Non-default X.509 certs on EdgeOS?
I realize that Ubiquiti may be in the same “too ashamed to talk publicly about it” bucket as Mikrotik, so feel free to email me off list instead of replying publicly - is anyone else here running non-default x.509 certs for the web GUI on the Ubiquiti EdgeRouter? [*]

I thought I had a fairly bulletproof recipe, sticky across more than a year of reboots, but on a recent power outage somehow things reverted to the factory self-signed cert. ER4 still on EdgeOS 1.x.

Any thoughts from people who are also doing this would be appreciated.

-r

[*] - ER4 is on a residential connection, housekeeping raspi keeps DNS updated with current external IP address. If we use ping to monitor in Nagios, in the event of a power event when someone else gets our old address we get a false service-ok alert, so instead we allow only the monitoring system to touch the otherwise-unused web gui on the external interface, and look for the CN to be what we’re expecting. Works great, so long as the cert I put there stays...

Sent from my iPad
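A concrete version of the monitor Rob describes, added here as an example and not something posted in the thread: a Nagios-style plugin in Python that opens a TLS connection to the router's external address, verifies the chain against a locally stored copy of the router's certificate (or the private CA that issued it), and reports OK only when the subject CN is the one we installed. The trust-anchor path, the expected CN, the warning threshold and the sample certificate dict are placeholders I constructed; the first two need to be replaced with your own values.

```python
"""check_router_cert.py: Nagios-style check that the router's web GUI still
presents the certificate we installed (added example, not from the thread).

Assumes the router's own certificate, or the CA that issued it, is saved at
TRUST_ANCHOR_PEM, and that the CN we expect is EXPECTED_CN. Both are placeholders.
"""
import socket
import ssl
import sys
import time

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Placeholder values: replace with the real ones for your router.
TRUST_ANCHOR_PEM = "/etc/nagios/edgerouter-anchor.pem"
EXPECTED_CN = "er4.example.net"
WARN_DAYS = 14

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, so the
# decision logic can be exercised without a network. Expires 2030-01-01 UTC.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "er4.example.net"),)),
    "subjectAltName": (("DNS", "er4.example.net"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def subject_cn(cert):
    """Pull commonName out of the nested RDN tuples getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def evaluate_cert(cert, expected_cn, now=None, warn_days=WARN_DAYS):
    """Decide the Nagios status for an already-verified peer certificate dict.

    Pure function (no I/O) returning (exit_code, message) so it can be tested offline.
    """
    now = time.time() if now is None else now
    if not cert:
        # ssl returns {} when the chain was not verified; never let that pass as OK.
        return CRITICAL, "CRITICAL - no verified certificate presented"
    cn = subject_cn(cert)
    if cn != expected_cn:
        # The failure mode ping cannot see: something answers on the address, but
        # it is not our router.
        return CRITICAL, f"CRITICAL - CN is {cn!r}, expected {expected_cn!r}"
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        return CRITICAL, f"CRITICAL - cert for {cn} expired {-days_left:.0f} days ago"
    if days_left < warn_days:
        return WARNING, f"WARNING - cert for {cn} expires in {days_left:.0f} days"
    return OK, f"OK - cert CN {cn} matches, {days_left:.0f} days left"


def fetch_peer_cert(host, port=443, cafile=TRUST_ANCHOR_PEM, timeout=5.0):
    """Connect, verify the chain against our own trust anchor, return the cert dict.

    check_hostname is off because we reach the router through a dynamic DNS name
    or bare IP and compare the CN ourselves in evaluate_cert(); CERT_REQUIRED stays
    on so a cert that merely copies the CN is still rejected.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def check_router(host, port=443):
    """Network path: returns (exit_code, message) exactly as a Nagios plugin would."""
    try:
        cert = fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        # A factory self-signed cert reappearing after a reboot lands here.
        return CRITICAL, f"CRITICAL - chain did not verify against our anchor: {exc}"
    except (OSError, ssl.SSLError) as exc:
        return CRITICAL, f"CRITICAL - TLS connection failed: {exc}"
    return evaluate_cert(cert, EXPECTED_CN)


if __name__ == "__main__":
    code, msg = check_router(sys.argv[1] if len(sys.argv) > 1 else EXPECTED_CN)
    print(msg)
    sys.exit(code)
```

Two design points matter for the false-OK problem in the footnote. First, an empty dict from `getpeercert()` is treated as CRITICAL, because Python hands back `{}` whenever the chain was not verified, and a check that matched on an unverified CN would pass a stranger's host just as readily as ping does. Second, the chain is verified against your own stored copy of the router cert or CA rather than the system trust store, so the exact event Rob hit (the factory self-signed cert coming back after a power outage) shows up as a verification failure rather than a quiet pass. The router-side half is the thread's own advice: keep the cert under `/config/ssl/` and point the `service gui cert-file` option at it so it survives reboots.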
Are you using ‘service gui {ca,dh,cert}-file’ options to replace the cert? Put the certs in /config/ssl/ and they’ll persist across upgrades and reboots.

Don’t just replace the lighttpd cert files anymore - it has been an obsolete way of doing it for a looong time.

Also, 2.0.8 has been stable for at least a year now, 2.0.9 just got released with a bunch of updates that include Ethernet driver and net filter tables optimizations (i.e., big performance boosts). Probably shouldn’t be running 1.x anymore really, especially on the later generation hardware.

Sent from my iPad
On Dec 31, 2020, at 6:14 AM, Rob Seastrom <rs-lists@seastrom.com> wrote:
On Dec 31, 2020, at 9:08 AM, Brielle <bruns@2mbit.com> wrote:
Don’t just replace the lighttpd cert files anymore - it has been an obsolete way of doing it for a looong time.
Guilty. Thanks for the clue; I had literally no idea that things had evolved (and honestly, hadn't done much to my config other than opening ports and changing tunnel endpoints since I got one of the very first er-lites back in 2013). I've been told to move to 2.x for a while. Guess I probably ought to do that.

-r