fluffigt.com *poof* said fluff….

11 Jul 2019

Let’s Encrypt, Ubuntu, Certbot and the Unifi Controller

For the sake of this post, let's assume you're running a fairly minimal install of Ubuntu 18.04 Bionic Beaver and have installed your Unifi Controller with the script from Glenn Rietveld.

Install certbot

Follow the official instructions. They're good. On Ubuntu 18.04 at the time of writing it was just the following steps (the certbot PPA has since been retired in favour of the snap package, so check the current instructions before copying these):

$ sudo apt install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo apt install python3-certbot-nginx

Create renew-hook for the Unifi Controller

Create the script /etc/letsencrypt/renewal-hooks/deploy/import-to-unifi and make it executable (chmod +x). certbot runs every executable in that directory after a successful renewal and exports RENEWED_LINEAGE (the live directory of the certificate that was just renewed) and RENEWED_DOMAINS to it, so the script uses those instead of guessing a path. Note that aircontrolenterprise is the controller's well-known default keystore password; the keystore password protects nothing, the file permissions on /var/lib/unifi do.

#!/bin/bash
set -euo pipefail

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/unifi.some.where)
# and RENEWED_DOMAINS to deploy hooks. If this server has more than one
# certificate, uncomment and set UNIFI_DOMAIN so the hook only reacts to the
# controller's certificate (this also lets you run the script by hand).
#UNIFI_DOMAIN=unifi.some.where

LE_LIVE=/etc/letsencrypt/live
UNIFI_KEYSTORE=/var/lib/unifi/keystore
STOREPASS=aircontrolenterprise   # the controller's default keystore password

if [ -n "${UNIFI_DOMAIN:-}" ]; then
	case " ${RENEWED_DOMAINS:-${UNIFI_DOMAIN}} " in
		*" ${UNIFI_DOMAIN} "*) ;;
		*) exit 0 ;;    # some other certificate was renewed, nothing to do
	esac
	LINEAGE="${LE_LIVE}/${UNIFI_DOMAIN}"
else
	LINEAGE="${RENEWED_LINEAGE:?run as a certbot deploy hook or set UNIFI_DOMAIN}"
fi

# Only touch the keystore when the certificate is newer than it
if [ "${LINEAGE}/cert.pem" -nt "${UNIFI_KEYSTORE}" ]; then
	WORKDIR=$(mktemp -d)
	trap 'rm -rf "${WORKDIR}"' EXIT
	# keytool cannot read PEM, so bundle key and full chain into a PKCS#12 first
	openssl pkcs12 -export -inkey "${LINEAGE}/privkey.pem" -in "${LINEAGE}/fullchain.pem" \
		-out "${WORKDIR}/cert.p12" -name unifi -password pass:temppass
	# keep a timestamped copy so a bad import can be rolled back
	cp "${UNIFI_KEYSTORE}" "${UNIFI_KEYSTORE}-$(date +%s)"
	keytool -importkeystore -deststorepass "${STOREPASS}" -destkeypass "${STOREPASS}" \
		-destkeystore "${UNIFI_KEYSTORE}" -srckeystore "${WORKDIR}/cert.p12" \
		-srcstoretype PKCS12 -srcstorepass temppass -alias unifi -noprompt
	systemctl restart unifi.service
fi

Run certbot the first time

$ sudo certbot --nginx
# Answer the questions as needed

If the controller still presents its self-signed certificate afterwards, run the hook once by hand with the controller's domain set in the script.

Verify everything worked

$ echo "" | openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = unifi.some.where
verify return:1
---
[...]
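The s_client output above only shows that some valid certificate is being served. A more useful check after a renewal is to confirm that the leaf on :8443 is byte-for-byte the cert.pem certbot just wrote (i.e. that the keystore import actually happened), that the chain and host name verify, and how long the certificate has left, which catches exactly the stale-keystore case the closing notes worry about. The following stdlib-only script is an added example, not code from this post, certbot or Ubiquiti; the host name unifi.some.where, the certificate path and the 14-day threshold are assumptions to adjust:

```python
#!/usr/bin/env python3
"""Post-renewal check for a UniFi controller behind certbot (stdlib only).

Checks three things: the leaf served on :8443 is the same certificate as
cert.pem in /etc/letsencrypt/live, the chain and host name verify against the
system trust store, and the certificate is not about to expire.
The default host, path and threshold below are assumptions; adjust them.
"""
import base64
import hashlib
import socket
import ssl
import sys
import time

DEFAULT_HOST = "unifi.some.where"                                  # assumption
DEFAULT_CERT = "/etc/letsencrypt/live/unifi.some.where/cert.pem"   # assumption
MIN_DAYS_LEFT = 14                                                 # assumption


def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in a PEM string.

    Taking the first block means fullchain.pem yields the leaf, which is the
    certificate the controller must present.
    """
    body, inside = [], False
    for line in pem.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            if inside:
                break
        elif inside:
            body.append(line.strip())
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl and keytool print."""
    hexdigest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def same_certificate(served_pem: str, expected_pem: str) -> bool:
    """True when the served leaf is byte-for-byte the certificate in cert.pem."""
    return fingerprint(served_pem) == fingerprint(expected_pem)


def days_left(not_after: str, now=None) -> float:
    """Days until the 'notAfter' value from getpeercert(), e.g. 'Oct  9 12:00:00 2019 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return (expiry - (time.time() if now is None else now)) / 86400.0


def served_leaf(host: str, port: int = 8443) -> str:
    """PEM of the leaf the server presents, fetched WITHOUT verification so this
    also works while the controller still serves its self-signed default."""
    return ssl.get_server_certificate((host, port))


def verified_not_after(host: str, port: int = 8443) -> str:
    """Handshake with chain and host-name verification (what 'verify return:1'
    in the s_client output means) and return the leaf's notAfter string."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    cert_path = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_CERT
    with open(cert_path) as fh:
        expected = fh.read()
    served = served_leaf(host)
    print("served  :", fingerprint(served))
    print("cert.pem:", fingerprint(expected))
    if not same_certificate(served, expected):
        print("MISMATCH: the keystore was not updated; run the deploy hook by hand")
        sys.exit(1)
    try:
        remaining = days_left(verified_not_after(host))
    except (ssl.SSLError, ssl.CertificateError) as err:
        print("chain does not verify:", err)
        sys.exit(1)
    print("chain verifies, %.1f days left" % remaining)
    sys.exit(0 if remaining > MIN_DAYS_LEFT else 2)
```

Run it as python3 check-unifi-cert.py unifi.some.where from cron after certbot renew; exit status 1 means the served certificate does not match cert.pem or the chain does not verify, 2 means it is close to expiry. Use the real host name rather than 127.0.0.1 so the verified handshake can check the name in the certificate.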

Closing notes

This is mostly written as a reminder for myself. Hopefully it’ll help someone. 

I haven’t tested how resilient this is when, for example, upgrading the Unifi controller. Possibly one needs to touch /etc/letsencrypt/live/${CERTBOT_DOMAIN}/cert.pem and run the hook manually after the upgrade to keep the keystore fresh. I’ve seen it happen in other places using keystores.

27 Dec 2014

amavisd-new on Ubuntu 14.04 (trusty)

If you get anything like this in your syslog:

Dec 27 20:35:36 web2 amavis[4216]: (!!)TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?
Dec 27 20:35:36 web2 amavis[4216]: (!)_DIE: Suicide () TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?

Then add amavis to the clamav group and restart amavis to get it working again. Easy to see from the error log, right?

sudo adduser amavis clamav
sudo service amavis restart

30 Mar 2014

More on Unifi and their APs

A follow-up to my last post about my Unifi setup. I bought a new home server recently and wanted to move the controller. I took the quickest route: backed up my settings on the old controller, installed the new one, imported the settings into the new one, migrated the APs to the new controller and voilà, everything worked. Below are a few of my notes on how to install the controller and migrate the APs.

Installing on Ubuntu 12.04 and later:

Add to /etc/apt/sources.list.d/unifi.list (apt ignores files in that directory without a .list suffix):

## Ubuntu
deb http://www.ubnt.com/downloads/unifi/distros/deb/ubuntu ubuntu ubiquiti

Add the repo key:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50

Install:

sudo apt-get update
sudo apt-get install unifi

Connect to https://<ip-of-unifi-controller>:8443 and go through the getting started guide.

Migrating APs

If you, like me, had APs from another controller, you need to ssh into them with the same user/password you had for their last controller and run the command:

set-inform http://<ip-of-unifi-controller>:8080/inform

On newer AP firmware the command lives in the management CLI, so enter mca-cli first and then run set-inform there. The AP then shows up in the new controller as pending adoption.

Unifi stable, rapid and beta

Oh, and as a side note: it's also possible to install unifi-rapid for more/newer features on both controller and APs, and unifi-beta for the fearless...

28 Jun 2013

Unbound on the Halon Security Router

Being the way I am, I wanted to run Unbound on my Halon Security Router installation. It turned out to be a bit fiddly, since the system boots clean from all previous changes (I like the security), but there is support for getting certain kinds of changes in anyway. Naturally I exploited that to put together an install script that installs Unbound on every boot.

The result is on github.

14 Mar 2013

Install Oracle Java 7 in Ubuntu

http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html

16 Sep 2010

6 Ways To Kill Your Servers – Learning How To Scale The Hard Way

Good article over at HighScalability.com about what happens when a coder, even an experienced one, has to scale out a web site under time pressure.

The most important lessons in my opinion are caching, tweaking configuration and stress testing.