore'
[Mon Jan 30 12:35:21 GMT 2023] Generate import pkcs12
[Mon Jan 30 12:35:21 GMT 2023] Import into keystore: /usr/lib/unifi/data/keystore
Importing keystore /tmp/tmp.zJAEBB7Qp6 to /usr/lib/unifi/data/keystore...
Warning: Overwriting existing alias unifi in destination keystore
[Mon Jan 30 12:35:24 GMT 2023] Import keystore success!
[Mon Jan 30 12:35:24 GMT 2023] Install Unifi Controller certificate success!
[Mon Jan 30 12:35:24 GMT 2023] Installing certificate for Cloud Key Gen1 (nginx admin pages)
[Mon Jan 30 12:35:24 GMT 2023] _cloudkey_certdir='/etc/ssl/private'
[Mon Jan 30 12:35:24 GMT 2023] Unsupported Cloud Key configuration: keystore not found at '/etc/ssl/private/unifi.keystore.jks'
[Mon Jan 30 12:35:24 GMT 2023] Error deploy for domain:unifi.MYDOMAIN.me
[Mon Jan 30 12:35:24 GMT 2023] Deploy error.
The script was looking for /etc/ssl/private/cloudkey.key to identify it as a G1, and that file did exist but was > 2 years old. I wonder if it used to use nginx before it upgraded itself to use Unifi OS.
I moved the whole /etc/ssl/private directory with
mv /etc/ssl/private/ /etc/ssl/private-renamed
and then the deploy ran fine.
...
[Mon Jan 30 12:51:05 GMT 2023] Installing certificate for UnifiOS
[Mon Jan 30 12:51:05 GMT 2023] _unifi_core_config='/data/unifi-core/config'
[Mon Jan 30 12:51:05 GMT 2023] Install UnifiOS certificate success!
[Mon Jan 30 12:51:05 GMT 2023] Reload services (this may take some time): service unifi restart && systemctl restart unifi-core
[Mon Jan 30 12:52:46 GMT 2023] Reload success!
[Mon Jan 30 12:52:46 GMT 2023] Success
https://github.com/acmesh-official/acme.sh/issues/3359#issuecomment-1408696009
Just to add a +1 to robinalden's comment above. My CloudKey2 was upgraded from UnifiOS 1 --> 2.x --> 3.x and I had exactly the same issue with the deploy hook until I renamed /etc/ssl/private. Perhaps there is a better way to detect the OS version?
from unifi-utilities
case "$(ubnt-device-info firmware || true)" in 1*) # version 1 ;; 2*) # version 2 ;; 3*) # version 3 ;; *) # version not handled exit 1 ;; esac
Not strictly a deploy issue, but ECC certs borked unifi-core on my CloudKey Gen2 Plus running firmware v3.1.13. Blew away the ECC certs, reissued RSA certs, and redeployed to fix.
There should be a status check var. You're assuming we're (FreeBSD) using systemd. The same for the other systectl usage.
I found I had trouble deploying my certs on my UDR running Unifi OS (3.1.16).
It seems I'd fall foul of this line as for some reason I had a keystore file at /usr/lib/unifi/data/keystore. This resulted in the deploy script erroring with keytool not found.
root@UDR:~# acme.sh --deploy --domain unifi.mydomain.com --deploy-hook unifi
[Fri Nov 17 13:51:46 GMT 2023] Installing certificate for Unifi Controller (Java keystore)
[Fri Nov 17 13:51:46 GMT 2023] keytool not found
[Fri Nov 17 13:51:46 GMT 2023] Error deploy for domain:unifi.mydomain.com
[Fri Nov 17 13:51:46 GMT 2023] Deploy error.
From a bit of searching around it seems that the guest hotspot portal (which I have enabled) may use the keystore file to manage its certs rather than the Unifi OS standard in /data/unifi-core/config (source).
I ended up hacking the deploy hook to avoid running the _unifi_keystore block and found it to complete successfully. The caveat being I wasn't able to enable SSL for the guest hotspot portal, only the admin interface.
Trying this on a Unifi Express ... wish me luck! == will delete this comment if no issues
No keytool (line 103) on Unifi Express. Wonder what they use? Asked in the community over there, see if I get a response. https://community.ui.com/questions/Keytool-alternative-on-UniFi-Express/5154559a-b064-4f41-a183-a106b9e690dc
We need a check for keytool and if it does not exist use openssl.
Running a Unifi Dream Machine with the same poblem. I'm not sure openssl can create a Java keystore. You'll notice that the java binaries are also removed.
