```shell
# Some UniFi devices may not have the current ISRG Root X1 cert that Let's Encrypt chains to.
# Some devices also ship an older OpenSSL (pre-1.1.0). Those versions do not build an
# alternative chain, so they reject a Let's Encrypt cert whenever the expired
# DST Root CA X3 is in the chain, even though a valid path to ISRG Root X1 exists.
# Fix: drop DST Root CA X3 from the device's trust store and make sure ISRG Root X1 is in it.

# USG
# This has an older OpenSSL version, and the current ISRG Root X1 cert is not included in the latest firmware.
sudo -i
# Disable the expired root in the ca-certificates config (a leading '!' excludes the entry).
sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
# Fetch ISRG Root X1. '-k' disables TLS verification (the device cannot yet validate
# letsencrypt.org's own chain), so check the downloaded file's fingerprint against the one
# published at https://letsencrypt.org/certificates/ before rebuilding the bundle.
curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
# Regenerate /etc/ssl/certs/ca-certificates.crt from scratch.
update-ca-certificates --fresh

# UDM
# This is needed at the hardware OS level because of the older OpenSSL version there.
# ISRG Root X1 should already be included.
rm /etc/ssl/certs/DST_Root_CA_X3.pem
cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt

# If for some crazy reason you want to put the expired cert back on the UDM
ln -s ../../../usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt /etc/ssl/certs/DST_Root_CA_X3.pem
cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt

# UAP
# Some older UAPs have an older version of OpenSSL.
# ISRG Root X1 should be included in the latest firmware.
mv /etc/ssl/certs/DST_Root_CA_X3.crt /etc/ssl/certs/DST_Root_CA_X3.old
```
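The following is an added example, not code from the gist or from Ubiquiti: it rehearses the USG and UDM edits above (disabling the conf entry, removing the root, rebuilding the bundle) against a throwaway trust store built from constructed test CAs, and runs the checks from the answer in the comments (listing bundle subjects with the awk/openssl pipeline) plus an `openssl verify` before and after. The two roots and two leaves are constructed stand-ins, not the real DST Root CA X3 or ISRG Root X1; the `openssl` CLI, `mktemp`, GNU `sed -i` and every path under `$WORK` are assumptions. Whatever chains only to the removed root stops verifying, which is the thing to confirm on a real device before and after the edit.

```shell
#!/bin/sh
# Added example, not part of the gist: rehearse the gist's trust-store edits against a
# throwaway bundle built from constructed test CAs. Needs the openssl CLI; all paths
# below are assumptions that stand in for /etc/ssl/certs and /etc/ca-certificates.conf.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERTS="$WORK/certs"                # stands in for /etc/ssl/certs
BUNDLE="$CERTS/ca-certificates.crt"
CONF="$WORK/ca-certificates.conf"  # stands in for /etc/ca-certificates.conf
mkdir -p "$CERTS"

# Minimal openssl config so the test roots carry CA:TRUE whatever the host's defaults are.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_root <stem> <CN>: self-signed test root written to $WORK/<stem>.pem
make_root() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Test/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf <root-stem> <leaf-stem> <CN>: leaf cert signed by one of the test roots
make_leaf() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.pem" 2>/dev/null
}

# bundle_subjects <bundle>: one subject line per cert (the pipeline from the comments)
bundle_subjects() {
    awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < "$1"
}

# bundle_has <bundle> <CN fragment>: succeeds if a cert with that subject is in the bundle
bundle_has() {
    bundle_subjects "$1" | grep -q -- "$2"
}

# rebuild_bundle <certs-dir> <bundle>: the UDM step, concatenating whatever roots remain
rebuild_bundle() {
    cat "$1"/*.pem > "$2"
}

# disable_conf_entry <conf> <entry>: the USG step; '!' makes update-ca-certificates skip it
disable_conf_entry() {
    sed -i "s|^$2\$|!$2|" "$1"
}

# conf_entry_enabled <conf> <entry>: succeeds if the entry is still active in the config
conf_entry_enabled() {
    grep -qx -- "$2" "$1"
}

# verify_leaf <bundle> <leaf>: succeeds if the leaf chains to a root present in the bundle
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- constructed starting state: both roots trusted, one leaf issued under each ---
make_root dst  "Test DST Root CA X3"   # stand-in for the expired root
make_root isrg "Test ISRG Root X1"     # stand-in for the root to keep
cp "$WORK/dst.pem"  "$CERTS/DST_Root_CA_X3.pem"
cp "$WORK/isrg.pem" "$CERTS/ISRG_Root_X1.pem"
make_leaf isrg leaf_isrg "device.example"
make_leaf dst  leaf_dst  "legacy.example"
rebuild_bundle "$CERTS" "$BUNDLE"
printf 'mozilla/DST_Root_CA_X3.crt\nmozilla/ISRG_Root_X1.crt\n' > "$CONF"
echo "before:"; bundle_subjects "$BUNDLE"

# --- apply the gist's edits to the throwaway store ---
disable_conf_entry "$CONF" "mozilla/DST_Root_CA_X3.crt"
rm "$CERTS/DST_Root_CA_X3.pem"
rebuild_bundle "$CERTS" "$BUNDLE"
echo "after:"; bundle_subjects "$BUNDLE"

# Anything that chains only to the removed root now fails; that is the check to run
# against the services a real device talks to, before and after the edit.
if verify_leaf "$BUNDLE" "$WORK/leaf_isrg.pem"; then echo "leaf under kept root: OK"; fi
if ! verify_leaf "$BUNDLE" "$WORK/leaf_dst.pem"; then echo "leaf under removed root: rejected"; fi
```

On a real device the same two checks apply to the live bundle: `bundle_has`-style grep of the subject list for `ISRG Root X1`, and `openssl s_client -connect <host>:443 -CAfile /etc/ssl/certs/ca-certificates.crt` reporting `Verify return code: 0 (ok)` for a Let's Encrypt endpoint.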
Thanks, you saved my life ;)
Ha! Glad it helped. 👍
Should ISRG_Root_X1.crt appear in /etc/ca-certificates.conf after running the commands on a USG?
I get an OK from the below but cannot see the cert in the file (DST_Root_CA_X3.crt is prefixed with a ! as advised, though):
openssl s_client -showcerts -connect ips1.unifi-ai.com:443
No, but you'll see it if you run this command:
ls -la /etc/ssl/certs/ISRG*
You should also see it with this command:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep 'ISRG Root'
Thanks, that's what I needed.