I have achieved PARTIAL SUCCESS in installing Godaddy SSL Certificate in UniFi Cloud Key Gen 2 Plus
Turritopsis Dohrnii Teo En Ming
tdtemccnp at gmail.com
Tue Oct 25 14:00:32 UTC 2022
Good day from Singapore,
I am posting here because UniFi Cloud Key Gen 2 Plus is powered by Debian
GNU/Linux 9.
I have found many reference guides on installing an SSL certificate in the
UniFi Cloud Key. Please refer to the following list.
[1] How to install a SSL Certificate on Unifi Cloud Key
Link:
https://community.ui.com/questions/How-to-install-a-SSL-Certificate-on-Unifi-Cloud-Key/944dbbd6-cbf6-4112-bff5-6b992fcbf2c4#:~:text=Rename%20your%20purchased%20SSL%20certificate,Upload%20to%20Cloud%20Key%E2%80%9D%20folder.&text=Before%20we%20restart%20our%20Cloud,your%20SSL%20certificate%20is%20installed
[2] How to install an SSL Certificate on Unifi Cloud Key?
Link:
https://www.ssldragon.com/blog/install-ssl-certificate-on-unifi-cloud-key/
[3] Protect the UniFi Cloud Key with a custom SSL certificate
Link:
https://clemens.ms/protect-the-unifi-cloud-key-with-a-custom-ssl-certificate/
[4] Deploy dehydrated generated certificate to Unifi controller
Link: https://gist.github.com/jrotello/18ab3e1982d46b04a269dfbc63aa097f
[5] How to quickly setup SSL certificate on Unifi Cloud Key
Link:
https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63
[6] Unable to import the certificate into keystore
Link:
https://community.ui.com/questions/Unable-to-import-the-certificate-into-keystore/c9a42223-1d36-40bf-954a-059508d52263
However, only 2 reference guides worked for me. They are:
[A] How to quickly setup SSL certificate on Unifi Cloud Key (Java method)
Link:
https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63
[B] Unable to import the certificate into keystore
Link:
https://community.ui.com/questions/Unable-to-import-the-certificate-into-keystore/c9a42223-1d36-40bf-954a-059508d52263
I shall detail my attempts at following the instructions below. It is not
possible to install an SSL certificate in the UniFi Cloud Key using the Web
GUI at all. The only way to do it is through the Command Line Interface (CLI).
There is no other way out.
1st Attempt FAILED - following the guide at
https://www.ssldragon.com/blog/install-ssl-certificate-on-unifi-cloud-key/
======================================================================================================================
openssl genrsa -out /etc/ssl/private/cloudkey.key 2048
openssl req -new -batch \
  -subj "/C=SG/ST=Singapore/L=Singapore/O=Teo-En-Ming-Corporation/OU=IT/CN=cloudkey.teo-en-ming-corp.com/emailAddress=ceo@teo-en-ming-corp.com" \
  -key /etc/ssl/private/cloudkey.key \
  -out /etc/ssl/private/cloudkey.csr
Upload the primary SSL certificate cloudkey.crt to /root
cp /root/cloudkey.crt /etc/ssl/private/
openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey /etc/ssl/private/cloudkey.key \
  -out /etc/ssl/private/cloudkey.p12 -name unifi -password pass:temppass
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
  -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 \
  -srcstoretype PKCS12 -srcstorepass temppass -alias unifi
Importing keystore /etc/ssl/private/cloudkey.p12 to /usr/lib/unifi/data/keystore...
Existing entry alias unifi exists, overwrite? [no]: yes
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/lib/unifi/data/keystore -destkeystore /usr/lib/unifi/data/keystore -deststoretype pkcs12".
keytool -importkeystore -deststorepass temppass -destkeypass temppass \
  -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 \
  -srcstoretype PKCS12 -srcstorepass temppass -alias unifi
Importing keystore /etc/ssl/private/cloudkey.p12 to /usr/lib/unifi/data/keystore...
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
mkdir /root/backup
mv cloudkey.csr /root/backup/
mv cloudkey.p12 /root/backup/
tar -cvf cert.tar *
chown root:ssl-cert /etc/ssl/private/*
chmod 640 /etc/ssl/private/*
apt-get install nano
cp /etc/default/unifi /root/backup/
nano /etc/default/unifi
UNIFI_SSL_KEYSTORE=/etc/ssl/private/unifi.keystore.jks
cd /etc/ssl/private
cp cloudkey.crt /usr/lib/unifi/
cd /root
cp gd_bundle-g2-g1.crt /usr/lib/unifi/
cd /usr/lib/unifi
root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert cloudkey.crt gd_bundle-g2-g1.crt
Unable to import the certificate into keystore
root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert cloudkey.crt
Unable to import the certificate into keystore
cd /root/backup/
cp cloudkey.p12 /usr/lib/unifi
cd /usr/lib/unifi
root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert cloudkey.p12
Unable to import the certificate into keystore
cp /usr/lib/unifi/data/keystore /root/backup/
rm /usr/lib/unifi/data/keystore
cd /usr/lib/unifi
2nd Attempt FAILED - following the guide at
https://gist.github.com/jrotello/18ab3e1982d46b04a269dfbc63aa097f
==============================================================================================================
cd /root
cp cloudkey.pem /etc/ssl/private/
openssl pkcs12 \
-export \
-inkey /etc/ssl/private/cloudkey.key \
-in /etc/ssl/private/cloudkey.crt \
-out /etc/ssl/private/cloudkey.p12 \
-name unifi -password pass:temppass
keytool \
-importkeystore \
-deststorepass aircontrolenterprise \
-destkeypass aircontrolenterprise \
-destkeystore /etc/ssl/private/unifi.keystore.jks \
-srckeystore /etc/ssl/private/cloudkey.p12 \
-srcstoretype PKCS12 \
-srcstorepass temppass \
-alias unifi
Importing keystore /etc/ssl/private/cloudkey.p12 to /etc/ssl/private/unifi.keystore.jks...
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /etc/ssl/private/unifi.keystore.jks -destkeystore /etc/ssl/private/unifi.keystore.jks -deststoretype pkcs12".
cd /etc/ssl/private/
cp cloudkey.pem cloudkey.crt
tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks
cp /root/backup/unifi /etc/default/unifi
UNIFI_SSL_KEYSTORE=/etc/ssl/private/unifi.keystore.jks
root@Teo-En-Ming-Corporation:/srv/unifi/logs# grep -i cert server.log
[2022-10-25T13:29:06,654] <launcher> ERROR system - Unable to parse cert gd_bundle-g2-g1.crt
[2022-10-25T13:29:06,683] <launcher> ERROR system - Unable to parse cert cloudkey.crt
[2022-10-25T13:29:06,687] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:29:35,267] <launcher> ERROR system - Unable to parse cert cloudkey.crt
[2022-10-25T13:29:35,302] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:31:42,830] <launcher> ERROR system - Unable to parse cert cloudkey.p12
java.security.cert.CertificateParsingException: signed fields invalid
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1842) ~[?:1.8.0_332]
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195) ~[?:1.8.0_332]
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102) ~[?:1.8.0_332]
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339) ~[?:1.8.0_332]
[2022-10-25T13:31:42,867] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:34:58,933] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T14:12:57,061] <launcher> INFO system - Generating Certificate[UniFi]... please wait...
[2022-10-25T14:12:58,665] <launcher> INFO system - Certificate[UniFi] generated!
3rd Attempt - JAVA method - following the guide at
https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63
===================================================================================================================================================================================
java -jar lib/ace.jar new_cert cloudkey.teo-en-ming-corp.com Teo-En-Ming-Corporation Singapore Singapore SG
java -jar lib/ace.jar import_cert <signed_cert> <intermediate_root_cert1> <intermediate_root_cert2> <intermediate_root_cert3>
root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert 94d3a5414bcb5742.crt 94d3a5414bcb5742.pem gd_bundle-g2-g1.crt
Unable to import the certificate into keystore
root@Teo-En-Ming-Corporation:/usr/lib/unifi/logs# grep -i cert server.log
[2022-10-25T13:29:06,654] <launcher> ERROR system - Unable to parse cert gd_bundle-g2-g1.crt
[2022-10-25T13:29:06,683] <launcher> ERROR system - Unable to parse cert cloudkey.crt
[2022-10-25T13:29:06,687] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:29:35,267] <launcher> ERROR system - Unable to parse cert cloudkey.crt
[2022-10-25T13:29:35,302] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:31:42,830] <launcher> ERROR system - Unable to parse cert cloudkey.p12
java.security.cert.CertificateParsingException: signed fields invalid
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1842) ~[?:1.8.0_332]
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195) ~[?:1.8.0_332]
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102) ~[?:1.8.0_332]
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339) ~[?:1.8.0_332]
[2022-10-25T13:31:42,867] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:34:58,933] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T14:12:57,061] <launcher> INFO system - Generating Certificate[UniFi]... please wait...
[2022-10-25T14:12:58,665] <launcher> INFO system - Certificate[UniFi] generated!
[2022-10-25T15:09:17,326] <launcher> INFO system - Generating Certificate[cloudkey.teo-en-ming-corp.com]... please wait...
[2022-10-25T15:09:18,596] <launcher> INFO system - Certificate[cloudkey.teo-en-ming-corp.com] generated!
[2022-10-25T15:17:54,306] <launcher> ERROR system - Unable to parse cert 94d3a5414bcb5742.pem
[2022-10-25T15:17:54,332] <launcher> ERROR system - Unable to parse cert gd_bundle-g2-g1.crt
[2022-10-25T15:17:54,336] <launcher> ERROR system - Unable to parse cert 94d3a5414bcb5742.crt
[2022-10-25T15:17:54,339] <launcher> ERROR system - Unable to import the signed certficate
root@Teo-En-Ming-Corporation:/usr/lib/unifi/logs#
root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert 94d3a5414bcb5742.crt
Unable to import the certificate into keystore
root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert 94d3a5414bcb5742.pem
Unable to import the certificate into keystore
root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert gd_bundle-g2-g1.crt
Unable to import the certificate into keystore
root@Teo-En-Ming-Corporation:/usr/lib/unifi/logs# grep -i cert server.log
[2022-10-25T13:29:06,654] <launcher> ERROR system - Unable to parse cert gd_bundle-g2-g1.crt
[2022-10-25T13:29:06,683] <launcher> ERROR system - Unable to parse cert cloudkey.crt
[2022-10-25T13:29:06,687] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:29:35,267] <launcher> ERROR system - Unable to parse cert cloudkey.crt
[2022-10-25T13:29:35,302] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:31:42,830] <launcher> ERROR system - Unable to parse cert cloudkey.p12
java.security.cert.CertificateParsingException: signed fields invalid
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1842) ~[?:1.8.0_332]
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195) ~[?:1.8.0_332]
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102) ~[?:1.8.0_332]
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339) ~[?:1.8.0_332]
[2022-10-25T13:31:42,867] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:34:58,933] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T14:12:57,061] <launcher> INFO system - Generating Certificate[UniFi]... please wait...
[2022-10-25T14:12:58,665] <launcher> INFO system - Certificate[UniFi] generated!
[2022-10-25T15:09:17,326] <launcher> INFO system - Generating Certificate[cloudkey.teo-en-ming-corp.com]... please wait...
[2022-10-25T15:09:18,596] <launcher> INFO system - Certificate[cloudkey.teo-en-ming-corp.com] generated!
[2022-10-25T15:17:54,306] <launcher> ERROR system - Unable to parse cert 94d3a5414bcb5742.pem
[2022-10-25T15:17:54,332] <launcher> ERROR system - Unable to parse cert gd_bundle-g2-g1.crt
[2022-10-25T15:17:54,336] <launcher> ERROR system - Unable to parse cert 94d3a5414bcb5742.crt
[2022-10-25T15:17:54,339] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T15:20:15,236] <launcher> ERROR system - Unable to parse cert 94d3a5414bcb5742.crt
[2022-10-25T15:20:15,264] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T15:20:45,584] <launcher> ERROR system - Unable to parse cert 94d3a5414bcb5742.pem
[2022-10-25T15:20:45,612] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T15:21:08,616] <launcher> ERROR system - Unable to parse cert gd_bundle-g2-g1.crt
[2022-10-25T15:21:08,649] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T15:24:38,437] <launcher> ERROR system - Unable to parse cert 94d3a5414bcb5742.crt
[2022-10-25T15:24:38,463] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T15:25:33,473] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T15:25:54,484] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T15:26:15,505] <launcher> ERROR system - Unable to import the signed certficate
4th and FINAL ATTEMPT - SUCCESS (using Java method)
=====================================================
root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert 94d3a5414bcb5742.crt gd_bundle-g2-g1.crt
parse gd_bundle-g2-g1.crt (PEM, 3 certs):
found [Go Daddy Secure Certificate Authority - G2]
found [Go Daddy Root Certificate Authority - G2]
found [OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US]
parse 94d3a5414bcb5742.crt (PEM, 1 certs): cloudkey.teo-en-ming-corp.com
Importing signed cert[cloudkey.teo-en-ming-corp.com]
... issued by [Go Daddy Secure Certificate Authority - G2]
... issued by [Go Daddy Root Certificate Authority - G2]
... issued by [OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US]
Certificates successfuly imported. Please restart the UniFi Network application.
# service unifi start
Please note that our UniFi Cloud Key Gen 2 Plus is a standalone device. It
is not a UniFi Controller at all.
When I say I have gotten partial success, it is because the Godaddy SSL
certificate was installed for HTTPS port 8443. As you all know, 8443 is the
standard port for the UniFi Controller.
Godaddy SSL certificate was NOT installed for HTTPS port 443 at all. In
other words, the Godaddy SSL certificate was NOT installed for
https://cloudkey.teo-en-ming-corp.com
The Godaddy SSL certificate was installed for https://192.168.90.2:8443
instead. We can view the SSL certificate details below.
SSL Certificate details
=======================
Issued To
Common Name (CN) cloudkey.teo-en-ming-corp.com
Issued By
Common Name (CN) Go Daddy Secure Certificate Authority - G2
Organization (O) GoDaddy.com, Inc.
Organizational Unit (OU) http://certs.godaddy.com/repository
Validity Period
Issued On Tuesday, October 25, 2022 at 3:12:39 PM
Expires On Wednesday, October 25, 2023 at 3:12:39 PM
As you can see from the above certificate details, the Godaddy SSL
certificate was correctly installed for https://192.168.90.2:8443
However, when we try to access https://cloudkey.teo-en-ming-corp.com:8443,
it says that SSL Protocol is not supported. Something like that. I can't
remember the exact error message.
I guess this happens because there is no UniFi Controller running at HTTPS
port 8443. Only the standalone UniFi Cloud Key UniFi OS is running at HTTPS
port 443.
Also, I guess that the correct/default location for the Java Keystore is
/usr/lib/unifi/data/keystore
It should not be located at /etc/ssl/private/unifi.keystore.jks
Please advise.
Thank you very much.
Regards,
Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
Blogs:
https://tdtemcerts.blogspot.com
https://tdtemcerts.wordpress.com
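In the attempts above, `java -jar lib/ace.jar import_cert` reported "Unable to parse cert" for several files, including the binary cloudkey.p12, before the final run with 94d3a5414bcb5742.crt and gd_bundle-g2-g1.crt succeeded. The script below is an added example, not code from the post, UniFi, ace.jar or the linked guides: it inspects each file before it is handed to import_cert (text rather than DER/PKCS#12, no CRLF endings, matched CERTIFICATE markers, no private key mixed in) and counts the certificates the way ace.jar reports them; the file names and PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight check for files handed to `java -jar lib/ace.jar import_cert`.
# Constructed helper for this post; not part of UniFi, ace.jar or OpenSSL.
# In the post, import_cert answered "Unable to parse cert" for several files,
# among them cloudkey.p12 (binary PKCS#12), before the run that passed only
# PEM certificate files (94d3a5414bcb5742.crt, gd_bundle-g2-g1.crt) worked.

# Return 0 if $1 looks like PEM that import_cert can read, else report on stderr and return 1.
check_pem_cert_file() {
  pem=$1
  [ -f "$pem" ] || { echo "$pem: not a regular file" >&2; return 1; }
  # DER and PKCS#12 are binary; PEM is printable ASCII plus whitespace.
  if LC_ALL=C grep -q '[^[:print:][:space:]]' "$pem"; then
    echo "$pem: binary content (DER or PKCS#12?); import_cert wants PEM" >&2
    return 1
  fi
  # CRLF endings (files saved on Windows) are a common cause of PEM parse trouble.
  if grep -q "$(printf '\r')" "$pem"; then
    echo "$pem: CRLF line endings; normalise with: sed -i 's/\\r\$//' $pem" >&2
    return 1
  fi
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$pem" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "$pem: $begins BEGIN / $ends END CERTIFICATE markers" >&2
    return 1
  fi
  # The private key belongs in the keystore; never pass it to import_cert.
  if grep -q -e 'PRIVATE KEY-----' "$pem"; then
    echo "$pem: contains a private key; do not pass it to import_cert" >&2
    return 1
  fi
  return 0
}
# Certificates in a PEM file (ace.jar printed "PEM, 3 certs" for the GoDaddy bundle).
pem_cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Constructed samples with placeholder bodies, not real certificates or keys.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedleaf' '-----END CERTIFICATE-----' > "$SAMPLES/leaf.crt"
cat "$SAMPLES/leaf.crt" "$SAMPLES/leaf.crt" "$SAMPLES/leaf.crt" > "$SAMPLES/bundle.crt"
printf '\060\202\007\001\002\001\003' > "$SAMPLES/store.p12"   # PKCS#12-like binary bytes
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIB' '-----END CERTIFICATE-----' > "$SAMPLES/crlf.crt"
{ cat "$SAMPLES/leaf.crt"; printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE' '-----END PRIVATE KEY-----'; } > "$SAMPLES/leaf-with-key.pem"

# Run the checks the way one would before calling import_cert.
for f in "$SAMPLES"/*; do
  if check_pem_cert_file "$f"; then echo "OK   $f ($(pem_cert_count "$f") certs)"; fi
done
```

Only leaf.crt and bundle.crt pass; the PKCS#12 file, the CRLF file and the cert-plus-key file are each rejected with the reason printed on stderr.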