I got my response from Ubiquiti support yesterday, told me SSL isn't their problem.
Hacky fix is just to reinstall keytool: apt update && apt install openjdk-11-jre-headless -y puts it in place with a few other packages that seem harmless enough. YMMV with support on that, and likely need to re-run after an update. openjdk-17 is newer, but loads a lot more packages.
There's also a minor problem with the UDM running hotspot portal. I need to redeploy a few times to see what's going on, but I think the keystore shouldn't have the CA as well. Error in the log is that "2 certificates were found, only 1 expected." Manually creating the keystore fixes it.
Once the keytool problem is sorted and the certificates correctly converted to a JKS keystore, the next problem is that the default Unifi console uses weak ciphers that aren't compatible with the default RSA certificates from letsencrypt. The system configuration needs to be updated for hotspot portal (and potentially other services to work.)
I recently updated my CloudKey G2 to Firmware version: v3.2.12. The update wiped the existing certs, and I ran into other problems (which turned out to be with my DNS provider, not acme.sh) that prompted me to update acme.sh to v3.0.8.
After getting the certs issued and running this hook, I could see /data/unifi-core/config/unifi-core.key and unifi-core.crt update at first, but when the unifi service restarted, both files were replaced with self-signed RSA certs. I noticed that the certs getting wiped out were ECC, which seemed new with this version of acme.sh. After fiddling with some different options, issuing with -k 4096 got the certs to persist through a unifi restart.
We need a check for keytool and if it does not exist use openssl.
Running a Unifi Dream Machine with the same poblem. I'm not sure openssl can create a Java keystore. You'll notice that the java binaries are also removed.
I got my response from Ubiquiti support yesterday, told me SSL isn't their problem.
Hacky fix is just to reinstall keytool: apt update && apt install openjdk-11-jre-headless -y puts it in place with a few other packages that seem harmless enough. YMMV with support on that, and likely need to re-run after an update. openjdk-17 is newer, but loads a lot more packages.
There's also a minor problem with the UDM running hotspot portal. I need to redeploy a few times to see what's going on, but I think the keystore shouldn't have the CA as well. Error in the log is that "2 certificates were found, only 1 expected." Manually creating the keystore fixes it.
Openssl can create a java compatible keystore. If fact you should be using it instead of keytool these days for acme.sh. The instructions are here https://docs.oracle.com/cd/E19509-01/820-3503/ggfhb/index.html
Modern java implementations are moving away from the old proprietry keystore format to the new pkcs12 format which is the type openssl can create. Example below. The alias should be the same as the one it uses now for the current certificate and key in the keystore. You cannot use this to update a keystore, only create it. Please note a password is mandatory for it to be a java compatible keystore.
$ cat mykey.pem.txt mycertificate.pem.txt>mykeycertificate.pem.txt
$ openssl pkcs12 -export -in mykeycertificate.pem.txt -out mykeystore.pkcs12
-name myAlias -noiter -nomaciter
Openssl can create a java compatible keystore. If fact you should be using it instead of keytool these days for acme.sh. The instructions are here https://docs.oracle.com/cd/E19509-01/820-3503/ggfhb/index.html
It looks like you're correct. Every implementation of this Unifi certificate installation was converting to PKCS12 and then importing that to JKS. All the historical documents I could find from Unifi have that as the process as well. I just re-deployed, skipping the JKS import, and it handles the pkcs12 just fine.
Fantastic! Does that mean we have solved the problem? That would be a great outcome! Can you send me links to the historical documents? I am itching to use this on my UX. Happy to drop in a patched unifi deploy hook to test for here then I can write it up. You guys have a wiki or a pages site for this place?
Potentially. Tested on a UDM (not the UDM Pro), and don't have any other devices to test with.
Welcome to take a look at my updates: https://github.com/3VAbdAVE/acme.sh/blob/dev/deploy/unifi.sh
Here's where I am with it: In addition to falling back to openssl, it now backs up existing cert/key/keystores, and makes a change to system.properties to support the correct cipher suites. This backup is not smart: If you don't move those backups, they'll get overwritten on next deploy.
I also had to change the logic for service restart. If unifi is running while unifi-core restarts, it throws an error: ERROR system - Unable to read certificate from the unifi chain. There are 2 certificates, but exactly 1 is expected
This seems to break both wifiman and the hotspot portal, but I don't use wifiman. The hotspot portal now works, but you have to turn encryption off and back on after deploying a new cert for some reason. That's not a new bug though.