Last active October 11, 2021 13:50
Ubiquiti UniFi - Fix for the Let's Encrypt DST Root CA X3 Expiration
# Some UniFi devices may not have the current ISRG root cert that Let's Encrypt (LE) uses
# Some devices also have an older version of OpenSSL
# These older versions will not validate a cert if the expired DST root cert is part of the chain

# USG
# This has an older OpenSSL version
# The current ISRG root cert is not included in the latest firmware
sudo -i
# A leading "!" in ca-certificates.conf deselects the expired DST root
sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
# -k turns off TLS verification for this download, so the file is not authenticated in transit
curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
# Rebuild /etc/ssl/certs from the updated configuration
update-ca-certificates --fresh

# UDM
# This is needed at the hardware OS level because of the older OpenSSL version there
# The ISRG root cert should already be included
rm /etc/ssl/certs/DST_Root_CA_X3.pem
# Rebuild the bundle from the remaining certs
cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt

# If for some crazy reason you want to put the expired cert back on the UDM
ln -s ../../../usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt /etc/ssl/certs/DST_Root_CA_X3.pem
cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt

# UAP
# Some older UAPs have an older version of OpenSSL
# The ISRG root cert should be included in the latest firmware
mv /etc/ssl/certs/DST_Root_CA_X3.crt /etc/ssl/certs/DST_Root_CA_X3.old
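
The USG step fetches the new trust anchor with `curl -sk`, so TLS does not authenticate the download. As an added example (not part of the original gist), this sketch installs the file only if its SHA-256 fingerprint matches a value obtained out of band; the helper names, the `/tmp` scratch path and `$PIN` are assumptions.

```sh
#!/bin/sh
# Added example, not part of the gist. pem_sha256 and install_pinned_root are
# hypothetical helper names; the pin must come from a trusted source.

# Print the SHA-256 of the DER bytes in the first PEM block of file $1, as
# lowercase hex. This is the digest `openssl x509 -noout -fingerprint -sha256`
# shows (there in uppercase with colons).
pem_sha256() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         p' "$1" | tr -d ' \r\n' | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# install_pinned_root SRC EXPECTED DEST
# Copies SRC to DEST only when its fingerprint equals EXPECTED.
# Returns 0 on install, 1 on mismatch, 2 on unusable input.
install_pinned_root() {
    src=$1; expected=$2; dest=$3
    # Accept the pin with or without colons, in either case
    want=$(printf '%s' "$expected" | tr -d ': ' | tr 'A-F' 'a-f')
    case $want in
        ''|*[!0-9a-f]*) echo "pin is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "pin is not 64 hex digits" >&2; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$src" 2>/dev/null ||
        { echo "no PEM certificate in $src" >&2; return 2; }
    got=$(pem_sha256 "$src")
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch, not installing: $got" >&2
        return 1
    fi
    cp "$src" "$dest"
}

# On the USG, download to a scratch path first, then install through the check:
#   curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /tmp/isrgrootx1.pem
#   install_pinned_root /tmp/isrgrootx1.pem "$PIN" \
#       /usr/local/share/ca-certificates/ISRG_Root_X1.crt &&
#       update-ca-certificates --fresh
```

Read the expected fingerprint on a machine whose trust store already validates the Let's Encrypt chain, then carry it to the device as `$PIN`.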
Thanks, that's what I needed