Comments (5)
True to form, I started tinkering with it before waiting.
Here's what I found:
- This comment suggested that `unifi-os restart` was insufficient to deploy the RADIUS cert. I found the same result. It appears a different command or full reboot is needed.
- My iOS device required me to trust the untrusted Let's Encrypt certificate.
- My Mac also required me to trust the untrusted Let's Encrypt certificate AND indicated that the root and intermediate R3 Certificates had expired.
- If I use the `${ACMESH_ROOT}/${ACME_CERT_NAME}/fullchain.cer` instead of the `${ACMESH_ROOT}/${ACME_CERT_NAME}/${ACME_CERT_NAME}.cer` for my `/mnt/data/udapi-config/raddb/certs/server.pem`, my Mac doesn't complain about the R3 Certificate being expired.
I would like for
- the iOS device to trust the certificate by default, but I don't think that's possible without deploying some sort of MDM profile where I configure my device to trust this cert.
- the renewal script to trigger a restart of whatever service handles the deployment of the RADIUS cert. I have maxed out my Let's Encrypt renewals via testing, but I wonder if `radiusd restart` or `podman restart unifi-os` might do the job?
from ubios-cert.
Thank you for spending your time on debugging this. Not having any documentation by Ubiquiti does not help...
Layman speaking here, doing his best to get it properly working... it seems the certificate chain is flawed and needs to be fixed. It should be
Root Certificate <-- CA certificate <-- server certificate where "<--" means "is trusted by...".
`/mnt/data/udapi-config/raddb/certs/server.pem` is the server certificate (for my device udmpro.domain.tld) and `/mnt/data/udapi-config/raddb/certs/ca.pem` will be the "intermediate certification authority" / CA certificate, which needs trust by the Root Certificate. That seems broken right now, so we have to manually trust the server certificate (which we do not want).
`fullchain.cer` does contain all three certificates, but actually here you may have hit a trap, as on my system the root from `fullchain.cer` shows as "expired" as well: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ (well, why make life easy). Maybe you "fixed" that by setting the trust level to "trusted" during your debugging efforts.
When I link to the unifi-os container and look into `/etc/ca-certificates.conf`, it seems that `mozilla/ISRG_Root_X1.crt` gets preinstalled as a trusted root certificate. So that should be fine.
The created `ca.cer` ("R3") cert links to http://x1.letsencr.org where a proper, current, working root certificate is stored.
So we should be OK by putting the intermediate cert in the right place and getting the RADIUS server to reload.
I will have a look at that over the next days.
from ubios-cert.
That's really interesting. By the way, I am in no rush to resolve this; this is just a fun sidequest for me.
I did not trust the expired R3 DST certificates on my Mac (it would not have helped anyway because it was expired).
However, when I inspected my `${ACMESH_ROOT}/${ACME_CERT_NAME}/fullchain.cer` on https://tools.keycdn.com/ssl, it appears to be linked to the expired DST certificate in the link you referenced:
Intermediate certificate required. Unable to get issuer certificate.
- Subject CN: unifi.domain.tld > Issuer CN: R3
- Subject CN: R3 > Issuer CN: ISRG Root X1
- Subject CN: ISRG Root X1 > Issuer CN: DST Root CA X3
The only R3 certificate I have on my Mac is the one that expires Monday, September 15, 2025, so I'm not sure how using `fullchain.cer` as my `/mnt/data/udapi-config/raddb/certs/server.pem` caused my Mac to present the correct root CA instead of the expired one.
Here's Apple's official explanation why iOS devices will not automatically trust RADIUS certificates without deploying some sort of MDM profile (emphasis mine):
During the 802.1X negotiation, the RADIUS server presents its certificate to the device supplicant automatically. The RADIUS server certificate must be trusted by the supplicant by either anchoring trust to a particular certificate or to a list of expected hostnames matching the certificate’s host. Even when a certificate is issued by a known CA and listed in the trusted root store on the device, it must also be trusted for a particular purpose. In this case the server’s certificate must be trusted for the RADIUS service. This is done either manually, when joining an enterprise network as the user is prompted to trust the certificate for the connected Wi-Fi network, or in a configuration profile.
from ubios-cert.
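The checks the comments above are doing by hand (which root the `fullchain.cer` ends at, whether anything in it has already expired, and whether the leaf verifies without help from the system trust store) as one script. This is an added example and not code from ubios-cert or acme.sh; it assumes a POSIX sh with awk, sed and an OpenSSL 1.1.0 or newer CLI (for `-no-CAfile`/`-no-CApath`), and the only paths it mentions are the ones already named in the thread. Run against a Let's Encrypt `fullchain.cer`, `chain_anchor` prints `DST Root CA X3` for the long (cross-signed) chain and `ISRG Root X1` for the short chain; acme.sh can request the short chain with `--preferred-chain "ISRG Root X1"` on versions that support that option.

```shell
#!/bin/sh
# Added example, not part of ubios-cert. Inspects a PEM bundle such as
# ${ACMESH_ROOT}/${ACME_CERT_NAME}/fullchain.cer (leaf followed by chain)
# or /mnt/data/udapi-config/raddb/certs/server.pem and reports what a
# client will see. Needs only sh, awk, sed and the openssl CLI.

# Split a bundle into $2/cert01.pem, $2/cert02.pem, ... (bundle order is
# preserved) and print how many certificates were found.
split_bundle() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }' "$1"
}

# Common name from the subject ($2 = subject) or issuer ($2 = issuer) of one
# certificate; tolerates both the "CN = x" and the "/CN=x" output styles.
cn_of() {
    openssl x509 -in "$1" -noout -"$2" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# One line per certificate: "subject CN | issuer CN | notAfter", in bundle order.
chain_report() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp" >/dev/null
    for c in "$tmp"/cert*.pem; do
        printf '%s | %s | %s\n' "$(cn_of "$c" subject)" "$(cn_of "$c" issuer)" \
            "$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')"
    done
    rm -rf "$tmp"
}

# Issuer CN of the last certificate in the bundle, i.e. the trust anchor the
# chain expects the client to already hold. For Let's Encrypt, "DST Root CA X3"
# means the long (cross-signed) chain and "ISRG Root X1" the short chain.
chain_anchor() {
    tmp=$(mktemp -d)
    n=$(split_bundle "$1" "$tmp")
    cn_of "$(printf '%s/cert%02d.pem' "$tmp" "$n")" issuer
    rm -rf "$tmp"
}

# Succeeds only if every certificate in the bundle is still valid $2 seconds
# from now (0 = right now). An expired cross-signed root fails this check.
chain_valid_for() {
    tmp=$(mktemp -d); rc=0
    split_bundle "$1" "$tmp" >/dev/null
    for c in "$tmp"/cert*.pem; do
        openssl x509 -in "$c" -noout -checkend "$2" >/dev/null || rc=1
    done
    rm -rf "$tmp"
    return "$rc"
}

# Verify the first certificate using nothing but the rest of the bundle: the
# last certificate is the only trust anchor and the system store is ignored.
# A bundle whose last certificate is not self-signed (a cross-signed root)
# fails here with "unable to get issuer certificate", the keycdn symptom.
verify_with_bundle_only() {
    tmp=$(mktemp -d)
    n=$(split_bundle "$1" "$tmp")
    if [ "$n" -lt 2 ]; then rm -rf "$tmp"; return 1; fi
    anchor=$(printf '%s/cert%02d.pem' "$tmp" "$n")
    i=2
    while [ "$i" -lt "$n" ]; do
        cat "$(printf '%s/cert%02d.pem' "$tmp" "$i")" >>"$tmp/untrusted.pem"
        i=$((i + 1))
    done
    if [ "$n" -gt 2 ]; then
        openssl verify -no-CApath -no-CAfile -CAfile "$anchor" \
            -untrusted "$tmp/untrusted.pem" "$tmp/cert01.pem" >/dev/null 2>&1
    else
        openssl verify -no-CApath -no-CAfile -CAfile "$anchor" "$tmp/cert01.pem" >/dev/null 2>&1
    fi
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh chain-check.sh /mnt/data/udapi-config/raddb/certs/server.pem
if [ -n "${1:-}" ]; then
    chain_report "$1"
    echo "anchor the client must already trust: $(chain_anchor "$1")"
    chain_valid_for "$1" 0 && echo "no expired certificate in bundle" || echo "WARNING: bundle contains an expired certificate"
    verify_with_bundle_only "$1" && echo "leaf verifies with the bundle alone" || echo "leaf does NOT verify with the bundle alone"
fi
```

A bundle that reports `ISRG Root X1` as the anchor and verifies with the bundle alone is the one to copy into `server.pem`; an anchor of `DST Root CA X3` together with a failed expiry check is the combination that makes a Mac show the chain as expired.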
So we may be good as we have to "sign off" manually anyhow?? Also got this weird issue that freshly issued certificates carry the non-trusted issuer certificate (in fullchain.cer).
I may have found the trigger file to restart the RADIUS daemon: `/usr/sbin/rc.radiusd restart`. Need to investigate further.
Update: another thread to poke around... but this is for the USG and UDM-P differs a lot.
from ubios-cert.
Closing this issue; I have established a new issue #14 with a separate branch to deal with it.
from ubios-cert.