Certificate locations on UDM(P)

Alexander Wolf edited this page Oct 13, 2024 · 7 revisions

UDM(P) Certificate Locations and black magic

Seems like UI has the intention to provide the user the largest potential to adjust systems to their needs. I trust they are working on a thorough documentation when done with their solar panels or whatever comes next, on a best effort. In other words, one could also get the impression they want to make it as complicated as possible.

With the breaking changes in V3.2.7, it became even more convoluted.

Console ("HTTPS Web Interface" aka UniFi OS)

Where to find and put the cert and key files - files are here:

# to secure the core web services
UBIOS_CERT_PATH='/data/unifi-os/unifi-core/config'

On the other hand, they're not... it seems they get overwritten from time to time with self-signed certificates ("unifi.local").

A YAML file will store the paths to cert and key for the web server.

unifi_core_config_path="/data/unifi-core/config/overrides/local.yaml"

For example, like so:

# File created by ubios-cert (certificates for Unifi Dream Machines).
ssl:
  crt: '/data/ubios-cert/certificates/unifi-core.crt'
  key: '/data/ubios-cert/certificates/unifi-core.key'

At certain "moments" (not clear to me when), some hidden service will update the file `/data/unifi-core/config/http/local-certs.conf`, which will then look like this:

ssl_certificate     /data/ubios-cert/certificates/unifi-core.crt;
ssl_certificate_key /data/ubios-cert/certificates/unifi-core.key;
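
One way to check the two files above against each other after a firmware update or reboot, as an added example that is not part of this page's or ubios-cert's own code. The function names are hypothetical, the key-permission check is an extra on top of what the page describes, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not part of ubios-cert): check that the nginx include
# reflects the YAML override and that the referenced key file is private.

# Print "crt key" from the YAML override (crt:/key: entries under ssl:).
yaml_paths() {
    awk '$1=="crt:" {c=$2} $1=="key:" {k=$2} END {print c, k}' "$1" | tr -d "\"'"
}

# Print "crt key" from the nginx-style local-certs.conf.
nginx_paths() {
    awk '$1=="ssl_certificate" {c=$2} $1=="ssl_certificate_key" {k=$2}
         END {print c, k}' "$1" | tr -d ';'
}

# Return codes: 0 consistent, 1 paths differ, 2 file missing, 3 key too open.
check_cert_config() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "config file missing"; return 2; }
    y=$(yaml_paths "$1"); n=$(nginx_paths "$2")
    [ "$y" = "$n" ] && [ "$y" != " " ] || { echo "DRIFT yaml=[$y] nginx=[$n]"; return 1; }
    crt=${y% *}; key=${y#* }
    [ -f "$crt" ] && [ -f "$key" ] || { echo "cert or key file missing"; return 2; }
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || { echo "key readable by others: $key"; return 3; }
    echo "OK $crt"
}

# Constructed sample tree (hypothetical temp paths) so the example runs offline.
make_sample() {
    d=$1; mkdir -p "$d/certs"
    : > "$d/certs/unifi-core.crt"; : > "$d/certs/unifi-core.key"
    chmod 600 "$d/certs/unifi-core.key"
    printf "ssl:\n  crt: '%s'\n  key: '%s'\n" \
        "$d/certs/unifi-core.crt" "$d/certs/unifi-core.key" > "$d/local.yaml"
    printf 'ssl_certificate     %s;\nssl_certificate_key %s;\n' \
        "$d/certs/unifi-core.crt" "$d/certs/unifi-core.key" > "$d/local-certs.conf"
}

if [ $# -eq 2 ]; then
    check_cert_config "$1" "$2"
else
    tmp=$(mktemp -d); make_sample "$tmp"
    check_cert_config "$tmp/local.yaml" "$tmp/local-certs.conf"
    rm -rf "$tmp"
fi
```

On the device, pass the two paths named above (`/data/unifi-core/config/overrides/local.yaml` and `/data/unifi-core/config/http/local-certs.conf`) as arguments; without arguments the script runs against the constructed sample.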

Captive Portal (Guest Hotspot and WiFi-Manager)

Just for fun, UI does use a Java Keystore for that. So well, let's convert the standard certificate and get it imported into that.

# these two items are required for the captive portal only
CERT_IMPORT_CMD='java -jar /usr/lib/unifi/lib/ace.jar import_key_cert'
UNIFIOS_CERT_PATH='/data/unifi-core/config'

Copy the files, then restart

unifi-os restart

Some more hints on that specific keystore can be found here.

RADIUS server certificates

root@udm:~# ls $DATADIR/udapi-config/raddb/certs/
ca.key           ca.pem           index.txt.attr   server-key.pem   server.pem

Bonus: the Redirector

No idea what this is used for. Will be overwritten / recreated during boot.

~# ls -larth $DATADIR/system/ssl/private/redirector
total 24K    
drwxr-xr-x    3 root     root        4.0K Jan  1  2000 ..
-rw-r--r--    1 root     root        1.8K Jan 15 17:28 server.crt
-rw-------    1 root     root        1.6K Jan 15 17:29 server.key
drwxr-xr-x    2 root     root        4.0K Jan 15 17:29 .

Status: Firmware 1.12.37 on UDM Pro, tested January 2023