Let’s Encrypt, Ubuntu, Certbot and the Unifi Controller
For the sake of this post, let's assume you're running a quite minimal install of Ubuntu 18.05 Bionic Beaver and have installed your Unifi Controller with the script from Glenn Rietveld.
Install certbot
Follow the official instructions. They're good. In short, it's just the following steps:
$ sudo apt install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo apt install python3-certbot-nginx
Create renew-hook for the Unifi Controller
Create the script /etc/letsencrypt/renewal-hooks/deploy/import-to-unifi and make it executable (certbot skips hooks that are not):
#!/bin/bash
# Certbot deploy hooks are called with RENEWED_LINEAGE set to the live
# directory of the certificate that was just renewed. When the hook is run
# by hand that variable is unset, so fall back to CERTBOT_DOMAIN below.
# If you have more than one letsencrypt cert on this server, uncomment
# the following line and adjust to your unifi controller's domain name.
#CERTBOT_DOMAIN=unifi.some.where
LE_LIVE=/etc/letsencrypt/live
LINEAGE="${RENEWED_LINEAGE:-${LE_LIVE}/${CERTBOT_DOMAIN}}"
UNIFI_KEYSTORE=/var/lib/unifi/keystore
set -e
# Only re-import when the cert is newer than the keystore
if [ "${LINEAGE}/cert.pem" -nt "${UNIFI_KEYSTORE}" ]; then
    WORKDIR=$(mktemp -d)   # private (0700) scratch dir for the PKCS#12 bundle
    # Bundle the key and full chain into a PKCS#12 file that keytool can import.
    # temppass only protects a file that lives inside the private workdir.
    openssl pkcs12 -export -inkey "${LINEAGE}/privkey.pem" -in "${LINEAGE}/fullchain.pem" \
        -out "${WORKDIR}/cert.p12" -name unifi -password pass:temppass
    # Keep a timestamped backup of the old keystore before overwriting the alias
    cp "${UNIFI_KEYSTORE}" "${UNIFI_KEYSTORE}-$(date +%s)"
    # aircontrolenterprise is the UniFi controller's default keystore password
    keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
        -destkeystore "${UNIFI_KEYSTORE}" -srckeystore "${WORKDIR}/cert.p12" \
        -srcstoretype PKCS12 -srcstorepass temppass -alias unifi -noprompt
    systemctl restart unifi.service
    rm "${WORKDIR}/cert.p12"
    rmdir "${WORKDIR}"
fi
Run certbot the first time
$ certbot --nginx
# Answer the questions as needed
Verify everything worked
$ echo "" | openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = unifi.some.where
verify return:1
---
[...]
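To check the deployment without eyeballing the s_client output (and to catch a keystore that a controller upgrade has silently reset), here is an added example in Python; it is not from the original post, it assumes the post's paths and port 8443, and its `constructed_pem` helper only builds fake PEM blocks for offline testing.

```python
"""Check that the UniFi controller serves the certificate certbot deployed.

Added example, not part of the original post. Assumes the post's paths
(/etc/letsencrypt/live/<domain>/cert.pem) and the controller on port 8443.
Standard library only.
"""
import base64
import hashlib
import ssl
import sys


def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (upper-case hex, colon separated) of a PEM cert."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def keystore_is_current(lineage_cert_pem: str, served_pem: str) -> bool:
    """True if the controller serves exactly the cert certbot last issued."""
    return pem_fingerprint(lineage_cert_pem) == pem_fingerprint(served_pem)


def served_cert_pem(host: str = "127.0.0.1", port: int = 8443) -> str:
    """Fetch the leaf certificate the controller presents, as PEM.
    No chain validation is done on purpose: we want to know *which* cert
    is served, not whether the local trust store accepts it."""
    return ssl.get_server_certificate((host, port))


def constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block. Constructed test data only:
    not a real X.509 certificate, but it takes the same decode-and-hash path."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "unifi.some.where"
    with open(f"/etc/letsencrypt/live/{domain}/cert.pem") as f:
        expected = f.read()
    if keystore_is_current(expected, served_cert_pem()):
        print("OK: controller serves the current Let's Encrypt certificate")
    else:
        print("STALE: keystore does not match cert.pem; re-run the deploy hook")
        sys.exit(1)
```

Run it from cron after the renewal window and a non-zero exit tells you the keystore fell behind the lineage.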
Closing notes
This is mostly written as a reminder for myself. Hopefully it’ll help someone.
I haven't tested how resilient this is when, for example, upgrading the unifi controller. Possibly one needs to touch /etc/letsencrypt/live/${CERTBOT_DOMAIN}/cert.pem and run the hook manually after the upgrade for the cert to keep the keystore fresh. I've seen it happen in other places using keystores.
amavisd-new on Ubuntu 14.04 (trusty)
If you get anything like this in your syslog:
Dec 27 20:35:36 web2 amavis[4216]: (!!)TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?
Dec 27 20:35:36 web2 amavis[4216]: (!)_DIE: Suicide () TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?
Then add amavis to the clamav group and restart amavis to get it working again. Easy to see from the error log, right?
sudo adduser amavis clamav
sudo service amavis restart
Civilization IV: Colonization vs Mac OS X Yosemite
In short, Colonization has dependencies on Python 2.3 (or maybe 2.5, or both; nobody seems quite sure at the moment, and both seem to be needed for all Civ IV games/mods to play nicely). Yosemite doesn't ship that old software anymore.
This fix uses third-party Python frameworks/libraries/etc. Use at your own risk!
http://pcgamingwiki.com/wiki/Civilization_IV#Failed_Initializing_Python
Lubuntu 14.04 and nice to haves
While installing Lubuntu 14.04 on my laptop I found out the hard way about a bug in the installer regarding encrypted hard drives. To get around it you need to boot from the CD/USB and choose to try Lubuntu, open a terminal and run
# sudo swapoff -a
and then start the install. You need to do this before starting the install, since the installer remembers certain errors between runs unless you reboot in between.
PPAs and other repos I like to add on newly installed systems:
Additionally I like to install git, guake, vim-nox and a few other tidbits.
More on Unifi and their APs
A follow-up on my last post about my Unifi setup. I bought a new home server recently and wanted to move the controller. I took the quickest route: backed up my settings on the old controller, installed the new one, imported the settings into the new one, migrated the APs to the new controller and voilà, everything worked. Below are a few of my notes on how to install the controller and migrate the APs.
Installing on Ubuntu 12.04 and later:
Add to /etc/apt/sources.list.d/unifi:
## Ubuntu
deb http://www.ubnt.com/downloads/unifi/distros/deb/ubuntu ubuntu ubiquiti
Add the repo key:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50
Install:
sudo apt-get update
sudo apt-get install unifi
Connect to https://<ip-of-unifi-controller>:8443 and go through the getting started guide.
Migrating APs
If you, like me, had APs from another controller, you need to ssh into them with the same user/password you had for their last controller and run the command:
set-inform http://<ip-of-unifi-controller>:8080/inform
Unifi stable, rapid and beta
Oh, and as a side note: it's also possible to install unifi-rapid for more/newer features on both controller and APs, and unifi-beta for the fearless...
UniFi AP Pro and controller
I recently got myself two UniFi AP Pros. While getting them installed, which requires a Java-based controller software installed on a computer, I found a couple of problems. The foremost was that the controller didn't start. After having a look at the unifi logs (/var/log/unifi/server.log on Ubuntu 12.04) I found out that it tried to use an already allocated port (8081). I had to change that port number both in /usr/lib/unifi/data/system.properties and /usr/lib/unifi/etc/system.properties for the change to take effect. Sadly the server didn't understand changing the binding IP, even when changed in those two files, but rather listens on 0.0.0.0. Firewall away and debug more another day...
Unbound in Halon Security Router
Being who I am, I wanted to run Unbound on my installation of Halon Security Router. It turned out to be a bit fiddly, since the system boots clean of all previous changes (I like the security), but there is support for getting certain kinds of changes in anyway. I have of course exploited that to put together an installation script that installs Unbound at every boot.
The result is on GitHub.
Install Oracle Java 7 in Ubuntu
http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html
Mac OS X Lion SSD tweaks
A couple of tweaks for the Mac OS X Lion users out there. Since Apple doesn't support TRIM on anything but their own drives (cheap b...), and a couple of default settings make more sense when running a hard drive with spinning discs, here are the tips I followed: