
FN11 Jailed UniFi Controller with Let's Encrypt (iocage) 2018-01-04

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
If the package isn't available yet, it isn't available. Be patient.


Sorry, I'm confused though, it's literally listed on the site, doesn't that mean it's available? I don't get how the ports thing works?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
The port is listed as updated. The package is built from the port and may not be ready yet. First comes port, then comes package.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
What article(s) do I need to read to comprehend this properly?

Is the process some kind of automated get script which grabs updated ports, pkgs them, once a day or ?
 

PcInfamy

Cadet
Joined
May 1, 2017
Messages
5
2. (OPT) Put the files within the repo's bin directory into the unifi/dehydrated directory before you run the main jail script.


Where is the unifi/dehydrated directory mentioned here? Is it the /mnt/DIRECTORY_NAME/iocage/jails/unifi directory? My issue is if I copy the bin files here before the jail is created, I get an error stating:

Code:
unifi is missing it's configuration, please destroy this jail and recreate it.


Any ideas?

Edit: I am running FreeNAS-11.2-RELEASE-U1 if that is helpful.
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
Hi community :)

Do you think that Let's Encrypt still has an interest, knowing that it is possible to access the Unifi Cloud solution? :rolleyes:
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
On thinking further about this, I realized the "Unifi Cloud solution" you mention is ambiguous. You could be referring to
  • Cloud access to your (local, on-site) controller, or
  • Unifi hosting your controller in the cloud.
The first issue is completely orthogonal to this thread--wherever the controller is running (whether on a Raspberry Pi, on a Linux VM, on a FreeNAS jail, a (very confusingly-named) Cloud Key, or as an application on one of your computers), it has to be running in order for you to access it from outside your network. Unifi's solution for that is fairly straightforward and probably reasonably secure, but it wouldn't at all replace what this thread is talking about; it would augment it.

The second bullet would substitute for what this thread is talking about. Unifi will host your controller in the cloud, letting you manage your network from anywhere. There's a cost for this, of course, and I'm having a hard time finding out how much, but suffice to say it probably wouldn't be economical for a home network. If you want a cloud-hosted Unifi controller for home (or other small installation), I'd look at https://hostifi.net/ instead, who will do it for free for up to 25 devices.

Finally, realize that in most cases, you don't need to have the Unifi controller running full-time. You would need it in order to enforce a captive portal (e.g., for a guest network), and you do need it to modify your network setup (like by adding or replacing devices), but in most cases, your network will run just fine without it.
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
You are really good. I will call you Wikidanb!

Yes, I was talking about the second option! I did not think the service was paid. No matter, you're right about the privacy of our data!
I have a UAP-AC-LITE and when I had formatted my computer I had forgotten Unifi..........and the password! :oops:o_O
I was too lazy to reset my AP and as you say, everything continues to work.


I will try your tutorial, I hope to make it happen
Thx!!
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I will try your tutorial
This isn't mine; I haven't even used this guide (I used the script prepared by @kjake) (obviously I lost track of what thread I was on), but the Unifi controller does run pretty well in a jail. I've been using a Cloud Key since late last year, though.
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
If anyone has an idea: I followed the tutorial (with the Cloudflare option) but after launching the script unifi-jail.sh my iocage/jails/unifi was destroyed.
The installation has been maintained, but I cannot reach https://unifi.xxx.xx:8443/
My folders are here:
/mnt/Stockage/unifi/data
/mnt/Stockage/unifi/logs
/mnt/Stockage/unifi/dehydrated

I created an iocage/jail/unifi with vnet and I mounted the 3 folders within this jail.

Sorry for my bad level :(

Below is the end of my installation:
===> p5-Locale-gettext-1.07 depends on file: /usr/local/sbin/pkg - found
=> gettext-1.07.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch https://cpan.metacpan.org/modules/by-module/Locale/gettext-1.07.tar.gz
gettext-1.07.tar.gz 100% of 8651 B 123 MBps 00m00s
===> Fetching all distfiles required by p5-Locale-gettext-1.07 for building
===> Extracting for p5-Locale-gettext-1.07
=> SHA256 Checksum OK for gettext-1.07.tar.gz.
===> Patching for p5-Locale-gettext-1.07
===> Applying FreeBSD patches for p5-Locale-gettext-1.07
===> p5-Locale-gettext-1.07 depends on executable: msgfmt - found
===> p5-Locale-gettext-1.07 depends on package: perl5>=5.28.r1<5.29 - found
===> p5-Locale-gettext-1.07 depends on shared library: libintl.so - found (/usr/local/lib/libintl.so)
===> Configuring for p5-Locale-gettext-1.07
env: /usr/local/bin/perl5.28.2: No such file or directory
*** Error code 127

Stop.
make[6]: stopped in /usr/ports/devel/p5-Locale-gettext
*** Error code 1

Stop.
make[5]: stopped in /usr/ports/misc/help2man
*** Error code 1

Stop.
make[4]: stopped in /usr/ports/print/texinfo
*** Error code 1

Stop.
make[3]: stopped in /usr/ports/devel/m4
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/devel/scons
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/databases/mongodb36
*** Error code 1

Stop.
make: stopped in /usr/ports/net-mgmt/unifi5

sh: cannot open /etc/dehydrated/install.sh: No such file or directory

chown: unifi: illegal user name

unifi_enable: -> YES

mongod_enable: -> NO

weekly_dehydrated_enable: -> YES
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
Thanks danb35 (always you ;))

Is it in this script that I have to make this change?
Maybe you see incorrect paths?
Code:
#!/bin/sh
JAIL_IP=192.168.1.10
JAIL_PATH=/mnt/Stockage/iocage/jails
JAIL_NAME=unifi
DEFAULT_GW_IP=192.168.1.254

iocage stop ${JAIL_NAME}
iocage destroy -f ${JAIL_NAME}
echo '{"pkgs":["openjdk8","python","mongodb34","bash","snappyjava","gmake","gettext","indexinfo","zip","git","dehydrated","py27-pip"]}' > /tmp/pkg.json
iocage create --name "${JAIL_NAME}" -p /tmp/pkg.json -r 11.2-RELEASE ip4_addr="vnet0|${JAIL_IP}/24" vnet="on" allow_raw_sockets="1" defaultrouter="${DEFAULT_GW_IP}" boot="on" host_hostname="${JAIL_NAME}" mount_linprocfs="1"
rm /tmp/pkg.json
iocage fstab -a ${JAIL_NAME} linproc /proc linprocfs rw 0 0
iocage exec ${JAIL_NAME} "if [ -z /usr/ports ]; then portsnap fetch extract; else portsnap auto; fi"
iocage exec ${JAIL_NAME} make -C /usr/ports/net-mgmt/unifi5 clean install BATCH=yes
iocage exec ${JAIL_NAME} sh /etc/dehydrated/install.sh
iocage exec ${JAIL_NAME} chown -R unifi /usr/local/share/java/unifi
iocage exec ${JAIL_NAME} sysrc -f /etc/rc.conf ${JAIL_NAME}_enable="YES"
iocage exec ${JAIL_NAME} sysrc -f /etc/rc.conf mongod_enable="NO"
iocage exec ${JAIL_NAME} sysrc -f /etc/periodic.conf weekly_dehydrated_enable="YES"
iocage exec ${JAIL_NAME} sysrc -f /etc/periodic.conf weekly_dehydrated_deployscript="/etc/dehydrated/deploy.sh""
iocage restart ${JAIL_NAME}
iocage exec ${JAIL_NAME} sh /etc/dehydrated/deploy.sh
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Well, it's been a while since I've used it, but I'd change the echo line to read:
Code:
echo '{"pkgs":["openjdk8","python","mongodb34","bash","snappyjava","gmake","gettext","indexinfo","zip","git","dehydrated","py27-pip","unifi5"]}' > /tmp/pkg.json

...and take out the lines that read:
Code:
iocage exec ${JAIL_NAME} "if [ -z /usr/ports ]; then portsnap fetch extract; else portsnap auto; fi"
iocage exec ${JAIL_NAME} make -C /usr/ports/net-mgmt/unifi5 clean install BATCH=yes
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
Thank you!
I still have these errors at the end of the installation:
* Starting unifi
+ Started OK
+ Configuring VNET OK
+ Starting services OK
Successfully added mount to unifi's fstab
sh: cannot open /etc/dehydrated/install.sh: No such file or directory


unifi_enable: -> YES

mongod_enable: -> NO

weekly_dehydrated_enable: -> YES

./unifi-jail.sh: 18: Syntax error: Unterminated quoted string
Do you think it could be blocking afterwards?
/etc/dehydrated/deploy.sh << wouldn't it be better if I changed this path? Because mine is here: /mnt/Stockage/unifi/dehydrated/deploy.sh
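
The `Syntax error: Unterminated quoted string` at line 18 reported above matches the `weekly_dehydrated_deployscript` line of the posted script, which ends in a doubled `"` and becomes line 18 once the two port-building lines are taken out. As an added example, not part of the original posts or of the tutorial's script: a pre-flight check that catches both that and the missing `install.sh` before the script reaches `iocage destroy -f`. The function names and the temporary demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the thread's script: checks to run BEFORE the
# destructive `iocage destroy -f` step of a jail-rebuild script.

# syntax_ok SCRIPT: parse only (sh -n), execute nothing.
syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# hooks_present DIR: the rebuild script later runs install.sh and
# deploy.sh from the dehydrated directory; fail if either is absent.
hooks_present() {
    missing=0
    for f in install.sh deploy.sh; do
        if [ ! -f "$1/$f" ]; then
            echo "missing: $1/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# preflight SCRIPT DIR: 0 = safe to run, 1 = syntax error, 2 = hook missing.
preflight() {
    syntax_ok "$1" || { echo "syntax error in $1" >&2; return 1; }
    hooks_present "$2" || return 2
}

# Constructed sample input: the last lines of the posted script, with the
# doubled closing quote, plus a copy where that quote is removed.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/broken.sh" <<'EOF'
#!/bin/sh
JAIL_NAME=unifi
iocage exec ${JAIL_NAME} sysrc -f /etc/periodic.conf weekly_dehydrated_deployscript="/etc/dehydrated/deploy.sh""
iocage restart ${JAIL_NAME}
iocage exec ${JAIL_NAME} sh /etc/dehydrated/deploy.sh
EOF
sed 's/deploy\.sh""$/deploy.sh"/' "$demo_dir/broken.sh" > "$demo_dir/fixed.sh"
mkdir "$demo_dir/dehydrated"   # empty: stands in for a host dir missing the hooks

preflight "$demo_dir/broken.sh" "$demo_dir/dehydrated" ||
    echo "preflight failed (rc=$?): jail left untouched"
```

Because the stray quote only surfaces when the shell reaches that line, everything above it (including the jail destroy and recreate) has already run by the time the error appears; `sh -n` reports it without executing anything.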
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
Hi danb!
So, I really followed the procedure, 2 times, to the millimeter and the problem still persists for me...
I made the decision to simply install unifi5 in a new iocage. It runs perfectly.
Do you know if I can still install the Let's Encrypt certificates with openssl?

If not then I'll be fine :)
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Do you know if I can still install the Let's Encrypt certificates with openssl?
Sure, you'll just need to duplicate what the script was trying to do. You can use dehydrated as @kjake does in his script or use a different client of your preference (I tend to favor acme.sh these days).
 

Mara

Dabbler
Joined
Jan 14, 2017
Messages
48
Hi Danb35, I'm really not talented, but after trying for several hours with Dehydrated I never managed to run his script ... :oops:
I would like to use acme.sh. Do you know of a link where a procedure is described for simply using it, and whether there are prerequisites for using it?
Thank you for everything
 