Revision 5 as of 2024-06-28 16:40:41
I almost just want to buy a cloud key because I think it'll be easier. -_-
Now hosted on kubernetes
Yeah it used to be a docker container on illustrious, now I've deployed it on the persica cluster instead. In the process I upgraded from v7.4.162 to v8.2.93 using the excellent linuxserver.io containers.
It works well, and thanks to using MetalLB I can forward all the traffic to the node running the workload, with the dozen or so ports that it wants to use.
Via: https://hub.docker.com/r/linuxserver/unifi-network-application
Deployment notes
This new version now uses an external MongoDB instance, so you have to run that yourself. I just made it another pod in the unifi namespace.
- Dump a backup of the old config from the old instance, I was able to grab 60 days of history (it'd just hang if I asked for more).
- Start the new controller and import that backup dump from the landing page. Give it 5-10min then it'll be up and running.
- Unifi controller is now running on a new (MetalLB) IP address, so update the DNS entry for unifi.thighhighs.top to point to that, and wait about 5min for it to propagate.
- All the APs and switches should now be talking to the new controller.
And that's about it! Remarkably easy.
TLS cert for unifi
This is one thing we need to do again: by default the controller generates its own self-signed cert, and we want to use a real one. Because this is a Java app, it does everything itself and stores the key and cert in a Java keystore, so we have to deal with that pain in the arse.
Faff with the keystore so you can jam in your publicly signed cert. This is a script that I found and adapted.
The process goes something like this:
- Convert your normal PEM-format cert into a PKCS12 container, I don't understand all this but it works. You do this outside the container, on your workstation or whatever.
- Copy the resultant .p12 file into the pod. It's not necessary, but we'll leave it on the persistent volume that the Unifi controller uses.
- Using the magic Java tools, import the p12 cert into the keystore.
- Restart the Unifi controller so it picks up the new cert.
This has been adapted from a previous local docker setup, but it should work fine in k8s.
Convert the cert from PEM to p12
This assumes you're keeping the cert in /etc/ssl/ or similar, we'll put the p12 in there as well.
{{{
#!/bin/bash
# Hacked together by Barney Desmond on 2022-11-03
# Updated again on 2024-06-29
#
# Convert cert to PKCS12 format
# Ignore warnings
# Turns out we need to enable legacy mode, because Unifi's keytool can't read
# the new OpenSSL 3.0.2 encryption.
# https://community.ui.com/questions/New-Openssl-v3-may-break-your-controller-network-application-keystore/2e4133d9-d6dd-4a22-acfe-e5d671ffaee4
openssl pkcs12 -export -legacy \
    -inkey /etc/ssl/STAR_thighhighs_top.key \
    -in /etc/ssl/STAR_thighhighs_top.crt \
    -out /etc/ssl/STAR_thighhighs_top.p12 \
    -name unifi -password pass:unifi

cat <<EOF
Now go copy the p12 file into the Unifi controller container/PVC.
Then we'll import the cert into the keystore, from inside the running container.
EOF
}}}
Copy the p12 cert into the k8s pod
I'm sure there's sensible ways to do this, I personally think it's just easiest to copypasta the thing in via base64.
{{{
base64 STAR_thighhighs_top.p12

# get a shell into the container
kubectl -n unifi exec deployment.apps/network -it -- /bin/bash

# you'll be dropped in /usr/lib/unifi but your persistent volume is mapped to /config
# `data` is a symlink to /config/data so we can cd to that
cd /config/data/

# pump the cert into a file
cat <<EOF | base64 -d > STAR_thighhighs_top.p12
... paste the base64 encoded .p12 cert here ...
EOF
}}}
Your cert is now sitting in the pod at /config/data/STAR_thighhighs_top.p12
Import the p12 cert into the Java keystore
Create this script inside the same directory, you only need to do this once as it'll stick around for future certificate renewals. You can pipe it into a file with the shell, or install an editor with apt update ; apt install -y vim-tiny
{{{
#!/bin/bash
# This is unifi-import-cert.sh
# From https://util.wifi.gl/unifi-import-cert.sh which is now dead
# Modified by Barney Desmond on 2021-04-20 to just use a normal static paid-for cert.
# Author: Frank Gabriel, 01.01.2019
# Credits Kalle Lilja, @SprockTech and others
# Script location: /etc/letsencrypt/renewal-hooks/post/unifi-import-cert.sh (important for auto renewal)
# Tested with Debian 9 and UniFi 5.8.28, 5.9.22 and 5.9.32 - should work with any recent Unifi and Ubuntu/Debian releases

# This is where the keystore lives inside the container
UNIFI_DATADIR=/config/data

# Backup previous keystore
cp -av "${UNIFI_DATADIR}/keystore" "${UNIFI_DATADIR}/keystore.backup.$(date +%F_%R)"

# Install certificate
# Ignore warnings
keytool -importkeystore \
    -deststorepass aircontrolenterprise \
    -destkeypass aircontrolenterprise \
    -destkeystore "${UNIFI_DATADIR}/keystore" \
    -srckeystore STAR_thighhighs_top.p12 \
    -srcstoretype PKCS12 \
    -srcstorepass unifi \
    -alias unifi \
    -noprompt
}}}
Now make the script executable (chmod +x unifi-import-cert.sh) and run it to do the import:
{{{
root@network-6d6b5b85f6-qp4k8:/config/data# ./unifi-import-cert.sh
'/config/data/keystore' -> '/config/data/keystore.backup.2024-06-29_02:29'
Importing keystore STAR_thighhighs_top.p12 to /config/data/keystore...
Warning: Overwriting existing alias unifi in destination keystore
}}}
The .p12 holds the private key under a throwaway password and the weaker legacy encryption, so delete it from /config/data once the import has succeeded; the key now lives in the keystore. Exit the shell from the pod, you're done.
Restart the pod
The cert is imported but not yet active. Restart the service to pick it up; deleting the pod is usually the easiest way.
{{{
kubectl -n unifi delete pod -l app=unifi-network-application,tier=web
}}}
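The whole convert / copy / import / restart procedure above, as one re-runnable rotation script with the checks the page skips. This is an added example, not the wiki's own script: it verifies the .p12 actually carries the cert before it goes near the pod, lists the alias after the keytool import, removes the .p12 from the PVC, and after the restart compares the fingerprint the controller serves against the local cert. The p12 password comes from the P12_PASS environment variable (openssl's env: form and keytool's :env modifier) rather than -password pass:unifi on the command line, so it does not land in shell history or ps output. Assumptions not stated on the page: the controller's HTTPS port is 8443, kubectl cp works against the pod, the image's keytool accepts the :env modifier, and a pod selector of app=unifi-network-application,tier=web (taken from the restart step). The keystore password aircontrolenterprise is UniFi's well-known default.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): PEM -> p12 -> Java keystore -> pod restart,
# with verification at each hop. Assumed: port 8443, `kubectl cp`, keytool ':env'
# password modifier, and P12_PASS exported by the caller.
set -eo pipefail

CERT=${CERT:-/etc/ssl/STAR_thighhighs_top.crt}
KEY=${KEY:-/etc/ssl/STAR_thighhighs_top.key}
P12=${P12:-/etc/ssl/STAR_thighhighs_top.p12}
HOST=${HOST:-unifi.thighhighs.top}
NAMESPACE=${NAMESPACE:-unifi}
SELECTOR='app=unifi-network-application,tier=web'   # assumed pod label selector
KEYSTORE_PASS=aircontrolenterprise                   # UniFi's well-known default

# OpenSSL 3 needs -legacy both to write and to read the RC2/3DES p12 the bundled
# keytool understands; OpenSSL 1.1 already uses those ciphers by default.
p12_legacy_flag() {
  case "$(openssl version)" in OpenSSL\ 3*) echo -legacy ;; esac
}

# SHA-256 fingerprint (colon-separated hex) of the first PEM certificate on stdin.
fingerprint_stdin() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

cert_fingerprint() { fingerprint_stdin < "$1"; }

# cert_to_p12 CERT KEY OUT : build the PKCS#12 bundle, password taken from $P12_PASS.
cert_to_p12() {
  openssl pkcs12 -export $(p12_legacy_flag) -inkey "$2" -in "$1" -out "$3" \
    -name unifi -passout env:P12_PASS
  chmod 600 "$3"   # it contains the private key
}

# Fingerprint of the certificate inside a p12: proves the bundle is readable and
# carries the cert we think it does before it is copied into the pod.
p12_fingerprint() {
  openssl pkcs12 -in "$1" $(p12_legacy_flag) -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
    | fingerprint_stdin
}

# Fingerprint of the cert the live controller presents (port 8443 is an assumption).
served_fingerprint() {
  openssl s_client -connect "$1:8443" -servername "$1" </dev/null 2>/dev/null | fingerprint_stdin
}

rotate_unifi_cert() {
  : "${P12_PASS:?export P12_PASS (throwaway password for the transient .p12) first}"
  export P12_PASS
  local pod want
  want=$(cert_fingerprint "$CERT")
  cert_to_p12 "$CERT" "$KEY" "$P12"
  [ "$(p12_fingerprint "$P12")" = "$want" ] || { echo "p12 does not match $CERT" >&2; return 1; }

  pod=$(kubectl -n "$NAMESPACE" get pod -l "$SELECTOR" -o jsonpath='{.items[0].metadata.name}')
  kubectl -n "$NAMESPACE" cp "$P12" "$pod:/config/data/unifi.p12"

  # Import inside the pod. The p12 password travels over stdin rather than argv,
  # the alias is listed to confirm the import, and the bundle is removed from the PVC.
  printf '%s\n' "$P12_PASS" | kubectl -n "$NAMESPACE" exec -i "$pod" -- bash -c '
    set -e; read -r P12_PASS; export P12_PASS; cd /config/data
    cp -a keystore "keystore.backup.$(date +%F_%R)"
    keytool -importkeystore -noprompt -alias unifi \
      -srckeystore unifi.p12 -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
      -destkeystore keystore -deststorepass '"$KEYSTORE_PASS"' -destkeypass '"$KEYSTORE_PASS"'
    keytool -list -keystore keystore -storepass '"$KEYSTORE_PASS"' -alias unifi
    rm -f unifi.p12'
  rm -f "$P12"

  kubectl -n "$NAMESPACE" delete pod "$pod"
  kubectl -n "$NAMESPACE" wait --for=condition=Ready pod -l "$SELECTOR" --timeout=300s
  [ "$(served_fingerprint "$HOST")" = "$want" ] \
    && echo "controller now serves $want" \
    || { echo "served cert still differs from $CERT" >&2; return 1; }
}

# Only the fingerprint/p12 helpers run when sourced; `./rotate.sh rotate` does the lot.
if [ "${1:-}" = rotate ]; then rotate_unifi_cert; fi
```

Run it as `P12_PASS=$(openssl rand -hex 16) ./rotate.sh rotate` after dropping the renewed cert and key into /etc/ssl. If the final fingerprint comparison fails, the keystore backup taken inside the pod is there to copy back over /config/data/keystore before restarting the pod again.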