
udm-le's Introduction

Let's Encrypt for Ubiquiti UniFi OS

Overview

This should work on UniFi devices running UniFi OS 2.x or later, including:

  • UniFi Dream Machine
  • UniFi Dream Machine Pro
  • UniFi Dream Machine SE
  • UniFi Dream Router
  • UniFi Dream Wall
  • UniFi Express
  • UniFi Network Video Recorder
  • UniFi Network Video Recorder Professional

This script supports issuing Let's Encrypt SSL certificates via DNS using Lego.

Out of the box, it has tested support for select DNS providers, but with a little work you could get it working with any of the supported Lego DNS Providers.

Installation

  1. Copy the contents of this repo to your device at /data/udm-le.
  2. Edit /data/udm-le/udm-le.env and tweak variables to meet your needs.
  3. If necessary, create and populate the /data/udm-le/.secrets directory with the files required by your DNS provider.
  4. Run /data/udm-le/udm-le.sh initial. This will handle your initial certificate generation and set up a systemd service to start the service on boot, as well as a systemd timer to attempt certificate renewal each morning between 0300 and 0305.

Uninstallation

# Disable udm-le from running at boot
systemctl disable udm-le

# Delete any udm-le related data
rm -rf /data/udm-le /mnt/data/udm-le
rm -f /etc/systemd/system/udm-le.*

# Delete any generated certificates, and restart services to generate new self-signed certificates
rm -f /data/unifi-core/config/*.crt /data/unifi-core/config/*.key /data/unifi-core/config/*.pem
systemctl restart unifi-core
systemctl restart freeradius

DNS Providers

AWS Route53

If you use Amazon Route53 as your DNS provider, set the DNS_PROVIDER to route53 and configure variables in udm-le.env that start with AWS_.

Azure DNS

If not done already, delegate a domain to an Azure DNS zone.

Assuming the DNS zone lives in subscription 00000000-0000-0000-0000-000000000000 and resource group udm-le, with help of the Azure CLI provision an identity to manage the DNS zone by running:

# Login
az login

# Create a service principal with contributor (default) permissions over the udm-le resource group
az ad sp create-for-rbac --name godns --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/udm-le --role contributor

The CLI will output a JSON object. Use the printed properties to initialize your configuration in udm-le.env.

Note:

  • The password value is a secret and as such you may want to omit it from udm-le.env and instead set it in a .secrets/client-secret.txt file
  • The appId value is what Lego calls a client id

Cloudflare

In your Cloudflare account settings, create an API token with the following permissions:

  • Zone > Zone > Read
  • Zone > DNS > Edit

Once you have your token generated, add the value to udm-le.env.

Digital Ocean

If you use DigitalOcean as your DNS provider, set your DNS_PROVIDER to digitalocean and configure your DO_AUTH_TOKEN. Note: Quoting your DO_AUTH_TOKEN seems to cause issues with Lego.

DuckDNS

If you use DuckDNS as your DNS provider, set your DNS_PROVIDER to duckdns and configure your DUCKDNS_TOKEN.

Gandi Live DNS (v5)

If you use Gandi Live DNS (v5) as your DNS provider, set your DNS_PROVIDER to gandiv5 and configure your GANDIV5_API_KEY. You can obtain your API key at your account settings.

Google Cloud DNS

GCP Cloud DNS can be configured by establishing a service account with the role roles/dns.admin and exporting a service account key for that service account. Ensure that gcloud is set for DNS_PROVIDER in udm-le.env, and GCE_SERVICE_ACCOUNT_FILE references the path to the service account key (e.g. ./root/.secrets/my_service_account.json). Create a new directory called .secrets in /data/udm-le and add the service account file.

Google Domains

If you use Google Domains as your DNS provider, set the DNS_PROVIDER to googledomains and configure GOOGLE_DOMAINS_ACCESS_TOKEN with your access token. You can create an access token in your Google Domains dashboard under YOUR_DOMAIN > Security > ACME DNS API.

Linode DNS

If you use Linode as your DNS provider, set your DNS_PROVIDER to linode and configure LINODE_TOKEN with the value of an API token. The API token must have a scope which allows Read/Write access to "Domains". API tokens can be created in the Linode Control panel.

Loopia

If you use Loopia as your DNS provider, set your DNS_PROVIDER to loopia and configure LOOPIA_API_USER and LOOPIA_API_PASSWORD. The API user must be created at the Loopia customer zone with the following privileges:

  • addZoneRecord
  • getZoneRecords
  • removeZoneRecord
  • removeSubdomain

Name.com

Follow these instructions from name.com support to enable API access.

At the time of writing, the first few steps are out of date and I had to click API for resellers under the more menu, which should get you to step 3.

If using Multifactor to log in, then you will need to read this article about how to disable multifactor for API only.

There are two values needed for the udm-le.env file: your name.com username; your generated api token for production.

Oracle Cloud Infrastructure (OCI) DNS

To configure the Oracle Cloud Infrastructure (OCI) DNS provider, you will need a private API signing key and your tenancy and user account OCIDs. The quickest way to get all that is to install the OCI CLI locally and use its interactive setup process.

The setup process will create a ~/.oci/config directory in which you can find your tenancy and user account OCIDs and key fingerprint; the API signing key will be stored in ~/.oci/oci_api_key.pem. The following CLI command will return the compartment OCID for the specified OCI DNS zone:

$ oci dns zone get --zone-name-or-id example.com | jq -r '.data."compartment-id"'
ocid1.compartment.oc1..secret

To configure the provider:

Important: do not wrap the values of the OCI_* variables in udm-le.env with quotes. The lack of quotes around the example values provided in udm-le.env is intentional and must be maintained.

  1. Set the DNS_PROVIDER value to "oraclecloud"
  2. Uncomment and copy the values from each ~/.oci/config variable to the similarly named OCI_* variable in udm-le.env.
  3. Create a new directory at /data/udm-le/.secrets and copy the oci_api_key.pem file to that directory.
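
An added pre-flight check, not part of udm-le: it reports the variables this page says must stay unquoted (the OCI_* variables, DO_AUTH_TOKEN and CLOUDFLARE_DNS_API_TOKEN) when they are quoted in udm-le.env, and any entry under .secrets that group or other users can access, since that directory holds the API signing key. The function names and the sample files are constructed for illustration, and the script sticks to POSIX sh.

```shell
#!/bin/sh
# Added example, not part of udm-le. POSIX sh only: no [[ ]] and no bash-only
# substitutions, so it also runs under dash.

# Variables this page says must not be quoted in udm-le.env.
UNQUOTED_VARS_RE='^(OCI_[A-Z0-9_]+|DO_AUTH_TOKEN|CLOUDFLARE_DNS_API_TOKEN)$'

# quoted_vars FILE
# Print the name of each listed variable whose value starts with a quote.
quoted_vars() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # blank lines and comments
            *=*) ;;                # NAME=value, checked below
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        printf '%s\n' "$name" | grep -Eq "$UNQUOTED_VARS_RE" || continue
        case $value in
            \'*|\"*) printf '%s\n' "$name" ;;
        esac
    done < "$1"
}

# loose_secrets DIR
# Print every entry under DIR (DIR included) that has any group or other
# permission bit set. Symlinks are skipped because their own mode is not
# meaningful.
loose_secrets() {
    [ -d "$1" ] || return 0
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# preflight ENV_FILE SECRETS_DIR
# Return 0 when both checks are clean, 1 otherwise. Findings go to stderr.
preflight() {
    rc=0
    for name in $(quoted_vars "$1"); do
        echo "$1: $name is quoted; remove the quotes" >&2
        rc=1
    done
    loose=$(loose_secrets "$2")
    if [ -n "$loose" ]; then
        printf 'group/other access, fix with chmod go-rwx:\n%s\n' "$loose" >&2
        rc=1
    fi
    return "$rc"
}

# make_sample DIR
# Constructed sample input (no real credentials): one quoted OCI_* value,
# quoted variables that are not on the list, and a world-readable key file.
make_sample() {
    mkdir -p "$1/.secrets"
    chmod 700 "$1/.secrets"
    cat > "$1/udm-le.env" <<'EOF'
# Constructed sample
CERT_HOSTS='unifi.example.com'
DNS_PROVIDER='oraclecloud'
OCI_REGION="us-ashburn-1"
OCI_PRIVKEY_FILE=/root/.secrets/oci_api_key.pem
#CLOUDFLARE_DNS_API_TOKEN=''
EOF
    : > "$1/.secrets/oci_api_key.pem"
    chmod 644 "$1/.secrets/oci_api_key.pem"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
preflight "$demo_dir/udm-le.env" "$demo_dir/.secrets" || echo "pre-flight failed"
rm -rf "$demo_dir"
```

On a device, the equivalent call would be preflight /data/udm-le/udm-le.env /data/udm-le/.secrets, run before udm-le.sh initial.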

Zonomi

If you use Zonomi as your DNS provider, set your DNS_PROVIDER to zonomi and configure your ZONOMI_API_KEY.

The API key can be obtained in your control panel under the DNS key type.

udm-le's People

Contributors

adrianrosen, djelibeybi, duffenterprises, emlynmac, gtrabanco, injabie3, jebbisson, jvdp11, kchristensen, kwschnei, lollaskates, martintoreilly, micahhausler, patricklewis, shagon94, slyticoon, tbj, timrettop, yoannchaudet

udm-le's Issues

/etc/init.d/crond: not found on UDMP 1.8.6

After UDMP firmware upgrade from 1.8.5 to 1.8.6 I tried to install the udm-le.sh script again, but it does not work anymore...

  1. unifi-os shell
  2. mkdir /mnt/data
  3. mkdir /mnt/data/udm-le
  4. cd /mnt/data/udm-le
  5. wget https://raw.githubusercontent.com/kchristensen/udm-le/master/udm-le.sh
  6. chmod +x udm-le.sh
  7. wget https://raw.githubusercontent.com/kchristensen/udm-le/master/udm-le.env
  8. apt install nano
  9. nano udm-le.env set CERT_EMAIL, CERT_HOSTS, ENABLE_CAPTIVE=yes, DNS_PROVIDER='cloudflare', CLOUDFLARE_DNS_API_TOKEN=my_cloudflare_API_token
  10. /mnt/data/udm-le/udm-le.sh initial

console output:
root@ubnt:/mnt/data/udm-le# /mnt/data/udm-le/udm-le.sh initial
/mnt/data/udm-le/udm-le.sh: 66: /mnt/data/udm-le/udm-le.sh: /etc/init.d/crond: not found

If I change /etc/init.d/crond reload ${CRON_FILE} to /etc/init.d/cron reload ${CRON_FILE} on line 66 in /mnt/data/udm-le/udm-le.sh there is another error:
root@ubnt:/mnt/data/udm-le# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
/mnt/data/udm-le/udm-le.sh: 80: /mnt/data/udm-le/udm-le.sh: podman: not found

Error presenting token

I've gotten my cloudflare account set up, got my TLD set up in cloudflare, set up dynamic dns via dnsomatic for the UDM-Pro, then finally tried installing your script. It looks awesome but isn't running properly for me.

Any help will be appreciated. My error is:

2020/08/03 20:07:05 [WARN] [www.MYDOMAIN.us] acme: cleaning up failed: cloudflare: failed to find zone MYDOMAIN.us.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6111,\"message\":\"Invalid format for Authorization header\"}]}],\"messages\":[],\"result\":null}" 
2020/08/03 20:07:05 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6298189063
2020/08/03 20:07:05 Could not obtain certificates:
	error: one or more domains had a problem:
[www.MYDOMAIN.us] [www.MYDOMAIN.us] acme: error presenting token: cloudflare: failed to find zone MYDOMAIN.us.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6111,\"message\":\"Invalid format for Authorization header\"}]}],\"messages\":[],\"result\":null}"

Thanks!

Error running initial command > "could not find the start of authority for _acme-challenge.MYDOMAIN.com"

Hi there,

I have an UDM Pro with the 1.8.0 firmware, set up the .env file using my cloudflare api token (with the specified token permissions) but I do get the following errors:

# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
2020/11/28 12:05:04 [INFO] [jbedge.mydomain.com] acme: Obtaining bundled SAN certificate
2020/11/28 12:05:05 [INFO] [jbedge.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/123456789
2020/11/28 12:05:05 [INFO] [jbedge.mydomain.com] acme: Could not find solver for: tls-alpn-01
2020/11/28 12:05:05 [INFO] [jbedge.mydomain.com] acme: Could not find solver for: http-01
2020/11/28 12:05:05 [INFO] [jbedge.mydomain.com] acme: use dns-01 solver
2020/11/28 12:05:05 [INFO] [jbedge.mydomain.com] acme: Preparing to solve DNS-01
2020/11/28 12:05:45 [INFO] [jbedge.mydomain.com] acme: Cleaning DNS-01 challenge
2020/11/28 12:06:25 [WARN] [jbedge.mydomain.com] acme: cleaning up failed: cloudflare: could not find the start of authority for _acme-challenge.jbedge.mydomain.com.: read udp 1.2.3.4:53531->8.8.8.8:53: i/o timeout
2020/11/28 12:06:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/123456789
2020/11/28 12:06:25 Could not obtain certificates:
        error: one or more domains had a problem:
[jbedge.mydomain.com] [jbedge.mydomain.com] acme: error presenting token: cloudflare: could not find the start of authority for _acme-challenge.jbedge.mydomain.com.: read udp 1.2.3.4:53991->8.8.8.8:53: i/o timeout

The .env file looks like this:

#
# Required configuration
#

# Email for LetsEncrypt certificate issuance
CERT_EMAIL='[email protected]'

# The FQDN of your UDMP (comma separated fqdns are supported)
CERT_HOSTS='jbedge.mydomain.com'

# Enable updating Captive Portal certificate as well as device certificate
ENABLE_CAPTIVE='no'

# CloudFlare settings, see the README.md for information about other providers
# Note: Quoting your CLOUDFLARE_DNS_API_TOKEN below seems to cause issues
CLOUDFLARE_DNS_API_TOKEN=MYAPITOKEN
DNS_PROVIDER='cloudflare'

#
# Change stuff below at your own risk
#

# DNS_RESOLVERS supports a host:port if you need to override system DNS
DNS_RESOLVERS='8.8.8.8:53'

# Changing below requires changing line 6 of udm-le.sh
UDM_LE_PATH='/mnt/data/udm-le'

# These should only change if Unifi-OS core changes require it
CERT_IMPORT_CMD='java -jar /usr/lib/unifi/lib/ace.jar import_key_cert'
UBIOS_CERT_PATH='/mnt/data/unifi-os/unifi-core/config'
UNIFIOS_CERT_PATH='/data/unifi-core/config'

(replaced the personal domain/ids/ips/API Token with placeholder values)

I am a bit confused - this is basically a stock UDM Pro with no adjustments to the default firewall so I am a bit confused re: that I/O Error.. I can perform manual nslookups etc on the shell.. so maybe I am missing something and/or would somebody have any idea what's wrong here?

Thanks for any ideas/suggestions and especially thanks to @kchristensen for this project! 👍🏻

Assignees

server.log:[2021-03-15T00:51:08,542] ERROR system - Unable to read certificate from the unifi chain. There are 2 certificates, but exactly 1 is expected

server.log:[2021-03-15T00:51:09,241] ERROR dev - WiFiman enabled but could not find certificate, skipping config

Compatible with UniFi OS 3?

Apologies for raising this as an issue or if it's already covered elsewhere.

Is udm-le compatible with the current release of UniFi OS 3.0.20? I'm pretty sure it would be as the on-boot-script is working with 3.x but just want to double check.

Many thanks to Kyle C for his efforts on this project.

InMemoryAppender Error

Seeing the below in the output, otherwise the script appears to work and a new cert was grabbed and unifi-os restarted.

2021-04-09 09:54:21,904 main ERROR Error processing element InMemoryAppender ([Appenders: null]): CLASS_NOT_FOUND
2021-04-09 09:54:22,997 main ERROR Unable to locate appender "InMemoryAppender" for logger config "root"

unifi-os doesn't restart

Expected
With the on-boot script, udm-le waits 5 minutes then installs certs and restarts unifi-os

Actual
The unifi-os restart command that the script runs doesn't work. Unifi-os is stopped but doesn't restart, everything is back to normal only after manually executing unifi-os restart.

UDM-PRO firmware 1.8.6
on-boot-script 1.0.4
udm-le 1.0.7

[BUG] Can't open file from /root/.secrets

Describe the bug
I'm trying to configure OCI DNS which requires a client-side certificate which is stored in PEM format to be available. If I configure the environment variables in udm-le.env and run the script as documented, LEGO throws a "no such file or directory". However, if I override the entrypoint and run LEGO manually, it works just fine.

This is similar to #51 but the OCI provider doesn't have a _PATH variant and running the command manually works.

To Reproduce
Add the following to udm-le.env and run udm-le.sh initial:

DNS_PROVIDER='oraclecloud'
OCI_PRIVKEY_FILE='/root/.secrets/oci_api_key.pem'
OCI_PUBKEY_FINGERPRINT='00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'
OCI_TENANCY_OCID='ocid1.tenancy.oc1..secret'
OCI_COMPARTMENT_OCID='ocid1.tenancy.oc1..secret'
OCI_USER_OCID='ocid1.user.oc1..secret'
OCI_REGION="us-ashburn-1"

If you launch the container and override the entrypoint and run this, it works just fine:

OCI_PRIVKEY_FILE="/root/.secrets/oci_api_key.pem" \
OCI_TENANCY_OCID="ocid1.tenancy.oc1..secret" \
OCI_USER_OCID="ocid1.user.oc1..secret" \
OCI_PUBKEY_FINGERPRINT='00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00' \
OCI_REGION="us-ashburn-1" \
OCI_COMPARTMENT_OCID="ocid1.compartment.oc1..secret" \
/usr/bin/lego --email [email protected] --dns oraclecloud --key-type rsa2048 -d '*.example.com' --accept-tos run

Expected behavior
I expected the script to work because it does manually. The only difference I can see is the use of single vs double quotes, so I'm going to try replacing the quote in udm-le.env to see if that fixes it.

Version Information (please complete the following information):

  • UniFi OS: 1.12.13.4270
  • Hardware Type: UDP Pro

Support Specifying Name Servers

I use a split horizon DNS with some local overrides for my desired domains. My UDMP is hitting these overrides when confirming propagation and does not continue. Lego supports specifying name servers and it would be great if the script allowed name servers to be specified in the .env file. Thanks

Use certificates for radius auth

Is your feature request related to a problem? Please describe.
The LE certificates can additionally be used for radius authentication.

Describe the solution you'd like
Add an option to copy the certificates:

# cp lego/certificates/cert.crt /mnt/data/udapi-config/raddb/certs/server.pem
# cp lego/certificates/cert.key /mnt/data/udapi-config/raddb/certs/server-key.pem

Describe alternatives you've considered
Manually copying + rebooting works, but it would be nice to have this included in the cron update to survive updates/LE cert rolls.

I can submit a PR if you'd be happy to have this feature added.

on boot script

For boostchicken's on-boot-script it is not clear for me what file to put in the /mnt/data/on_boot.d.

Is that the /mnt/data/udm-le/udm-le.sh but how to pass initial parameter then?
Or should I just copy /mnt/data/on_boot.d/99-udm-le.sh in there?

Google Cloud ENV Variables

@kchristensen I was hoping to be able to provide a pull request with instructions for GCP, but I've run into problems. I've introduced a serviceaccount directory, with a sa.json file for interacting with GCP.

# ./udm-le.sh  initial
Attempting initial certificate generation
2020/12/23 02:49:01 Failed to read the file /mnt/data/udm-le/serviceaccount/sa.json (defined by env var GCE_SERVICE_ACCOUNT_FILE): open /mnt/data/udm-le/serviceaccount/sa.json: no such file or directory
2020/12/23 02:49:03 googlecloud: project name missing
# ls -l serviceaccount/sa.json 
-rw-r--r--    1 root     root          2326 Dec 22 21:11 serviceaccount/sa.json

My experiments on localhost suggested that with lego, you really only needed the GCE_SERVICE_ACCOUNT_FILE to be set. I'm under the assumption that there are NO other pre-requisites to what you described in the readme.

failed to find zone

Hi,
Not sure if I have done something wrong, but the script fails on finding my zone. zone polska.org.pl

UDM-le env:

# Required configuration

# Email for LetsEncrypt certificate issuance
CERT_EMAIL='[email protected]'

# The FQDN of your UDMP (comma separated fqdns are supported)
CERT_HOSTS='polska.org.pl'

# Enable updating Captive Portal certificate as well as device certificate
ENABLE_CAPTIVE='no'

# CloudFlare settings, see the README.md for information about other providers
CLOUDFLARE_DNS_API_TOKEN='MYTOKENFROMCLOUDFLARE'
DNS_PROVIDER='cloudflare'

# Change stuff below at your own risk

# DNS_RESOLVERS supports a host:port if you need to override system DNS
DNS_RESOLVERS=''

# Changing below requires changing line 6 of udm-le.sh
UDM_LE_PATH='/mnt/data/udm-le'

# These should only change if Unifi-OS core changes require it
CERT_IMPORT_CMD='java -jar /usr/lib/unifi/lib/ace.jar import_key_cert'
UBIOS_CERT_PATH='/mnt/data/unifi-os/unifi-core/config'
UNIFIOS_CERT_PATH='/data/unifi-core/config'

Information during running the script:

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/var/lib/lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/08/25 08:00:39 [INFO] [polska.org.pl] acme: Obtaining bundled SAN certificate
2020/08/25 08:00:40 [INFO] [polska.org.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6760625124
2020/08/25 08:00:40 [INFO] [polska.org.pl] acme: Could not find solver for: tls-alpn-01
2020/08/25 08:00:40 [INFO] [polska.org.pl] acme: Could not find solver for: http-01
2020/08/25 08:00:40 [INFO] [polska.org.pl] acme: use dns-01 solver
2020/08/25 08:00:40 [INFO] [polska.org.pl] acme: Preparing to solve DNS-01
2020/08/25 08:00:41 [INFO] [polska.org.pl] acme: Cleaning DNS-01 challenge
2020/08/25 08:00:42 [WARN] [polska.org.pl] acme: cleaning up failed: cloudflare: failed to find zone polska.org.pl.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6111,"message":"Invalid format for Authorization header"}]}],"messages":[],"result":null}"
2020/08/25 08:00:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6760625124
2020/08/25 08:00:42 Could not obtain certificates:
error: one or more domains had a problem:
[polska.org.pl] [polska.org.pl] acme: error presenting token: cloudflare: failed to find zone polska.org.pl.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6111,"message":"Invalid format for Authorization header"}]}],"messages":[],"result":null}"

Is this some kind of bug, or I just wrongly use the CERT_HOSTS='polska.org.pl' field?

My CloudFlare API token setup
Screenshot 2020-08-25 at 10 11 34

[BUG] `rc.radius` does no longer exist and cannot be used to restart FreeRADIUS

Describe the bug
In certain configurations/newer versions of the UDM(P) rc.radius does no longer exist, which can prevent FreeRADIUS from actually using newly issued certificates.

rc.radius restart &>/dev/null

To Reproduce
Steps to reproduce the behavior:

  1. Configure to issue radius certificates.
  2. Observe that FreeRADIUS is not restarted and does not use correct certificates.

Expected behavior
The FreeRADIUS service is restarted and uses the newly issued certificates.

Screenshots
N/A

Version Information (please complete the following information):

  • UniFi OS: 1.11.4 & 1.12.22
  • Hardware Type: UDM-P

Additional context
rc.radiusd should be used instead.

[FEATURE] Generate any number of certificates

Hi,

I've just moved my haproxy instance directly on my UDM Pro, using udm-utilities.
For now I've copy-pasted my certificates directory manually, but I wonder if there's a way to use this udm-le to handle renewing them automatically?

Basically in addition to generating and installing a certificate for the UDM, it would also need to generate some .pem files in a given directory, and ideally run podman restart haproxy afterwards.

Thanks

Error opening private.key TransIP DNS

Hi,

I followed the manual, customized the .env-file and while it's running, I can see that the script is downloading some files from lego, created a personal key pair, but then the script needs to check via the API at TransIP. But every time, the script is saying that he can't find the .key-file.
I see the file with the ls-command and via WinSCP in the same directory as the .env- and .sh-files.
See the screenshots for more info.

Who can help me? Thanks in advance.

UCK-G2-Plus Compatibility

so the Cloud Key Gen2 Plus just got Unifi OS and I'm running the 2.0.22 FW.

I'm trying to get this to work but the first issue is that /etc/init.d/crond is not found. It's called cron instead. Second, podman is not installed and I can't seem to get it from aptitude.

Any thoughts? Am I wrong in thinking this should work for the Cloud Key Gen2 plus?

thanks for all your help!

[BUG]

Hi

I am new to this and followed along with your steps on my UDM-P and keep getting the following error when I try to run "/mnt/data/udm-le/udm-le.sh initial":

"root@ubnt:/# /mnt/data/udm-le/udm-le.sh initial
bash: /mnt/data/udm-le/udm-le.sh: No such file or directory"

I can only navigate to /mnt/ and when I "ls" only "persistent" shows but Winscp clearly shows more

  • UniFi OS: Firmware Version 1.9.3 (Network - 6.2.25)
  • Hardware Type: UDM-Pro

Found error/problem in udm-le.sh in connection with on-boot-script

Hi!

I got your great script running to renew a Let's Encrypt certificate with Azure DNS.

After that, I installed the on-boot-script for persistence from boostchicken.

When I copy the 99-udm-le.sh into the on_boot.d folder, it runs but doesn't start the unifi-os afterwards.

I changed line 89 in udm-le.sh from:
${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert && add_captive && unifi-os restart

to
${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert && add_captive && unifi-os

without the restart option at the end.

Now it runs perfectly after reboots. I don't know why this happens (I'm not an expert in coding); this is only for your information, maybe you know how to correct it or why this happens. ;)

greetings!

UDM Info: (base the round one)
controller 6.0.28
fw 1.8.0

Certificate Generated Not Deployed

Running initial, I get through the certificate generation without a hitch - using Cloudflare for DNS and I see in their logfile where the challenge records are written and deleted successfully. At the end of the process, the certificate is not installed and stalls with message: "New certificate was generated, time to deploy it".

I've deleted/replaced files, rebooted router, restarted shell, but no luck with it yet. No errors, just sits at the message above. Nothing interesting in the UDM logs either. Ideas?

UDM Pro (v1.11.0-14)

podman command doesn't pass route53 env variables from file

Great work on putting this together. I use route53 for my LE authentication and was running into an issue using this tool.

I set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_HOSTED_ZONE_ID, and AWS_REGION values in udm-le.env so the contents of the file look like this (with secret replacing the actual strings):

# Email for Let'sEncrypt cert issuance
CERT_EMAIL='secret'
# The FQDN of your UDMP (comma separated fqdns are supported)
CERT_HOSTS='mydomain.com,*.mydomain.com'
# Create a Cloudflare API token with DNS:Edit & Zone:Read permissions limited to your zone
#CLOUDFLARE_DNS_API_TOKEN=''
# Change stuff below at your own risk
DNS_PROVIDER='route53'
UDM_LE_PATH='/mnt/data/udm-le'
AWS_ACCESS_KEY_ID='secret'
AWS_SECRET_ACCESS_KEY='secret'
AWS_HOSTED_ZONE_ID='secret'
AWS_REGION='secret'

digging into the script, I see that the command that is run is constructed like so:

podman run --env-file=/mnt/data/udm-le/udm-le.env -it --name=lego --network=host --rm -v /mnt/data/udm-le/lego/:/var/lib/lego/ hectormolinero/lego --dns route53 --email secret -d mydomain.com -d *.mydomain.com --key-type rsa2048 --accept-tos run && deploy_cert

Running the tool unmodified, I'd get this output:

2020/07/15 03:02:50 [WARN] [*.mydomain.com] acme: cleaning up failed: route53: InvalidClientTokenId: The security token included in the request is invalid.
	status code: 403, request id: some_uuid

I attempted to run this command outside of your script on the UDM shell and I get the same error:
# podman run --env-file /mnt/data/udm-le/udm-le.env --name=lego --network=host --rm -v /mnt/data/udm-le/lego/:/var/lib/lego/ hectormolinero/lego --dns route53 --email secret -d mydomain.com -d *.mydomain.com --key-type rsa2048 --accept-tos run && deploy_cert

However if I alter the shell command and replace the --env-file with -e values like this:
podman run -e AWS_ACCESS_KEY_ID='secret' -e AWS_SECRET_ACCESS_KEY='secret' -e AWS_HOSTED_ZONE_ID='secret' -e AWS_REGION='secret' -it --name=lego --network=host --rm -v /mnt/data/udm-le/lego/:/var/lib/lego/ hectormolinero/lego --dns route53 --email secret -d mydomain.com -d *.mydomain.com --key-type rsa2048 --accept-tos run && deploy_cert

I'm able to successfully pass the authentication.

2020/07/15 03:31:55 [INFO] [mydomain.com] acme: use dns-01 solver
2020/07/15 03:31:55 [INFO] [*.mydomain.com] acme: Preparing to solve DNS-01
2020/07/15 03:31:56 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]

HOWEVER, interestingly, attempting to hardcode those values into the PODMAN_CMD variable in your script DOES NOT work as it does on the shell.

Thoughts?

As far as I can tell the environment variables do not get referenced from the file when the container runs, but I haven't been able to determine if that is accurate. adding --log-level=debug to the podman command output anything more useful (like that the environment variables are being set).

Error running initial command

Running the command gives:
#/mnt/data/udm-le/udm-le.sh initial
: not founddm-le/udm-le.sh: /mnt/data/udm-le/udm-le.env: line 4:

First 4 lines of udm-le.sh :
#!/bin/sh
set -e
#Load environment variables
. /mnt/data/udm-le/udm-le.env

ls -l of /mnt/data/udm-le/
-rw-r--r-- 1 root root 5225 Jan 6 01:50 CODE_OF_CONDUCT.md
-rw-r--r-- 1 root root 1073 Jan 6 01:50 LICENSE
-rw-r--r-- 1 root root 2966 Jan 6 01:50 README.md
drwxr-xr-x 2 root root 4096 Jan 6 01:53 on_boot.d
-rw-r--r-- 1 root root 1298 Jan 6 01:57 udm-le.env
-rwxr-xr-x 1 root root 3299 Jan 6 01:50 udm-le.sh

Any suggestions?

[FEATURE] Request UDM Pro SE Support

Is your feature request related to a problem? Please describe.
The UDM Pro SE does not use containers. The unifi-core runs directly, outside of a container. You can get things to work, and maybe someone will find this suggestion helpful to getting it working on their own UDM Pro SE, even if the suggestion is not accepted.

Describe the solution you'd like
It should be pretty simple to update the script to detect a UDM Pro SE. Perhaps looking for the unifi-os or something (if it is not present, then its a SE?). Sadly I don't have access to a non-SE unit to compare and create this check properly.

Describe alternatives you've considered
I've hacked up the scripts into something that works for me. Basically, new paths and a new restart command:

  • UBIOS_CONTROLLER_CERT_PATH='/data/unifi-core/config' puts the certs in the right place
  • systemctl restart unifi-core.service restarts the services (unifi-os restart is not available on the UDMPSE as there isn't a container)

Additional context

  • The UDM Pro SE does not have podman so you need to install that first from udm-utilities
  • Side note, I do get odd errors from the shell script such as:
./udm-le.sh: 17: ./udm-le.sh: Bad substitution
./udm-le.sh: 25: [: no: unexpected operator
./udm-le.sh: 29: [: no: unexpected operator
./udm-le.sh: 41: [: true: unexpected operator

I'm not sure if the sh interpreter is different on the UDMPSE or what. Shell scripting makes my head hurt. (esac, really? who created this syntax 😄)

Cant run last command to initial

Keep getting permissions denied. Can't seem to find why. Tried with sudo, sudo -o. This is my first time doing this, thanks for the help.

[BUG] Error: unable to pull :: error getting default registries to try: invalid reference format

Describe the bug
There seems to be an issue with the registries of podman to pull the LEGO-Container. But actually I have no clue how to fix this

To Reproduce
Steps to reproduce the behavior:

  1. ssh into unifi system
  2. run /mnt/data/udm-le/udm-le.sh renew

Expected behavior
Certificate should be renewed

What happens
/mnt/data/udm-le/udm-le.sh renew
Attempting certificate renewal
podman run --env-file=/mnt/data/udm-le/udm-le.env -it --name=lego --network=host --rm -v /mnt/data/udm-le/lego/:/.lego/ : --dns inwx --email [email protected] --key-type rsa2048 --dns.resolvers 8.8.8.8 -d unifi.xxxxxxxxxx.org
Error: unable to pull :: error getting default registries to try: invalid reference format

Version Information (please complete the following information):

  • UniFi OS: 1.11.0
  • Hardware Type: UniFi OS UDM Pro 1.11.0

[BUG] - Podman not found

Describe the bug
Hi,

I receive the error message below when I run the script on my UDM Pro.
What does it mean? And what am I doing wrong?

Thanks

> root@UDM-Pro:~# /mnt/data/udm-le/udm-le.sh initial
> /mnt/data/udm-le/udm-le.sh: 34: /mnt/data/udm-le/udm-le.sh: [[: not found
> Attempting initial certificate generation
> /mnt/data/udm-le/udm-le.sh: 176: /mnt/data/udm-le/udm-le.sh: podman: not found

[BUG]

Describe the bug
This isn't really a bug in udm-le (it is a feature regression in udm-core). I'm adding the issue here to maybe help other udm-le users who encounter the same problem. When updating to 1.11.0, the unifi-core service failed to start. It couldn't use my letsencrypt crt, failing with "Error loading certificate /data/unifi-core/config/unifi-core.crt Cannot read public key. OID is not RSA." My cert was ASN1 OID: prime256v1, NIST CURVE: P-256.

My community.ui.com thread has copies of the logged errors.
https://community.ui.com/questions/UniFi-OS-is-starting/3a0a50ea-8392-418a-b4f2-64bcede58d48

Version Information (please complete the following information):

  • UniFi OS: 1.11.0
  • Hardware Type: UDM

Additional context
I was able to run unifi-os shell, then remove my custom crt and key from /data/unifi-core/config/. The udm will then gen a self signed cert.

I suspect they reworked the cert management code in this release and it isn't configured for anything but RSA. I hope they fix this soon so we don't have to config lego to generate rsa certs. Maybe we'll find out more after the weekend.

[BUG?] Failed to pull Lego

Describe the bug
Cannot pull Lego

# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
Trying to pull docker.io/goacme/lego:v4.4.0-arm.v8...
  Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 127.0.0.1:53: read udp 127.0.0.1:51576->127.0.0.1:53: i/o timeout
Error: unable to pull docker.io/goacme/lego:v4.4.0-arm.v8: unable to pull image: Error initializing source docker://goacme/lego:v4.4.0-arm.v8: pinging docker registry returned: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 127.0.0.1:53: read udp 127.0.0.1:51576->127.0.0.1:53: i/o timeout

I tried setting custom DNS in the .env file as well, no change.
Not sure where the issue is.

To Reproduce
1- Copy files to UDM pro
2- edit variables, I used duckdns
3- for some reason udm-le.sh wasn't set to be executable, set it with chmod +x udm-le.sh
4- run /mnt/data/udm-le/udm-le.sh initial

Expected behavior
Expected to work.

Version Information (please complete the following information):

  • UniFi OS: [1.11.0-16]
  • Hardware Type: UDM-Pro

trying to use http-01

Here is what I have tried so far:

adding to LEG_ARGS in udm-le.sh:
--http --http.port :81

and while testing:
--server https://acme-staging-v02.api.letsencrypt.org/directory

Adding port forwarding from 80 to 81

acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://<url>/.well-known/adme-challenge/<token>: Timeout during connect (likely firewall problem)

Not sure if this method will even work as port 80 seems to be in use, most likely it's hidden and in use for unifi-os.

Anyone else got any ideas of things to try to get http-01 to work?

[BUG]

Describe the bug
I have followed the installation steps and tried to make use of the DNS provider "Loopia", supported by Lego, by adding the following to udm-le.env:

# Loopia
DNS_PROVIDER='loopia'
LOOPIA_API_USER=user@loopiaapi
LOOPIA_API_PASSWORD=password

This works as intended but I do not want to write out my actual password in this configuration file. Instead I tried to make use of the _FILE suffix, e.g. LOOPIA_API_PASSWORD_FILE=/root/.secrets/password.txt but then received this message:

2022/08/01 19:57:33 Failed to read the file /root/.secrets/password.txt (defined by env var LOOPIA_API_PASSWORD_FILE): open /root/.secrets/password.txt: no such file or directory
2022/08/01 19:57:33 loopia: some credentials information are missing: LOOPIA_API_PASSWORD

I tried chmod 777 for password.txt but that resulted in the same error message. I also tried to move the password file to the same location as where I keep the udm-le.env file. That did not work.

Expected behavior
I expected "udm-le.env" to retrieve the password for my API-user from a separate file with restricted read access; for instance, only root has read access to the password file.

Version Information (please complete the following information):

  • UniFi OS: 1.12.22
  • Hardware Type: UDM Pro

Additional context
Add any other context about the problem here.
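
The report above is about keeping a provider password in a separate, root-only file and mentions a chmod 777 attempt. As an added example (not part of the original issue or of udm-le), this sketch lists anything under a secrets directory that group or other can access and then restricts it to the owner; the function names are hypothetical and the directory is whatever path you pass in. It covers file permissions only, not the "no such file or directory" path error.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a secrets directory.
# Function names are hypothetical; the directory is supplied by the caller.

# Print every file or directory under $1 that grants any permission to
# group or other. Uses portable find syntax (no GNU-only "-perm /077").
list_exposed() {
    find "$1" \( -type f -o -type d \) \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Restrict directories to 0700 and regular files to 0600 (owner only).
# find does not follow symlinks here, so a link inside the tree cannot
# redirect chmod to a file outside it.
tighten() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Return 0 when nothing is exposed, 1 after printing the offenders,
# 2 when the argument is not a directory.
audit_secrets() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_secrets: $dir is not a directory" >&2; return 2; }
    exposed=$(list_exposed "$dir")
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/.secrets
if [ "$#" -eq 1 ]; then
    audit_secrets "$1"
fi
```

The owner-only modes assume the process that reads the secrets runs as the files' owner, as in the root-owned listing elsewhere on this page.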

Failing to read secret file - "no such file or directory"

Describe the bug
I'm trying to initialize. CLI output below. I don't understand why the script cannot read the service account secret file. I don't see a problem w/the default permissions on the file. I'm using Google Cloud DNS.

# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
2022/01/04 19:40:05 Failed to read the file /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json (defined by env var GCE_SERVICE_ACCOUNT_FILE): open /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json: no such file or directory
2022/01/04 19:40:07 googlecloud: project name missing

# ls -al /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
-rw-r--r--    1 root     root          2298 Jan  4 11:22 /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
# stat /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
  File: /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
  Size: 2298      	Blocks: 8          IO Block: 4096   regular file
Device: 816h/2070d	Inode: 392472      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-01-04 11:22:55.000000000
Modify: 2022-01-04 11:22:55.000000000
Change: 2022-01-04 11:22:55.00000000

Here is my provider section:

# Google Cloud DNS
# Note: The default path for the service account file is /root/.secrets
DNS_PROVIDER='gcloud'
GCE_SERVICE_ACCOUNT_FILE=/mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
GCE_PROPAGATION_TIMEOUT=3600

Version Information (please complete the following information):

  • UniFi OS: 1.11.0
  • Hardware Type: UDMP

[FEATURE]Update udm-le to support udm pro-se.

Is your feature request related to a problem? Please describe.
Current udm-le will not run on udm pro-se since unifi-os shell and podman are no longer included. Response to udm-le.sh initial is:
/mnt/data/udm-le/udm-le.sh: 34: /mnt/data/udm-le/udm-le.sh: [[: not found
Attempting initial certificate generation
/mnt/data/udm-le/udm-le.sh: 176: /mnt/data/udm-le/udm-le.sh: podman: not found

Describe the solution you'd like
Provide a clean updated fork solution for udm pro-se users seeking ssl certificate through a dns provider (e.g., cloudflare).

Describe alternatives you've considered
I've looked at various postings by others but have yet to find a solution that works. I also found a thread that you and team were trying to tackle this Nov 2021.

Additional context
I'm new at this but have been successful in using letsencrypt with traefik/portainer or certbot. However, I'm struggling with udm pro-se. If you have already developed a solution, please relay all the appropriate steps that need to be taken to get a ssl certificate (including a persistent solution or an add on to work even with a new firmware update). Thanks!

[BUG] Key file not found with transip as DNS provider

I would like to use TransIP as a DNS provider. According to the LEGO documentation, this should work. However I run into an error on the first run. The error is as follows:
# /mnt/data/udm-le/udm-le.sh initial
/mnt/data/udm-le/udm-le.sh: /mnt/data/udm-le/udm-le.env: line 55: TRANSIP_ACCOUNT_NAME: not found

I tried adding transip to the DNS_RESOLVERS variable to no avail.

Could transip be added to the list of DNS providers?

Feature Request - add support for the RADIUS certificate

Hi - awesome work on this; made my day to be able to find the utilities and your lets encrypt support.

I see the script supports both the main cert and the portal - is it also possible to support the RADIUS server too?

I can dig in and make a PR if I have some direction as to how this works...

Thanks!

Emlyn

Issue initializing

Upon running the script I get:

Attempting initial certificate generation
No help topic for '@gmail.com'

[FEATURE] Update Guest Portal Certificate Keystore - updated code below works

This process works great for updating the SSL cert served when accessing the UDM pro admin interface, however, it does not update the Guest Portal. This cert is stored as a keystore and you need to run two additional commands to first create the pkcs12 and then use that to import via keytool.

podman exec unifi-os openssl pkcs12 -export -in ${UBIOS_CERT_PATH}/unifi-core.crt -inkey ${UBIOS_CERT_PATH}/unifi-core.key -out ${UBIOS_CERT_PATH}/unifi.p12 -name unifi -caname root -passin pass:aircontrolenterprise -passout pass:aircontrolenterprise
podman exec unifi-os keytool -noprompt -importkeystore -srckeystore ${UBIOS_CERT_PATH}/unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise

The new deploy_cert() function looks like:

deploy_cert() {
    # Re-write CERT_NAME if it is a wildcard cert. Replace * with _
    LEGO_CERT_NAME=${CERT_NAME/\*/_}
    if [ "$(find -L "${UDM_LE_PATH}"/lego -type f -name "${LEGO_CERT_NAME}".crt -mmin -5)" ]; then
        echo 'New certificate was generated, time to deploy it'
        # Controller certificate
        cp -f "${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.crt" "${UBIOS_CERT_PATH}/unifi-core.crt"
        cp -f "${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.key" "${UBIOS_CERT_PATH}/unifi-core.key"
        chmod 644 "${UBIOS_CERT_PATH}"/unifi-core.*
        # Guest portal: bundle the cert and key as PKCS12, then import it into the keystore
        podman exec unifi-os openssl pkcs12 -export -in "${UBIOS_CERT_PATH}/unifi-core.crt" -inkey "${UBIOS_CERT_PATH}/unifi-core.key" -out "${UBIOS_CERT_PATH}/unifi.p12" -name unifi -caname root -passin pass:aircontrolenterprise -passout pass:aircontrolenterprise
        podman exec unifi-os keytool -noprompt -importkeystore -srckeystore "${UBIOS_CERT_PATH}/unifi.p12" -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise
        NEW_CERT="yes"
    else
        echo 'No new certificate was found, exiting without restart'
    fi
}

AWS Route53 Setup

I am trying to create this with route53 setup. I have a hosted zone configured which I use from my Synology to update the IP of my network. Where are the log files located when the script is running? I have checked the /var/log/messages and am not seeing anything. At this time when I run install it has set up the jobs. I do not see it performing any certificate updates as my files are from Feb 1st.


Wifiman does not work on UDMP if signer/intermediate cert is imported

In case this is asked by someone else, I have noted that when using udm-le to import create/import certs you may face issues with Wifiman in Unifi Network 6.1.x.

I upgraded to Unifi Network 6.1.69 (beta) which gave me some valuable debug info when I toggle on/off Wifiman integration

server.log:[2021-03-15T00:51:08,542] <inform-13> ERROR system - Unable to read certificate from the unifi chain. There are 2 certificates, but exactly 1 is expected

server.log:[2021-03-15T00:51:09,241] <inform-13> ERROR dev - WiFiman enabled but could not find certificate, skipping config

Looking at the keystores (default vs LE keystore after ace.jar import) I observe the LE keystore includes the intermediate in the hierarchy. I know ace.jar won't allow importing without the signer cert.

default_unifi_keystore

letsencrypt_withsigner

working_letsencrypt

After I created a new JKS keystore with only the server certificate + key (PKCS12) I bounced Unifi Network and toggled on Wifiman and confirmed success.

I have reached out to Unifi Support, who initially advised they do not support custom SSL certs and do not support CLI based changes on UDMP. I have advised them on my findings since this initial interaction and am awaiting their response.
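
An added example, not part of the original issues or of udm-le: a pre-deployment check for two failures reported on this page, a non-RSA key ("OID is not RSA") and a certificate file holding more than one certificate ("There are 2 certificates, but exactly 1 is expected"). The function names are hypothetical, and it assumes the server (leaf) certificate is the first block in the bundle and that the key's PEM label names its algorithm.

```shell
#!/bin/sh
# Added example (not from udm-le). Function names are hypothetical.

# Number of certificates in a PEM file (CRLF line endings tolerated).
count_pem_certs() {
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN CERTIFICATE-----$/ { n++ }
         END { print n + 0 }' "$1"
}

# Write only the first certificate of bundle $1 to $2.
# Assumption: the server (leaf) certificate comes first in the bundle.
extract_leaf_cert() {
    tmp="$2.tmp.$$"
    if awk '{ sub(/\r$/, "") }
            /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
            inside { print }
            inside && /^-----END CERTIFICATE-----$/ { ok = 1; exit }
            END { exit (ok ? 0 : 1) }' "$1" > "$tmp"
    then mv "$tmp" "$2"
    else rm -f "$tmp"; return 1
    fi
}

# Classify a private key by its PEM label: rsa, ec, pkcs8 (the label does
# not reveal the algorithm), or unknown.
key_type() {
    label=$(awk '/^-----BEGIN [A-Z ]*PRIVATE KEY-----/ { sub(/\r$/, ""); print; exit }' "$1")
    case $label in
        '-----BEGIN RSA PRIVATE KEY-----') echo rsa ;;
        '-----BEGIN EC PRIVATE KEY-----')  echo ec ;;
        '-----BEGIN PRIVATE KEY-----')     echo pkcs8 ;;
        *)                                 echo unknown ;;
    esac
}

# Gate a deployment: require an RSA-labelled key and produce a file with
# exactly one certificate. pkcs8 keys are refused because the label alone
# cannot confirm RSA.
# $1 = bundle, $2 = key, $3 = output path for the leaf-only certificate.
predeploy_check() {
    kt=$(key_type "$2")
    [ "$kt" = rsa ] || { echo "refusing: key type is $kt, not rsa" >&2; return 1; }
    n=$(count_pem_certs "$1")
    [ "$n" -ge 1 ] || { echo "refusing: no certificate in $1" >&2; return 1; }
    extract_leaf_cert "$1" "$3" || return 1
    echo "ok: kept 1 of $n certificates"
}

# Stand-alone use: sh predeploy.sh bundle.crt key.pem leaf.crt
if [ "$#" -eq 3 ]; then
    predeploy_check "$@"
fi
```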

[BUG] Can't use subdomain with CloudFlare

Describe the bug
When using the DNS challenge with an FQDN of the form 'hostname.subdomain.mydomain.com', the script attempts to update the zone 'subdomain.mydomain.com' in CloudFlare, which fails because the zone is 'mydomain.com'

Expected behavior
Script updates the mydomain.com zone. CloudFlare does not allow the creation of a sub-zone.

Logs

# ./udm-le.sh initial
Attempting initial certificate generation
# 2021/08/22 17:47:30 [INFO] [unifi.home.(mydomain).com] acme: Obtaining bundled SAN certificate
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/24181593740
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: Could not find solver for: tls-alpn-01
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: Could not find solver for: http-01
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: use dns-01 solver
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: Preparing to solve DNS-01
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: Cleaning DNS-01 challenge
2021/08/22 17:47:31 [WARN] [unifi.home.(mydomain).com] acme: cleaning up failed: cloudflare: failed to find zone home.(mydomain).com.: Zone could not be found
2021/08/22 17:47:32 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/24181593740
2021/08/22 17:47:32 Could not obtain certificates:
        error: one or more domains had a problem:
[unifi.home.(mydomain).com] [unifi.home.(mydomain).com] acme: error presenting token: cloudflare: failed to find zone home.(mydomain).com.: Zone could not be found

DNS Provider

Hi!

I hope someone can help me. I just bought a domain in Google Domains, and I'm trying to set up a certificate for my UDMP. The thing is I don't know how to configure the DNS provider option. I don't even know if this is possible or maybe I need something else...

Thanks in advance for your help!

Typo in the aws mount instruction

There is a typo in the aws mount instruction, would it matter that I create a separate pull request on that, since it's not conflicting code to my other?

[FEATURE] Guidance to configure Domain in Unifi OS

Is your feature request related to a problem? Please describe.
I'm using CloudFlare DDNS, I end up having issues with actually using (accessing) this add-on. Would also be nice to find a way to use CloudFlare Access for authentication purposes.

Describe the solution you'd like
Please provide instructions on how to configure our sub-domain or wildcard within Unifi, to access the admin UI via the Domain we issued a certificate for.

Describe alternatives you've considered
I'm not sure what keeps going wrong, as DuckDNS (running off an RPi) worked just fine, but that's missing IP masking.

[BUG] udm-le.sh initial encounters a systemd error on UDM Base

Describe the bug
When trying to run udm-le.sh initial on UDM Base, I get the following error.

root@UDM:/data/udm-le# ./udm-le.sh initial
install_lego(): Attempting lego installation
install_lego(): Downloading lego v4.10.2 from https://github.com/go-acme/lego/releases/download/v4.10.2/lego_v4.10.2_linux_arm64.tar.gz
install_lego(): Extracting lego binary from release and placing at /data/udm-le/lego
lego
install_lego(): Verifying integrity of lego binary
install_lego(): Verified lego v4.10.2:ce38abfaccc8c0558e7668c7cb12b3980a6c61e5
create_services(): Creating udm-le systemd service and timer
cp: cannot stat '/data/udm-le/resources/systemd/udm-le.service': No such file or directory

To Reproduce
Steps to reproduce the behavior:

  1. Copy the latest udm-le files to /data/udm-le, configure udm-le.env, and run chmod +x on udm-le.sh
  2. Run udm-le.sh initial
  3. See error

Expected behavior
The script runs as expected, creating jobs and configuring my certificate

Version Information (please complete the following information):

  • UniFi OS: v2.5.16
  • Hardware Type: UDMB

Additional context

  • I am upgrading from the previous udm-le releases that supported UniFi OS 1.x.
