-
-
Save sprocktech/aeff3e367c77b2b01ac8c0ea30491c9d to your computer and use it in GitHub Desktop.
| # Some UniFi devices may not have the current ISRG root cert that LE uses | |
| # Some devices also have an older version of OpenSSL | |
| # These older versions will not validate a cert if the expired DST root cert is part of the chain | |
| # USG | |
| # This has an older OpenSSL version | |
| # The current ISRG root cert is not included in the latest firmware | |
| sudo -i | |
| sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf | |
| curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt | |
| update-ca-certificates --fresh | |
| # UDM | |
| # This is needed at the hardware OS level because of the older OpenSSL version there | |
| # The ISRG root cert should already be included | |
| rm /etc/ssl/certs/DST_Root_CA_X3.pem | |
| cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt | |
| # If for some crazy reason you want to put the expired cert back on the UDM | |
| ln -s ../../../usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt /etc/ssl/certs/DST_Root_CA_X3.pem | |
| cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt | |
| # UAP | |
| # Some older UAPs have an older version of OpenSSL | |
| # The ISRG root cert should be included in the latest firmware | |
| mv /etc/ssl/certs/DST_Root_CA_X3.crt /etc/ssl/certs/DST_Root_CA_X3.old |
Thanks, you saved my life ;)
Ha! Glad it helped. 👍
should ISRG_Root_X1.crt appear in /etc/ca-certificates.conf after running the commands on a USG ?
I get an ok from the below but cannot see the cert in the file - DST_Root_CA_X3.crt is prefixed with a ! as advised though openssl s_client -showcerts -connect ips1.unifi-ai.com:443
No, but you'll see it if you run this command:
ls -la /etc/ssl/certs/ISRG*
You should also see it with this command:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep 'ISRG Root'
should ISRG_Root_X1.crt appear in /etc/ca-certificates.conf after running the commands on a USG ?
I get an ok from the below but cannot see the cert in the file - DST_Root_CA_X3.crt is prefixed with a ! as advised though openssl s_client -showcerts -connect ips1.unifi-ai.com:443No, but you'll see it if you run this command:
ls -la /etc/ssl/certs/ISRG*You should also see it with this command:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep 'ISRG Root'
thanks thats what i needed
Thanks, you saved my life ;)