@plembo
Last active March 3, 2024 00:38
Update SSL certs on Ubiquiti EdgeRouter 4 using the CLI

Manually updating the SSL certificates on the Ubiquiti EdgeRouter 4 using the CLI

Always know how to do... whatever using the cli.

  1. Obtain the server key, server cert and intermediate cert in PEM format. I use letsencrypt.org, and so name my intermediate cert "letsencrypt-chain.crt". The system doesn't care what filename extension you use. I usually use ".key" for keys and ".crt" for certs. In the case of the combo file I used ".pem" just because...

  2. Combine the server key and cert into a single file (in that order):

$ cat server-key.pem server-cert.pem > _.example.com-combo.pem

You can name things anything you want so long as you make sure lighttpd is pointed at those names (see the `set service gui` step below). I always name my keys and certs for the server they're being used on: the "_." prefix is what I use for wildcard certs.

  3. Upload the combo key and cert, along with the intermediate cert, to the router (I use either scp or sftp).

  4. If this is the first time you're installing SSL certs on the router, log into the router and become root (sudo su -) to create the directories under /config (where they won't be overwritten by the next firmware update) that will hold the certs:

$ sudo su -
# mkdir -p /config/ssl/certs
# mkdir -p /config/ssl/private
# chown -R root:root /config/ssl
# chmod go-rx /config/ssl/private

(be sure to remove read and execute permissions for "group" and "other" from anything you copy to /config/ssl/private)

  5. Logged in to the router over ssh as admin, copy the intermediate cert to /config/ssl/certs, for example:

$ sudo cp letsencrypt-chain.crt /config/ssl/certs

  6. Then copy the combo key and cert to /config/ssl/private, again as admin:

$ sudo cp _.example.com-combo.pem /config/ssl/private

Be sure that only root can read this (because it contains your server key):

$ sudo chmod 600 /config/ssl/private/_.example.com-combo.pem

  7. If this is the first time you're installing SSL certs on the router, reconfigure the GUI service so the lighttpd 10-ssl.conf that EdgeOS generates from it points to where your certs are:

$ configure
# set service gui cert-file /config/ssl/private/_.example.com-combo.pem
# set service gui ca-file /config/ssl/certs/letsencrypt-chain.crt
# commit
# save
$

From this point on you shouldn't need to touch this config, unless you do something like change the name of the certs involved.

  8. Restart lighttpd:

$ sudo systemctl stop lighttpd
$ sudo systemctl start lighttpd
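The steps above trust that the three files you were handed actually belong together and that the combo was assembled in the right order; nothing checks that until lighttpd either serves the cert or silently falls back. The script below is an added example, not part of the gist, for running on the workstation before the upload: it builds the combo file with a 0600 mode from the moment it exists, confirms the key matches the cert, verifies the chain through the intermediate, checks the expiry, and checks the resulting permissions. Filenames follow the gist; the throwaway root/intermediate/leaf PKI in `make_test_pki` is constructed test data so the checks can be exercised offline (pass no root file to `chain_ok` for a real Let's Encrypt cert, so the system trust store is used). Only openssl is required.

```shell
#!/bin/sh
# Added example, not from the gist: pre-flight checks to run on the workstation
# before uploading the combo file to the EdgeRouter. Needs only openssl.
# Filenames follow the gist; the throwaway CA in make_test_pki is constructed
# test data so the checks can be exercised offline.
set -eu

# Key first, then cert (the order lighttpd expects in ssl.pemfile). The subshell
# umask makes the file 0600 from the moment it exists, so there is no window in
# which the private key is readable by other local users.
build_combo() {
    key=$1; cert=$2; out=$3
    (umask 077; cat "$key" "$cert" > "$out")
}

# Sanity check the order: the first PEM block in the combo should be the key.
combo_key_first() {
    head -n 1 "$1" | grep -q 'PRIVATE KEY'
}

# A key belongs to a cert iff both yield the same SubjectPublicKeyInfo.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The leaf ($1) must verify through the intermediate(s) in $2 to a trusted root.
# Pass a root file as $3 for a private CA; omit it to use the system trust
# store (the Let's Encrypt case).
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Refuse to deploy a cert that expires within $2 days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Group and other must have no bits at all (what the gist's chmod 600 achieves).
private_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build a throwaway root -> intermediate -> leaf PKI in directory $1
# (constructed test data, 30-day certs) so the checks above can be exercised.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:router.example.com\n' > "$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=TestRoot \
        -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/letsencrypt-chain.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=router.example.com \
        -keyout "$d/server-key.pem" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$d/server.csr" -CA "$d/letsencrypt-chain.crt" \
        -CAkey "$d/int.key" -CAcreateserial -extfile "$d/leaf.ext" \
        -out "$d/server-cert.pem" >/dev/null 2>&1
}

# Run every check against a directory laid out like the gist's (no spaces in
# the path); prints a verdict per check and returns non-zero if any fails.
preflight() {
    d=$1
    build_combo "$d/server-key.pem" "$d/server-cert.pem" "$d/_.example.com-combo.pem"
    rc=0
    for check in \
        "combo_key_first $d/_.example.com-combo.pem" \
        "key_matches_cert $d/server-key.pem $d/server-cert.pem" \
        "chain_ok $d/server-cert.pem $d/letsencrypt-chain.crt ${2:-}" \
        "valid_for_days $d/server-cert.pem 14" \
        "private_perms_ok $d/_.example.com-combo.pem"; do
        if $check; then echo "ok   $check"; else echo "FAIL $check"; rc=1; fi
    done
    return $rc
}

# Stand-alone demo: build the throwaway PKI in a temp dir and run the checks.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    preflight "$tmp" "$tmp/root.crt"
fi
```

Because the combo file is created 0600 locally, uploading it with `scp -p` and then `sudo cp` on the router leaves it 0600 at every step; the gist's `chmod 600` then only confirms what is already true, instead of closing a window during which the key sat world-readable in the admin's home directory. Once lighttpd is restarted, check what the router actually serves from a second machine with `openssl s_client -connect <router>:443 -servername <your-name> </dev/null | openssl x509 -noout -dates -issuer`; the issuer line is the quickest way to spot that the old self-signed cert is still in use.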
plembo commented Feb 14, 2021

I've updated this procedure in light of recent experience after a firmware update. I think it's much better now.
