fluffigt.com *poof* said fluff….

11 Jul 2019

Let’s Encrypt, Ubuntu, Certbot and the Unifi Controller

For the sake of this post, let's assume you're running a fairly minimal install of Ubuntu 18.04 Bionic Beaver and have installed your Unifi Controller with the script from Glenn Rietveld.

Install certbot

Follow the official instructions. They're good. In short, it's just the following steps:

$ sudo apt install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo apt install python3-certbot-nginx

Create renew-hook for the Unifi Controller

Create the script /etc/letsencrypt/renewal-hooks/deploy/import-to-unifi and make it executable (chmod +x). Certbot runs every script in that directory after a certificate has been issued or renewed.

#!/bin/bash
set -eu

# certbot runs deploy hooks with RENEWED_LINEAGE set to the live directory of
# the certificate it just issued or renewed. Make sure you only have one
# letsencrypt cert on this server, or uncomment the following line and adjust
# it to your unifi controller's domain name so other certs are ignored:
#CERTBOT_DOMAIN=unifi.some.where

LE_LIVE=/etc/letsencrypt/live
UNIFI_KEYSTORE=/var/lib/unifi/keystore

# When run by hand there is no RENEWED_LINEAGE, so CERTBOT_DOMAIN must be set
LINEAGE=${RENEWED_LINEAGE:-${LE_LIVE}/${CERTBOT_DOMAIN:?set CERTBOT_DOMAIN when not run by certbot}}
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ "${LINEAGE}" != "${LE_LIVE}/${CERTBOT_DOMAIN}" ]; then
	exit 0  # some other certificate was renewed, nothing to do for unifi
fi

# Only re-import when the certificate is newer than the keystore
if [ "${LINEAGE}/cert.pem" -nt "${UNIFI_KEYSTORE}" ]; then
	WORKDIR=$(mktemp -d)
	# Bundle private key and full chain into a PKCS12 file that keytool can import
	openssl pkcs12 -export -inkey "${LINEAGE}/privkey.pem" -in "${LINEAGE}/fullchain.pem" -out "${WORKDIR}/cert.p12" -name unifi -password pass:temppass
	# Keep a timestamped backup of the keystore before replacing the entry
	cp "${UNIFI_KEYSTORE}" "${UNIFI_KEYSTORE}-$(date +%s)"
	# aircontrolenterprise is the controller's default keystore password
	keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore "${UNIFI_KEYSTORE}" -srckeystore "${WORKDIR}/cert.p12" -srcstoretype PKCS12 -srcstorepass temppass -alias unifi -noprompt
	systemctl restart unifi.service
	rm "${WORKDIR}/cert.p12"
	rmdir "${WORKDIR}"
fi

Run certbot the first time

$ certbot --nginx
# Answer the questions as needed

Verify everything worked

$ echo "" | openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = unifi.some.where
verify return:1
---
[...]
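Eyeballing the s_client output works, but it's easy to miss a stale keystore. Here's a small check script I'd add next to the hook (an added example of my own, not part of the original post or of the Unifi/certbot projects): it compares the SHA-256 fingerprint of the cert in certbot's live directory with the one the controller actually serves on 8443, reports if cert.pem is newer than the keystore (the same -nt test the deploy hook uses, meaning the hook has not imported it yet), and warns when the cert is close to expiry. The script name check-unifi-cert.sh is made up, the paths are the same as in the hook, and it assumes openssl is installed.

```shell
#!/bin/sh
# check-unifi-cert.sh (hypothetical name): verify the Unifi controller serves
# the certificate certbot currently has, and that the keystore is not stale.
# Usage: check-unifi-cert.sh DOMAIN [HOST] [PORT]   (defaults 127.0.0.1 8443)
set -eu

LE_LIVE=/etc/letsencrypt/live
UNIFI_KEYSTORE=/var/lib/unifi/keystore

# SHA-256 fingerprint (AB:CD:...) of a PEM certificate file
cert_fingerprint() {
	openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS server presents
served_fingerprint() {
	local host=$1 port=$2
	openssl s_client -connect "${host}:${port}" -servername "${host}" </dev/null 2>/dev/null \
		| openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# True (0) when the cert file is newer than the keystore, i.e. the deploy
# hook has not imported it yet. Same -nt test as the hook itself.
keystore_is_stale() {
	[ "$1" -nt "$2" ]
}

# True (0) when the certificate expires within N days ($2)
expires_within_days() {
	! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

main() {
	local domain=${1:?usage: $0 DOMAIN [HOST] [PORT]} host=${2:-127.0.0.1} port=${3:-8443}
	local cert="${LE_LIVE}/${domain}/cert.pem" rc=0 want have
	[ -r "$cert" ] || { echo "ERROR: cannot read $cert"; return 1; }
	want=$(cert_fingerprint "$cert")
	have=$(served_fingerprint "$host" "$port") || have="(no certificate received from ${host}:${port})"
	if [ "$want" = "$have" ]; then
		echo "OK: controller serves the current Let's Encrypt cert $want"
	else
		echo "MISMATCH: live cert is $want, controller serves $have"; rc=1
	fi
	if keystore_is_stale "$cert" "$UNIFI_KEYSTORE"; then
		echo "WARNING: $cert is newer than $UNIFI_KEYSTORE, the deploy hook has not run"; rc=1
	fi
	if expires_within_days "$cert" 14; then
		echo "WARNING: $cert expires within 14 days, check 'certbot renew --dry-run'"; rc=1
	fi
	return $rc
}

# Run the checks only when called with arguments, so the functions can be sourced
if [ $# -gt 0 ]; then
	main "$@"
fi
```

Run it as check-unifi-cert.sh unifi.some.where after the first certbot run and again after a renewal; a non-zero exit makes it easy to hang off cron or a monitoring check.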

Closing notes

This is mostly written as a reminder for myself. Hopefully it’ll help someone. 

I haven’t tested how resilient this is when for example upgrading the unifi controller. Possibly one needs to touch /etc/letsencrypt/live/${CERTBOT_DOMAIN}/cert.pem and run the hook manually after the upgrade for the cert to keep the keystore fresh. I’ve seen it happen in other places using keystores.

Filed under: Linux, Sysadmin

27 Dec 2014

amavisd-new on Ubuntu 14.04 (trusty)

If you get anything like this in your syslog:

Dec 27 20:35:36 web2 amavis[4216]: (!!)TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?
Dec 27 20:35:36 web2 amavis[4216]: (!)_DIE: Suicide () TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?

Then add amavis to the clamav group and restart amavis to get it working again. Easy to see from the error log, right?

sudo adduser amavis clamav
sudo service amavis restart

26 Dec 2014

Civilization IV: Colonization vs Mac OS X Yosemite

In short, Colonization has dependencies on Python 2.3 (or maybe 2.5, or both; nobody seems quite sure at the moment, and both seem to be needed for all Civ IV games/mods to play nicely). Yosemite doesn't ship that old software anymore.

This fix uses third-party Python frameworks/libraries/etc. Use at your own risk!

http://pcgamingwiki.com/wiki/Civilization_IV#Failed_Initializing_Python

4 Jul 2014

Lubuntu 14.04 and nice to haves

While installing Lubuntu 14.04 on my laptop I found out the hard way about a bug in the installer regarding encrypted hard drives. To get around it you need to boot from the CD/USB, choose to try Lubuntu, open a terminal and run

# sudo swapoff -a

and then start the install. You need to do this before starting the install, since the installer remembers certain errors between runs unless you reboot in between.

PPAs and other repos I like to add on newly installed systems:

Additionally I like to install git, guake, vim-nox and a few other tidbits.

Filed under: Linux

30 Mar 2014

More on Unifi and their APs

A follow-up on my last post about my Unifi setup. I bought a new home server recently and wanted to move the controller. I took the quickest route: backed up my settings on the old controller, installed the new one, imported the settings into it, migrated the APs to the new controller and voilà, everything worked. Below are a few of my notes on how to install the controller and migrate the APs.

Installing on Ubuntu 12.04 and later:

Add to /etc/apt/sources.list.d/unifi.list (apt only reads files in that directory that end in .list):

## Ubuntu
deb http://www.ubnt.com/downloads/unifi/distros/deb/ubuntu ubuntu ubiquiti

Add the repo key:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50

Install:

sudo apt-get update
sudo apt-get install unifi

Connect to https://<ip-of-unifi-controller>:8443 and go through the getting started guide.

Migrating APs

If you, like me, have APs from another controller, you need to ssh into them with the same user/password you had for their last controller and run the command:

set-inform http://<ip-of-unifi-controller>:8080/inform

Unifi stable, rapid and beta

Oh, and as a side note: it's also possible to install unifi-rapid for more/newer features on both controller and APs, and unifi-beta for the fearless...

6 Dec 2013

UniFi AP Pro and controller

I recently got myself two UniFi AP Pros. While getting them installed, which requires a Java based controller software installed on a computer, I found a couple of problems. The foremost was that the controller didn't start. After having a look at the unifi logs (/var/log/unifi/server.log on Ubuntu 12.04) I found out that it tried to use an already allocated port (8081). I had to change that port number both in /usr/lib/unifi/data/system.properties and /usr/lib/unifi/etc/system.properties for the change to take effect. Sadly the server didn't honour a changed binding IP, even when changed in those two files, but rather listens on 0.0.0.0. Firewall away and debug more another day...

Filed under: Computers, Linux

28 Jun 2013

Unbound on Halon Security Router

Being the way I am, I wanted to run Unbound on my installation of Halon Security Router. It turned out to be a bit fiddly, since the system boots clean of all earlier changes (I like the security), but there is support for getting certain kinds of changes in anyway. I have of course exploited that to put together an installation script that installs Unbound at every boot.

The result is on github.

14 Mar 2013

Install Oracle Java 7 on Ubuntu

http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html

11 Mar 2013

Flushing DNS Cache on Mac OS X Lion

$ sudo killall -HUP mDNSResponder

14 Oct 2012

Mac OS X Lion SSD tweaks

A couple of tweaks for the Mac OS X Lion users out there. Since Apple doesn't support TRIM other than on their own drives (cheap b...) and a couple of settings make more sense when running an HDD with spinning discs, here are the tips I followed: