FN11 Jailed UniFi Controller with Let's Encrypt (iocage) 2018-01-04

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,466
The fundamental issue is that Unifi, like other Java software, can't deal with PEM-encoded certificates and keys directly--they have to be converted into a different format. So there are two things that need to be done:
  1. Get the cert, and
  2. Convert/import the cert
@kjake's script handles the second, while your chosen ACME client (he uses Dehydrated; I prefer acme.sh) does the first--and typically calls the script to do the second. So, either way, you'd want his deploy script (https://github.com/kjake/freenas-iocage-unifi/blob/master/bin/deploy.sh) somewhere in the jail and executable. Edit that script, adjusting CERTS and FQDN to match your environment. Then issue the cert--to do this with acme.sh using bash as the shell and Cloudflare for your DNS, you'd do:
Code:
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"
acme.sh --issue --dns dns_cf -d unifi.yourdomain.tld --reloadcmd /path/to/deploy.sh
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
Thank you danb! I have some questions:
Do I need to reinstall acme.sh in this iocage?

export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"
acme.sh --issue --dns dns_cf -d unifi.yourdomain.tld --reloadcmd /path/to/deploy.sh

In which file should I insert this code? Do I have to create one? If yes, as a .sh file?

Maybe these questions seem stupid to you, but I'm learning :)
thank you!
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,466
do i need to reinstall acme.sh in this iocage?
If you haven't already installed it there, you'll need to. curl https://get.acme.sh | sh.
In which file should I insert this code?
In no file; you'd run those commands at the shell prompt inside your jail. Again, that assumes that the root user in the jail is using bash (or zsh) for the shell, which probably isn't the case (run echo $SHELL inside the jail to see). If root is instead using csh, you'd replace the export commands with setenv: setenv CF_Email "xxxx@sss.com".
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
my result:

root@unifi:~ # echo $SHELL
/bin/csh
root@unifi:~ # export CF_Key = "............................................"
export: Command not found.
root@unifi:~ # setenv CF_Key = "............................................"
setenv: Too many arguments.
root@unifi:~ #
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,466

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
Yes danb, with setenv, CF_Email is correct, but with setenv CF_Key I have this notification: setenv: Too many arguments
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,466
The output you quoted above has an = after the CF_Key. That = shouldn't be there. setenv CF_Key "41D246C5FB74E81896119E61D9DE16E2 ".
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
okay! excellent :)
So, the process seems to have gone well, I had "success", but my https is still barred and, when I click on it to check the details, I have nothing... I don't understand why, yet everything is correct, and when I try to restart the certificate installation I have this:
[Wed May 22 21:37:27 CEST 2019] Domains not changed.
[Wed May 22 21:37:27 CEST 2019] Skip, Next renewal time is: Sun Jul 21 19:28:51 UTC 2019
[Wed May 22 21:37:27 CEST 2019] Add '--force' to force to renew.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,466
So you have issued the cert, but the deploy script hasn't imported it into Unifi, most likely because the cert and key aren't in the expected location. At this point, I'd delete lines 7 and 8 (the two if statements), make sure CERT points to the right directory, and make sure the paths on the openssl line go to the right place. Then just rerun the script.
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
Okay for the instructions, but now I have this error:
root@unifi:~ # acme.sh --force --issue --dns dns_cf -d unifi.allogeek.fr --reloadcmd unifi/root/dehydrated/deploy.sh
...
..
..
..
..
[Thu May 23 14:30:18 CEST 2019] Cert success.
-----BEGIN CERTIFICATE-----
...
..
..
..
..
..
-----END CERTIFICATE-----
[Thu May 23 14:30:18 CEST 2019] Your cert is in /root/.acme.sh/unifi.xxxx.fr/unifi.xxxx.fr.cer
[Thu May 23 14:30:18 CEST 2019] Your cert key is in /root/.acme.sh/unifi.xxxx.fr/unifi.xxxx.fr.key
[Thu May 23 14:30:18 CEST 2019] The intermediate CA cert is in /root/.acme.sh/unifi.xxxx.fr/ca.cer
[Thu May 23 14:30:18 CEST 2019] And the full chain certs is there: /root/.acme.sh/unifi.xxxx.fr/fullchain.cer
[Thu May 23 14:30:18 CEST 2019] Run reload cmd: unifi/root/dehydrated/deploy.sh
/root/.acme.sh/acme.sh: line 5090: unifi/root/dehydrated/deploy.sh: No such file or directory
[Thu May 23 14:30:18 CEST 2019] Reload error for :

The path is the good one, I don't understand..
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,466
The path is the good one
No, it isn't. A path will always start with a /. Edit: the path should start with a /, especially since renewals will run as an automated job in an unknown (perhaps undefined) working directory and $PATH. If you're running a command interactively (i.e., from a shell prompt), relative paths (i.e., those which don't start with a /) may work and give expected results. When it runs non-interactively, though, the results will probably be different.
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
oops... I will have to be patient I think! :rolleyes::D
root@unifi:~ # acme.sh --force --issue --dns dns_cf -d unifi.xxxx.fr --reloadcmd /etc/dehydrated/deploy.sh
[Thu May 23 17:39:42 CEST 2019] Single domain='unifi.xxxx.fr'
[Thu May 23 17:39:42 CEST 2019] Getting domain auth token for each domain
[Thu May 23 17:39:43 CEST 2019] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: unifi.xxxx.fr: see https://letsencrypt.org/docs/rate-limits/","status": 429
}
[Thu May 23 17:39:43 CEST 2019] Please add '--debug' or '--log' to check more details.
[Thu May 23 17:39:43 CEST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,466
You do not need to re-issue the cert in order to run the deploy script. You need to stop trying random things and think through, in an orderly fashion, what's going on. You now have five certs; you can use any one of them. Get the deploy script working. Once it successfully deploys, you can look at editing acme.sh's config files to call it the next time it issues your cert (in about two months).
 

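The two things that went wrong in this thread (a relative --reloadcmd path that acme.sh could not find, and a deploy script that never saw the cert files) are both catchable before the keystore is touched. The script below is an added example written for this thread; it is not kjake's deploy.sh and not acme.sh's own code. It assumes the acme.sh output file names printed above (<fqdn>.cer, <fqdn>.key, fullchain.cer); the UniFi keystore path, the "unifi" alias, the store password and the FreeBSD service name are assumptions to adjust for your jail, just like CERTS and FQDN in kjake's script.

```shell
#!/bin/sh
# Added example (not kjake's deploy.sh, not acme.sh code): pre-flight checks for a
# UniFi deploy script, plus the PEM -> PKCS12 -> Java keystore import they guard.
# Assumed: acme.sh file names <fqdn>.cer / <fqdn>.key / fullchain.cer in $CERTS;
# keystore location, alias, store password and rc service name are assumptions.
set -u

# 0 if $1 starts with /, 1 otherwise. Renewals run from cron with an unknown
# working directory and $PATH, so a relative path resolves elsewhere or nowhere.
is_absolute() {
  case "$1" in
    /*) return 0 ;;
    *)  return 1 ;;
  esac
}

# Validate what you hand to acme.sh --reloadcmd:
# rc 1 = not absolute, rc 2 = file missing, rc 3 = not executable, 0 = ok.
check_reloadcmd() {
  cmd="$1"
  if ! is_absolute "$cmd"; then
    echo "reloadcmd must be an absolute path, got: $cmd" >&2; return 1
  fi
  if [ ! -f "$cmd" ]; then
    echo "reloadcmd does not exist: $cmd" >&2; return 2
  fi
  if [ ! -x "$cmd" ]; then
    echo "reloadcmd is not executable (chmod +x it): $cmd" >&2; return 3
  fi
  return 0
}

# Validate that CERTS ($1) is absolute and holds the three files for FQDN ($2).
check_cert_files() {
  certs="$1"; fqdn="$2"
  if ! is_absolute "$certs"; then
    echo "CERTS must be an absolute path, got: $certs" >&2; return 1
  fi
  for f in "$certs/$fqdn.cer" "$certs/$fqdn.key" "$certs/fullchain.cer"; do
    if [ ! -r "$f" ]; then
      echo "missing or unreadable: $f" >&2; return 1
    fi
  done
  return 0
}

# The conversion Java needs: bundle fullchain + key into PKCS12, swap it into
# the UniFi keystore, restart the service. Runs only after the checks pass.
deploy_unifi_cert() {
  certs="$1"; fqdn="$2"
  keystore="${3:-/usr/local/share/java/unifi/data/keystore}"  # assumed path
  storepass="${4:-aircontrolenterprise}"                      # assumed default
  check_cert_files "$certs" "$fqdn" || return 1
  p12="$certs/unifi.p12"
  openssl pkcs12 -export -in "$certs/fullchain.cer" -inkey "$certs/$fqdn.key" \
    -name unifi -out "$p12" -passout "pass:$storepass" || return 1
  # Remove the old alias first; keytool refuses to overwrite an existing entry.
  keytool -delete -alias unifi -keystore "$keystore" -storepass "$storepass" \
    2>/dev/null || true
  keytool -importkeystore -noprompt -alias unifi \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$storepass" \
    -destkeystore "$keystore" -deststorepass "$storepass" \
    -destkeypass "$storepass" || return 1
  rm -f "$p12"
  service unifi restart   # assumed FreeBSD rc service name
}

# Interactive use: sh deploy.sh /root/.acme.sh/unifi.example.test unifi.example.test
if [ $# -ge 2 ]; then
  deploy_unifi_cert "$1" "$2"
fi
```

Run check_reloadcmd against the exact string you intend to pass to acme.sh; "unifi/root/dehydrated/deploy.sh" fails the first test immediately, which is the "No such file or directory" error above without the four wasted certificate issuances. Once the script deploys cleanly when run by hand, wire it in without re-issuing: acme.sh's --install-cert option (acme.sh --install-cert -d FQDN --reloadcmd /absolute/path/deploy.sh) records the command so the next renewal calls it.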
rio236

Dabbler
Joined
Aug 19, 2016
Messages
38
While looking for another resource, I came across this project page:
freenas-iocage-other - UNIFI SCRIPT

I get an error when installing the unifi script on FreeNAS-11.3-U5:
11.3-RELEASE
, please remove it.n unifi
Failed to create jail

I would appreciate any help.
Thank you in advance.
 