You can add the following to the Ansible config file “inventory/host_vars/matrix.yourdomain.com/vars.yml” to use a self-signed certificate. Only recommended for testing purposes.
matrix_ssl_retrieval_method: self-signed
The certificate does not match the expected identity of the site that it was retrieved from.
The server's identity does not match the identity in the certificate
Hostname in certificate didn't match
The reason for the above errors is that the email client is trying to use mail.mydomain.com while the email server is actually mail.emailserver.com.
So the email client pulls the certificate for mail.emailserver.com and reads that this certificate is for mail.emailserver.com, NOT for mail.mydomain.com. Hence the conflict, and it throws an error.
If you can, accepting the certificate should let everything work. It appears that on recent versions of iOS there may be some problems trusting it. The other workaround is to use the actual mail server hostname, mail.emailserver.com.
Open the Certificates window by going to /System -> Certificates. Click the + to add a new certificate.
First we are going to create a Certificate Authority template.
Set the key usage to “crl sign” and “key cert. sign” and apply.
Now we are going to create a server template.
Here we need to specify “Digital signature, key encipherment, and tls server”. You may need to enable or disable more depending on your use case; in this case we are setting it up for OpenVPN.
First we need to sign the ca-template by opening the certificate and clicking Sign on the right-hand side. A small Sign window should pop up.
Progress will show “done” when it has finished signing.
Next we need to sign the server-template. When signing the server template, specify the ca-template in the CA: field. See below.
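The two posts above look at the same thing from opposite ends: the RouterOS templates decide which key usages a CA and a server certificate carry, and the mail-client error shows what happens when the name a client connects to is not in the certificate it receives. The following is an added example of my own (not from either post, and not RouterOS code): it builds the same two-tier setup with openssl, a CA limited to “crl sign” and “key cert. sign” and a server certificate with digital signature, key encipherment and TLS server auth for mail.emailserver.com, then runs the hostname check a client performs against both names. It assumes openssl 1.1.1 or newer on the PATH (for -addext); all names are constructed.

```shell
#!/usr/bin/env bash
# Added example: the CA-template / server-template setup from the RouterOS post
# done with openssl, followed by the hostname check that produces the
# "Hostname in certificate didn't match" error from the mail-client post.
# All names are constructed; assumes openssl >= 1.1.1 (for -addext).
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_pki <server-name>: build a CA limited to signing certificates and CRLs,
# then a server certificate for <server-name> with digitalSignature,
# keyEncipherment and the TLS server extended key usage.
make_pki() {
  local server_name="$1"

  # CA template: keyUsage = cRLSign, keyCertSign only (no TLS usages at all).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=example-ca" \
    -addext "keyUsage=critical,cRLSign,keyCertSign" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # Server template: a CSR for the service name ...
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$server_name" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

  # ... signed by the CA, with the server usages attached as v3 extensions.
  # The subjectAltName is what a client compares the connected hostname to.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$server_name" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# has_usage <cert> <text>: 0 if the decoded certificate lists <text>
# (e.g. "Certificate Sign", "TLS Web Server Authentication").
has_usage() {
  openssl x509 -in "$1" -noout -text | grep -- "$2" >/dev/null
}

# verify_for_host <name>: 0 if server.crt chains to the CA and is valid for
# <name>, the host the client connected to; 1 otherwise. This is the same
# check a mail client makes, and the one that fails when it connects to
# mail.mydomain.com but receives the certificate for mail.emailserver.com.
verify_for_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

make_pki mail.emailserver.com
has_usage "$WORK/ca.crt" "Certificate Sign" && echo "CA template: certificate signing usage present"
has_usage "$WORK/server.crt" "TLS Web Server Authentication" && echo "server template: TLS server usage present"
verify_for_host mail.emailserver.com && echo "mail.emailserver.com: certificate accepted"
verify_for_host mail.mydomain.com || echo "mail.mydomain.com: hostname mismatch (the mail client's error)"
```

The last two lines are the whole point of the mail-client post: the same certificate passes for the name it was issued for and fails for any other name, regardless of how well it chains to the CA. "Accepting" the certificate in a client is telling it to ignore that second check.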
On Windows you can use the CertUtil utility to verify an ISO image.
First, you’ll need the checksum of the ISO. It should be on the page where you downloaded the ISO. More info about that here.
Next, generate the hash by running the following in a command prompt. Replace the path and ISO name with the one you downloaded.
certutil -hashfile Downloads\ubuntu-19.04-live-server-amd64.iso sha256
Example output
SHA256 hash of Downloads\ubuntu-19.04-live-server-amd64.iso:
25d483341ccd0d522a6660b00db933787c86c47b42f1845bcf997127f4b61e9d
CertUtil: -hashfile command completed successfully.
Compare the output with the checksum. If they are the same, you should be good to go.
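Comparing 64 hex digits by eye is where this step usually goes wrong. The following is an added example, not part of the original post: the same comparison done by a script, using sha256sum from GNU coreutils as the Linux counterpart of certutil -hashfile. The sample file and its “published” hash are constructed so that it runs offline; substitute the ISO path and the checksum from the download page.

```shell
#!/usr/bin/env bash
# Added example: compare a downloaded image's SHA-256 with the published
# checksum by script instead of by eye (sha256sum from GNU coreutils as the
# Linux counterpart of certutil -hashfile). The sample file and its
# "published" hash below are constructed so the example runs offline.
set -euo pipefail

# verify_sha256 <file> <expected-hex>
# 0 if the SHA-256 of <file> equals <expected-hex>, 1 on mismatch, 2 if the
# expected value is not a SHA-256 at all (e.g. a truncated copy-paste).
# Whitespace and upper-case hex, as often pasted from a download page, are
# normalised before comparing.
verify_sha256() {
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')"
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "verify_sha256: expected value is not a 64-digit hex SHA-256" >&2
    return 2
  fi
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published checksum"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Constructed sample: the SHA-256 of the 5 bytes "hello", written the way a
# download page might print it (upper case, trailing space).
SAMPLE="$(mktemp)"
printf 'hello' > "$SAMPLE"
PUBLISHED="2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824 "
verify_sha256 "$SAMPLE" "$PUBLISHED"

# A single changed byte is enough to fail the check.
printf 'hellp' > "$SAMPLE"
verify_sha256 "$SAMPLE" "$PUBLISHED" || echo "rejected, as it should be (rc=$?)"
rm -f "$SAMPLE"
```

The length check matters more than it looks: a checksum that was truncated while copying would otherwise produce a “mismatch” that tempts people to re-download rather than re-copy.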
The following script was taken from here
Added unifi-video support. Script uses letsencrypt to get the cert and automatically updates the UniFi and UniFi-Video Keystores.
It would be a good idea to check and make sure the UniFi-Video cameras reconnect and still work after running the script.
Install Let’s Encrypt with the following
sudo apt install letsencrypt
And generate a cert for your domain with
sudo certbot certonly -d unifi.domain.com
Copy the script at the bottom of this post and put it in a file called gen-unifi-cert.sh
Run the script to insert the cert into the UniFi and UniFi-Video services.
sudo ./gen-unifi-cert.sh -e email@domain.com -d unifi.domain.com
You can run it with no arguments or with -h to show the available options and arguments.
./gen-unifi-cert.sh -h
You should be able to add the following to a cronjob to auto renew the certificate. Replace path to script and domain name.
30 2 * * * /root/gen-unifi-cert.sh -r -d unifi.domain.com
#!/usr/bin/env bash
# Added support to do UniFi and UniFi-Video controllers at the same time using the same cert.
# Original script from https://git.sosdg.org/brielle/lets-encrypt-scripts/raw/branch/master/gen-unifi-cert.sh
# More info here https://www.reddit.com/r/Ubiquiti/comments/43v23u/using_letsencrypt_with_the_unifi_controller/
# Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
# Modified by: Brielle Bruns <bruns@2mbit.com>
# Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
# Version: 1.7
# Last Changed: 09/26/2018
# 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
# 02/27/2016: More verbose progress report
# 03/08/2016: Add renew option, reformat code, command line options
# 03/24/2016: More sanity checking, embedding cert
# 10/23/2017: Apparently don't need the ace.jar parts, so disable them
# 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth
# 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
# 09/26/2018: Change from TLS to HTTP authenticator

# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
#LEBINARY="/usr/src/letsencrypt/certbot-auto"

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

function usage() {
    echo "Usage: $0 -d <domain> [-e <email>] [-r] [-i]"
    echo "  -d <domain>: The domain name to use."
    echo "  -e <email>: Email address to use for certificate."
    echo "  -r: Renew domain."
    echo "  -i: Insert only, use to force insertion of certificate."
}

while getopts "hird:e:" opt; do
    case $opt in
        i) onlyinsert="yes";;
        r) renew="yes";;
        d) domains+=("$OPTARG");;
        e) email="$OPTARG";;
        h) usage
           exit;;
    esac
done

DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot /usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot /usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt /usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto /usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto /usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto"

# Find the certbot/letsencrypt binary unless LEBINARY was set above.
if [[ ! -v LEBINARY ]]; then
    for i in ${DEFAULTLEBINARY}; do
        if [[ -x ${i} ]]; then
            LEBINARY=${i}
            echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
            break
        fi
    done
fi

# Command line options depending on New or Renew.
NEWCERT="--renew-by-default certonly"
RENEWCERT="-n renew"

# Check for required binaries. The lookups are quoted so that a missing
# binary (an empty result) fails the test instead of silently passing it.
if [[ ! -x "${LEBINARY}" ]]; then
    echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
    echo "You'll need to do one of the following:"
    echo "1) Change LEBINARY variable in this script"
    echo "2) Install LE manually or via your package manager and do #1"
    echo "3) Use the included get-letsencrypt.sh script to install it"
    exit 1
fi

if [[ ! -x "$(command -v keytool)" ]]; then
    echo "Error: Java keytool binary not found."
    exit 1
fi

if [[ ! -x "$(command -v openssl)" ]]; then
    echo "Error: OpenSSL binary not found."
    exit 1
fi

if [[ ! -z ${email} ]]; then
    email="--email ${email}"
else
    email=""
fi

shift $((OPTIND -1))

for val in "${domains[@]}"; do
    DOMAINS="${DOMAINS} -d ${val} "
done

MAINDOMAIN=${domains[0]}

if [[ -z ${MAINDOMAIN} ]]; then
    echo "Error: At least one -d argument is required"
    usage
    exit 1
fi

if [[ ${renew} == "yes" ]]; then
    LEOPTIONS="${RENEWCERT}"
else
    LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
fi

# Request (or renew) the certificate unless -i (insert only) was given.
if [[ ${onlyinsert} != "yes" ]]; then
    echo "Firing up standalone authenticator on TCP port 80 and requesting cert..."
    # The ACME v1 endpoint was retired in 2021; v2 is the current directory URL.
    ${LEBINARY} --server https://acme-v02.api.letsencrypt.org/directory \
        --agree-tos --standalone --preferred-challenges http ${LEOPTIONS}
fi

# Skip the keystore update when the cert has not changed, unless -i forces it.
if [[ ${onlyinsert} != "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then
    echo "Cert has not changed, not updating controller."
    exit 0
else
    echo "Cert has changed or -i option was used, updating controller..."
    TEMPFILE=$(mktemp)
    CATEMPFILE=$(mktemp)

    # Identrust cross-signed CA cert needed by the java keystore for import.
    # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
    # Note: this DST Root CA X3 certificate expired on 2021-09-30; if keytool
    # rejects the chain, replace it with the current Let's Encrypt root (ISRG Root X1).
    cat > "${CATEMPFILE}" <<'_EOF'
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
_EOF

    # Record the checksum of the cert we are installing, for the "unchanged" test on the next run.
    md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5"

    echo "Using openssl to prepare certificate..."
    cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}"
    openssl pkcs12 -export -passout pass:aircontrolenterprise \
        -in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \
        -inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \
        -out "${TEMPFILE}" -name unifi \
        -CAfile "${CATEMPFILE}" -caname root

    echo "Stopping Unifi and UniFi-Video controllers..."
    systemctl stop unifi unifi-video

    echo "Removing existing certificate from Unifi protected keystore..."
    keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise

    echo "Removing existing certificate from Unifi-Video protected keystore..."
    keytool -delete -alias unifi -keystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti

    echo "Inserting certificate into Unifi keystore..."
    keytool -trustcacerts -importkeystore \
        -deststorepass aircontrolenterprise \
        -destkeypass aircontrolenterprise \
        -destkeystore /usr/lib/unifi/data/keystore \
        -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
        -srcstorepass aircontrolenterprise \
        -alias unifi

    # following lines are needed for unifi-video
    echo "Inserting certificate into Unifi-Video keystore..."
    keytool -trustcacerts -importkeystore \
        -deststorepass ubiquiti \
        -destkeypass ubiquiti \
        -destkeystore /usr/lib/unifi-video/data/keystore \
        -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
        -srcstorepass aircontrolenterprise \
        -alias unifi

    rm -f "${TEMPFILE}" "${CATEMPFILE}"

    # Rename the old unifi-video truststore; the controller rebuilds it on start
    mv /usr/lib/unifi-video/data/ufv-truststore{,.old}

    sleep 5
    echo "Starting Unifi and UniFi-Video controllers..."
    systemctl start unifi unifi-video
    echo "Done!"
fi
I had an issue with the Let’s Encrypt cert for a UniFi-Video server. After renewing the cert and reimporting it into the UniFi-Video keystore, the certificate was still showing as out of date.
The issue ended up being on the certbot side.
When certbot runs it generates a new cert.pem, chain.pem, fullchain.pem and privkey.pem and puts them in the “/etc/letsencrypt/live/unifi.domain.com/” directory.
The privkey.pem and cert.pem are used to create the keys.p12 file, which gets imported into the UniFi-Video keystore.
It turns out the .pem files in “/etc/letsencrypt/live/unifi.domain.com/” are symbolic links to files in “/etc/letsencrypt/archive/unifi.domain.com/”.
Inspecting the archive directory showed multiple cert.pem and privkey.pem files, named cert1.pem, cert2.pem, cert3.pem and so on. Looking at the creation dates of the files revealed that the symbolic link was still pointing at the old “cert1.pem” file.
The workaround was to stop the unifi-video service and reimport the cert using the latest .pem files in the archive directory.
echo ubiquiti | openssl pkcs12 -export -inkey /etc/letsencrypt/archive/unifi.yourdomain.com/privkey2.pem -in /etc/letsencrypt/archive/unifi.yourdomain.com/cert2.pem -name airvision -out /usr/lib/unifi-video/data/keys.p12 -password stdin
echo y | keytool -importkeystore -srckeystore /usr/lib/unifi-video/data/keys.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti -srcstorepass ubiquiti
Remove the old ufv-truststore and start the service.
mv /usr/lib/unifi-video/data/ufv-truststore{,.old}
systemctl start unifi-video
Worked like a charm.
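The stale link can be detected before anything is imported, by resolving live/cert.pem and comparing it with the archive certificate that expires last. The following is an added check of my own, not part of the original post: it builds a fake certbot tree under a temporary directory with two constructed self-signed certificates (so it runs offline and touches nothing under /etc), links live/ to the older one the way the post describes, and reports the mismatch. It assumes openssl, GNU date and GNU readlink; the domain name is a placeholder and the directory layout mirrors certbot's live/ and archive/ convention.

```shell
#!/usr/bin/env bash
# Added example: detect a live/<domain>/cert.pem symlink that still points at
# an older certN.pem in archive/, the situation described in the post.
# The letsencrypt tree below is a constructed copy of certbot's layout under
# a temp dir; the certificates are throwaway self-signed ones.
# Assumes openssl, GNU date (-d) and GNU readlink (-f).
set -euo pipefail

ROOT="$(mktemp -d)"
trap 'rm -rf "$ROOT"' EXIT
DOMAIN="unifi.yourdomain.com"   # placeholder domain

# make_archive_cert <n> <days>: create archive/<domain>/cert<n>.pem and
# privkey<n>.pem, valid for <days> days (a later renewal expires later).
make_archive_cert() {
  local n="$1" days="$2"
  mkdir -p "$ROOT/archive/$DOMAIN" "$ROOT/live/$DOMAIN"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$DOMAIN" \
    -keyout "$ROOT/archive/$DOMAIN/privkey$n.pem" \
    -out "$ROOT/archive/$DOMAIN/cert$n.pem" 2>/dev/null
}

# link_live_to <n>: point live/ at archive number <n>, the way certbot does
# after a renewal (relative links, as certbot creates them).
link_live_to() {
  local n="$1"
  ln -sf "../../archive/$DOMAIN/cert$n.pem"    "$ROOT/live/$DOMAIN/cert.pem"
  ln -sf "../../archive/$DOMAIN/privkey$n.pem" "$ROOT/live/$DOMAIN/privkey.pem"
}

# Print the archive file live/cert.pem actually resolves to.
live_cert_target() {
  readlink -f "$ROOT/live/$DOMAIN/cert.pem"
}

# Print the archive cert with the latest notAfter, i.e. the one a renewal
# should have installed. Compared by expiry date rather than file name, so a
# cert1/cert2 numbering gap or a manually copied file does not fool it.
newest_archive_cert() {
  local best="" best_ts=0 f ts
  for f in "$ROOT/archive/$DOMAIN"/cert*.pem; do
    ts="$(date -d "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)" +%s)"
    if [ "$ts" -gt "$best_ts" ]; then best="$f"; best_ts="$ts"; fi
  done
  printf '%s\n' "$best"
}

# 0 if live/cert.pem already points at the newest archive cert, 1 if it is
# stale (the symptom from the post: an out-of-date cert after reimport).
live_link_is_current() {
  [ "$(live_cert_target)" = "$(readlink -f "$(newest_archive_cert)")" ]
}

# Demo: two renewals in the archive, live/ still on the first one.
make_archive_cert 1 30
make_archive_cert 2 90
link_live_to 1
if live_link_is_current; then
  echo "live/cert.pem points at the newest archive cert"
else
  echo "STALE: live/cert.pem -> $(live_cert_target)"
  echo "       newest archive cert is $(newest_archive_cert)"
fi
```

Run against a real installation, point ROOT at /etc/letsencrypt and DOMAIN at the controller's name; a "STALE" result means the p12 build should use the archive files (as the post does) or the links should be repaired before importing.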
Install certbot
sudo apt-get install python-certbot
Generate certificate. Change unifi.yourdomain.com to the domain name you have pointing to your UniFi-Video controller.
sudo certbot certonly -d unifi.yourdomain.com
Certbot will create the files in “/etc/letsencrypt/live/unifi.yourdomain.com/”
Now stop the unifi-video service.
systemctl stop unifi-video
The following two commands create and install the keystore for the UniFi-Video application. These commands were copied from here. Thanks scobber!
echo ubiquiti | openssl pkcs12 -export -inkey /etc/letsencrypt/live/unifi.yourdomain.com/privkey.pem -in /etc/letsencrypt/live/unifi.yourdomain.com/cert.pem -name airvision -out /usr/lib/unifi-video/data/keys.p12 -password stdin
echo y | keytool -importkeystore -srckeystore /usr/lib/unifi-video/data/keys.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti -srcstorepass ubiquiti
Remove or rename the Trusted Store. If you don’t, the cameras will connect, but will not record. The controller will rebuild the ufv-truststore when it starts up and the cameras will be able to record.
mv /usr/lib/unifi-video/data/ufv-truststore{,.old}
Start the UniFi-Video service
systemctl start unifi-video
Now you can check it by going to https://unifi.yourdomain.com:8443
Install mod_ssl
yum install mod_ssl -y
Create Directory for SSL key.
mkdir /etc/ssl/key
chmod 700 /etc/ssl/key
Create certificate.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
Fill out the info or what is applicable.
Now edit the LibreNMS Apache config file /etc/httpd/conf.d/librenms.conf
All you have to do is add the following three lines under the VirtualHost and change *:80 to *:443.
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
So when you’re finished the file should look like this.
<VirtualHost *:443>
    DocumentRoot /opt/librenms/html/
    ServerName server_hostname_or_IP
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    CustomLog /opt/librenms/logs/access_log combined
    ErrorLog /opt/librenms/logs/error_log
    AllowEncodedSlashes NoDecode
    <Directory "/opt/librenms/html/">
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
    </Directory>
</VirtualHost>
Don’t forget to allow https/port 443 traffic through the firewall. Guide here
If you have any issues, you may need to chmod the key and crt file.
chmod 644 /etc/pki/tls/certs/localhost.crt
chmod 644 /etc/pki/tls/private/localhost.key
You should now be able to access LibreNMS using https. Note, you’ll need to allow an exception in your browser for your self signed certificate.
https://LibreNMS_IP_Address
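The following is an added example, not part of the original post: the certificate step above as a script. It does two things the interactive openssl req command does not: it creates the key readable only by root (httpd reads it as root at startup, so nothing else needs access), and it puts the hostname in a subjectAltName, because current browsers ignore the CN and otherwise report a name mismatch on top of the self-signed warning. It also checks that the key and certificate belong together, a common reason httpd refuses to start after the config change. It writes to a temporary directory; on the server use the /etc/pki/tls paths from the post. It assumes openssl 1.1.1 or newer and GNU coreutils (stat -c); the hostname is constructed.

```shell
#!/usr/bin/env bash
# Added example: the LibreNMS self-signed certificate step, scripted so that
# the private key is never world-readable and the certificate carries a
# subjectAltName, plus a check that key and certificate pair up.
# Writes to a temp dir; on a real server substitute the /etc/pki/tls paths.
# Assumes openssl >= 1.1.1 (-addext) and GNU coreutils (stat -c).
set -euo pipefail

OUT="$(mktemp -d)"
trap 'rm -rf "$OUT"' EXIT

# make_selfsigned <hostname> <certfile> <keyfile>
# One-year self-signed cert for <hostname>, with the name in the SAN. The key
# is created under umask 077 (mode 0600); the certificate is public (0644).
make_selfsigned() {
  local host="$1" crt="$2" key="$3"
  ( umask 077
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 \
      -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
      -keyout "$key" -out "$crt" 2>/dev/null )
  chmod 644 "$crt"
}

# SHA-256 of the DER public key carried by a certificate / by a private key.
# Equal values mean the two belong together (mod_ssl refuses mismatched pairs).
pubkey_sha256_of_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1
}
pubkey_sha256_of_key() {
  openssl pkey -in "$1" -pubout -outform DER | sha256sum | cut -d' ' -f1
}

# cert_matches_key <cert> <key>: 0 if they pair, 1 otherwise.
cert_matches_key() {
  [ "$(pubkey_sha256_of_cert "$1")" = "$(pubkey_sha256_of_key "$2")" ]
}

# key_is_private <key>: 0 if the file is readable by its owner only.
key_is_private() {
  [ "$(stat -c %a "$1")" = "600" ]
}

# has_san <cert> <hostname>: 0 if <hostname> is a DNS entry in the SAN.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -- "DNS:$2" >/dev/null
}

# Demo with a constructed hostname.
make_selfsigned librenms.example.internal "$OUT/localhost.crt" "$OUT/localhost.key"
cert_matches_key "$OUT/localhost.crt" "$OUT/localhost.key" && echo "key and certificate match"
key_is_private "$OUT/localhost.key" && echo "key is mode 0600"
has_san "$OUT/localhost.crt" librenms.example.internal && echo "SAN present"
```

The pairing check is worth keeping around: when a key is regenerated later but the old certificate is left in place, httpd fails with a key/certificate mismatch at the next restart, and this one-liner pinpoints it faster than reading the error log.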