Let’s Encrypt, Ubuntu, Certbot and the Unifi Controller
For the sake of this post, let's assume you're running a quite minimal install of Ubuntu 18.05 Bionic Beaver and have installed your Unifi Controller with the script from Glenn Rietveld.
Install certbot
Follow the official instructions. They're good. In short, it's just the following steps:
$ sudo apt install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo apt install python3-certbot-nginx
Create renew-hook for the Unifi Controller
Create the script /etc/letsencrypt/renewal-hooks/deploy/import-to-unifi
#!/bin/bash
# certbot deploy hook: imports the renewed Let's Encrypt certificate into the
# Unifi keystore. The file must be executable (chmod +x) for certbot to run it.
# certbot exports RENEWED_LINEAGE (the live directory of the renewed certificate)
# when it runs deploy hooks. If you run this hook by hand, or want to pin it to
# one certificate, uncomment the following line and adjust it to your
# controller's domain name instead.
#CERTBOT_DOMAIN=unifi.some.where
set -e
LE_LIVE=/etc/letsencrypt/live
UNIFI_KEYSTORE=/var/lib/unifi/keystore
LINEAGE="${RENEWED_LINEAGE:-${LE_LIVE}/${CERTBOT_DOMAIN:?set CERTBOT_DOMAIN or run via certbot}}"
# Only re-import when the certificate is newer than the keystore.
if [ "${LINEAGE}/cert.pem" -nt "${UNIFI_KEYSTORE}" ]; then
    WORKDIR=$(mktemp -d)
    trap 'rm -rf "${WORKDIR}"' EXIT
    # Bundle private key and full chain into a PKCS#12 file that keytool can import.
    openssl pkcs12 -export \
        -inkey "${LINEAGE}/privkey.pem" -in "${LINEAGE}/fullchain.pem" \
        -out "${WORKDIR}/cert.p12" -name unifi -password pass:temppass
    # Keep a timestamped backup of the old keystore before replacing the alias.
    cp "${UNIFI_KEYSTORE}" "${UNIFI_KEYSTORE}-$(date +%s)"
    # 'aircontrolenterprise' is the Unifi controller's default keystore password.
    keytool -importkeystore \
        -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
        -destkeystore "${UNIFI_KEYSTORE}" \
        -srckeystore "${WORKDIR}/cert.p12" -srcstoretype PKCS12 -srcstorepass temppass \
        -alias unifi -noprompt
    systemctl restart unifi.service
fi
Run certbot the first time
$ certbot --nginx
# Answer the questions as needed
Verify everything worked
$ echo "" | openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = unifi.some.where
verify return:1
---
[...]
Closing notes
This is mostly written as a reminder for myself. Hopefully it’ll help someone.
I haven’t tested how resilient this is when for example upgrading the Unifi controller. Possibly one needs to touch /etc/letsencrypt/live/${CERTBOT_DOMAIN}/cert.pem and run the hook manually after the upgrade for the cert to keep the keystore fresh. I’ve seen it happen in other places using keystores.
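The check above only shows the chain once; the closing note raises the question of whether the keystore is still fresh later on. The script below, an added example that is not part of the original post, puts both checks into a small script: it compares the SHA-256 fingerprint of the Let's Encrypt cert.pem with the certificate the controller actually serves on port 8443, warns when the keystore is older than cert.pem (the stale-after-upgrade case), and warns when the certificate is close to expiry. The domain argument, the 127.0.0.1:8443 default and the 14-day threshold are assumptions; the paths are the ones used in the hook.

```shell
#!/bin/bash
# Added example (not from the original post): verify that the Unifi controller
# serves the current Let's Encrypt certificate and that the keystore is fresh.
# Usage: ./unifi-cert-check.sh unifi.some.where [host:port]
set -u

LE_LIVE="/etc/letsencrypt/live"
UNIFI_KEYSTORE="/var/lib/unifi/keystore"

# SHA-256 fingerprint of a PEM certificate file, e.g. AB:CD:...
fingerprint_of_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate presented by a TLS server ($1=host:port, $2=SNI name).
fingerprint_of_server() {
    echo "" | openssl s_client -connect "$1" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# True when two fingerprints are equal, ignoring hex case.
fingerprints_match() {
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# True when the keystore ($2) is missing or older than the cert file ($1),
# i.e. the deploy hook has not imported the current certificate.
keystore_is_stale() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# True when the certificate in $1 expires within $2 days.
# openssl -checkend exits 0 only if the cert is still valid after that many seconds.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

main() {
    domain="$1"
    controller="$2"
    cert="${LE_LIVE}/${domain}/cert.pem"
    rc=0
    want="$(fingerprint_of_file "$cert")" || { echo "cannot read $cert"; return 2; }
    got="$(fingerprint_of_server "$controller" "$domain")"
    if fingerprints_match "$want" "$got"; then
        echo "OK: $controller serves the Let's Encrypt certificate ($want)"
    else
        echo "MISMATCH: live cert is $want, $controller serves $got"
        rc=1
    fi
    if keystore_is_stale "$cert" "$UNIFI_KEYSTORE"; then
        echo "WARNING: $UNIFI_KEYSTORE is older than $cert; run the deploy hook"
        rc=1
    fi
    if expires_within_days "$cert" 14; then
        echo "WARNING: $cert expires within 14 days; check 'certbot renew'"
        rc=1
    fi
    return $rc
}

# Run the checks only when a domain is given on the command line.
if [ $# -ge 1 ]; then
    main "$1" "${2:-127.0.0.1:8443}"
fi
```

Running it from cron with the controller's domain gives a non-zero exit when the served certificate and the Let's Encrypt one diverge, which is exactly what happens when an upgrade replaces the keystore; the mtime test is the same `-nt` comparison the hook uses, so the two agree on what "fresh" means.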
amavisd-new on Ubuntu 14.04 (trusty)
If you get anything like this in your syslog:
Dec 27 20:35:36 web2 amavis[4216]: (!!)TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?
Dec 27 20:35:36 web2 amavis[4216]: (!)_DIE: Suicide () TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?
Then add amavis to the clamav group and restart amavis to get it working again. Easy to see from the error log, right?
sudo adduser amavis clamav
sudo service amavis restart
More on Unifi and their APs
A follow-up on my last post about my Unifi setup. I bought a new home server recently and wanted to move the controller. I took the quickest route and backed up my settings on the old controller, installed the new one, imported the settings into the new one, migrated the APs to the new controller and voilà, everything worked. Below are a few of my notes on how to install the controller and migrate the APs.
Installing on Ubuntu 12.04 and later:
Add to /etc/apt/sources.list.d/unifi:
## Ubuntu
deb http://www.ubnt.com/downloads/unifi/distros/deb/ubuntu ubuntu ubiquiti
Add the repo key:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50
Install:
sudo apt-get update
sudo apt-get install unifi
Connect to https://<ip-of-unifi-controller>:8443 and go through the getting started guide.
Migrating APs
If you, like me, had APs from another controller, you need to ssh into them with the same user/password you had for their last controller and run the command:
set-inform http://<ip-of-unifi-controller>:8080/inform
Unifi stable, rapid and beta
Oh, and as a side note: it's also possible to install unifi-rapid for more/newer features on both the controller and the APs, and unifi-beta for the fearless...
Unbound in Halon Security Router
Being the way I am, I wanted to run Unbound on my Halon Security Router installation. It turned out to be a bit fiddly, since the system boots clean of all previous changes (I like the security), but there is support for getting certain kinds of changes in anyway. Naturally, I exploited that to put together an install script that installs Unbound at every boot.
The result is on github.
Install Oracle Java 7 in Ubuntu
http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html
6 Ways To Kill Your Servers – Learning How To Scale The Hard Way
Good article over at HighScalability.com about what happens when a coder, even an experienced one, has to scale out a web site under time pressure.
The most important lessons in my opinion are caching, tweaking configuration and stress testing.