Reblog of Securing Ubiquiti UniFi Cloud Key with Let’s Encrypt SSL and automatic dns-01 challenge

The following was lifted from here:
https://www.naschenweng.info/2017/01/06/securing-ubiquiti-unifi-cloud-key-encrypt-automatic-dns-01-challenge/

I'm reposting it so I have easy access to it. This is not my work, nor did I have anything to do with it.

curl https://get.acme.sh | sh

Exit the terminal and re-open it again. We will also enable auto-upgrade for acme.sh (the --accountemail address will be used for Let's Encrypt email notifications, for example expiry warnings if a renewal keeps failing):

acme.sh --upgrade --auto-upgrade --accountemail "mynotifaction@email.com"

To automate the certificate installation, create the file /root/.acme.sh/cloudkey-renew-hook.sh with the following contents (no adjustments are needed):

#!/bin/bash
# Renew-hook for ACME / Let's Encrypt. acme.sh runs this after every successful
# issue or renew, once the new full chain and key have been written to /etc/ssl/private.
echo "** Configuring new Let's Encrypt certs"
cd /etc/ssl/private
# Remove the Cloud Key's bundled certificate material and the previous tarball so the
# cert.tar rebuilt below only contains the current certificate and key
rm -f /etc/ssl/private/cert.tar /etc/ssl/private/unifi.keystore.jks /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/fullchain.pem

# Bundle certificate and key as PKCS12. "aircontrolenterprise" is the password the
# UniFi controller uses for its Java keystore, so the same value has to be used here
openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey /etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 -name unifi -password pass:aircontrolenterprise

# Import the bundle into the controller's keystore under the alias "unifi", which is the entry the controller reads
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi

# The PKCS12 file contains the private key; do not leave it lying around
rm -f /etc/ssl/private/cloudkey.p12
# Rebuild cert.tar, which the Cloud Key keeps its web (nginx) certificate in, and restore ownership/permissions
tar -cvf cert.tar *
chown root:ssl-cert /etc/ssl/private/*
chmod 640 /etc/ssl/private/*
echo "** Testing Nginx and restarting"
/usr/sbin/nginx -t
# Both services are restarted regardless of the nginx -t result; check the log if the test fails
/etc/init.d/nginx restart ; /etc/init.d/unifi restart
Then export your Cloudflare API credentials and issue the certificate. acme.sh saves these two values in /root/.acme.sh/account.conf so that renewals can run unattended, so treat that file like the private key itself (the Global API Key has full control of the Cloudflare account). The pre-hook backs up the current contents of /etc/ssl/private to a timestamped tarball before anything is replaced. Replace unifi.naschenweng.info with your own host name:

export CF_Key="YOUR-CLOUDFLARE-API-KEY"
export CF_Email="YOUR-CLOUDFLARE-EMAIL"
acme.sh --force --issue --dns dns_cf -d unifi.naschenweng.info --pre-hook "touch /etc/ssl/private/cert.tar; tar -zcvf /root/.acme.sh/CloudKeySSL_`date +%Y-%m-%d_%H.%M.%S`.tgz /etc/ssl/private/*" --fullchainpath /etc/ssl/private/cloudkey.crt --keypath /etc/ssl/private/cloudkey.key --reloadcmd "sh /root/.acme.sh/cloudkey-renew-hook.sh"

Let's Encrypt certificates are only valid for 90 days, so renewal has to be automatic. The acme.sh installer normally adds a cron entry of its own (check with crontab -l); if it is missing, run crontab -e and append the following to the end of the crontab. It makes acme.sh check once a day, renew any certificate that is due (60 days after issue by default) and run the hook above on success:

# m h  dom mon dow   command
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh/" >> /var/log/letsencrypt.log

Changing Username on Office 365 with ADSync AND MFA

I have a client that uses AD Sync (Azure AD Connect) to sync their local Active Directory with their Office 365 Azure AD directory. I also have multi-factor authentication, via the iOS Microsoft Authenticator app, enabled for the administrator account. On a Windows 10 computer, here are the steps I have to perform to change a username locally and on Office 365.

On a local domain controller:

Change the username in Active Directory Users and Computers. I also change the E-mail address on the General tab and the proxyAddresses value on the Attribute Editor tab (you must enable View > Advanced Features in the ADUC MMC to see this tab).

On the AzureADSync computer/server:

Run the following PowerShell command to push the change to Azure AD now instead of waiting for the next scheduled sync:

Start-ADSyncSyncCycle -PolicyType Delta

On a Windows 10 management computer:

Using Internet Explorer, go to https://outlook.office365.com/ecp/?rfr=Admin_o365&exsvurl=1&mkt=en-US (the Exchange Admin Center under the Office 365 admin portal), click Hybrid, then click the bottom link (second button) to download and install the Exchange Online PowerShell Module. Internet Explorer is required because the module is delivered as a ClickOnce application.

In the Exchange Online PowerShell Module window, run the following commands (the last two Connect commands prompt for MFA; you don't necessarily need all of this, but I use it to make sure I can run every command I need at the time). The two Install-Module lines only have to be run once:

Install-Module MSOnline
Install-Module AzureAD
Import-Module MSOnline
Import-Module AzureAD
Connect-EXOPSSession
Connect-MsolService

Now you're authenticated and can change the user principal name to match your local Active Directory change:

Set-MsolUserPrincipalName -UserPrincipalName oldupn@domain.com -NewUserPrincipalName newupn@domain.com

To do the same thing in the future, start the Exchange Online PowerShell Module, run the two Connect commands, and then run Set-MsolUserPrincipalName.
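The whole procedure as one script, added here as an example; it is not the post's own commands. It assumes the ActiveDirectory and MSOnline modules are present on the machine it runs from, that the Azure AD Connect server (adsync01 below) accepts PowerShell remoting, and that jdoe, oldupn@domain.com and newupn@domain.com are placeholders. It also checks the one thing that most often makes Set-MsolUserPrincipalName fail, a UPN suffix that is not a verified domain in the tenant, and verifies at the end that AD and Azure AD agree.

```powershell
# Added example (not the post's own script): rename a synced user end to end.
# Assumptions: the sync server name, sAMAccountName and UPNs below are placeholders.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$OldUpn         = 'oldupn@domain.com',
    [string]$NewUpn         = 'newupn@domain.com',
    [string]$SyncServer     = 'adsync01'      # host running Azure AD Connect
)
Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Local AD: UPN, mail and proxyAddresses. The old primary SMTP address is kept as a
#    secondary (lower-case smtp:) so mail sent to the old name still arrives.
$user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, mail, userPrincipalName
if ($user.UserPrincipalName -ne $OldUpn) {
    throw "AD UPN is $($user.UserPrincipalName), expected $OldUpn"
}
$proxies = @($user.proxyAddresses | ForEach-Object { $_ -creplace '^SMTP:', 'smtp:' })
$proxies = @($proxies | Where-Object { $_ -ne "smtp:$NewUpn" }) + "SMTP:$NewUpn"
Set-ADUser -Identity $SamAccountName -UserPrincipalName $NewUpn -EmailAddress $NewUpn `
           -Replace @{ proxyAddresses = $proxies }

# 2. Push the change to Azure AD now instead of waiting for the scheduled cycle.
if ($SyncServer -ieq $env:COMPUTERNAME) {
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    Invoke-Command -ComputerName $SyncServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
}

# 3. Cloud side. Connect-MsolService prompts for MFA. The new suffix must be a verified
#    domain in the tenant or Set-MsolUserPrincipalName is rejected.
Connect-MsolService
$suffix = $NewUpn.Split('@')[1]
$domain = Get-MsolDomain -DomainName $suffix -ErrorAction SilentlyContinue
if (-not $domain -or $domain.Status -ne 'Verified') {
    throw "$suffix is not a verified domain in this tenant"
}
Set-MsolUserPrincipalName -UserPrincipalName $OldUpn -NewUserPrincipalName $NewUpn

# 4. Verify that both directories now agree on the UPN.
$cloud = Get-MsolUser -UserPrincipalName $NewUpn
$local = Get-ADUser -Identity $SamAccountName
if ($cloud.UserPrincipalName -eq $local.UserPrincipalName) {
    "UPN is now $NewUpn in AD and Azure AD (ImmutableId $($cloud.ImmutableId))"
} else {
    throw "Mismatch: AD=$($local.UserPrincipalName) cloud=$($cloud.UserPrincipalName)"
}
```

Run it from a management host that can reach both the domain controllers and the sync server; the Exchange Online session from the post is not needed for the UPN change itself, only for mailbox-side work you do afterwards.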

Setting up SSL with Shinobi Video using Let’s Encrypt and Certbot

This help text was compiled using Ubuntu 16.04 server LTS

Install Shinobi using the online documentation

Become a super user

sudo su

Make sure your distribution is up to date

apt-get update
apt-get dist-upgrade

First change the login email address and password for the super user in super.json. Shinobi stores the password as an unsalted MD5 hash, which is trivially reversible for common passwords, so pick a long random one.

Create an MD5 hash of your password (the command ends up in your shell history unless HISTCONTROL ignores commands prefixed with a space):

echo -n 'password' | md5sum

Copy the resulting hash and edit super.json, replacing the email and password with your own:

cd /home/user/Shinobi
nano super.json

Ctrl O, Enter to Save and Ctrl X to exit

Install certbot

apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

Set up the folder structure you are going to use for certbot:

cd /home/user/Shinobi
mkdir certs
cd /home/user/Shinobi/web
mkdir -p .well-known/acme-challenge

Generate the certificate. Let's Encrypt fetches the challenge file over plain HTTP on port 80, so the Shinobi web root must be reachable from the internet on that port (which is why conf.json below listens on port 80):

certbot certonly --webroot -w /home/user/Shinobi/web -d shinobi.website.com

Edit the main Shinobi configuration file, conf.json (super.json only holds the super user login), to turn on SSL. The key and cert paths point into the directory certbot created under /etc/letsencrypt/live/, which is named after the domain passed to -d, so website.ssl.name below is shinobi.website.com for the command above. certbot makes the live and archive directories readable by root only; that works here because Shinobi is started from the root shell, but a Shinobi running as another user would need read access to those files. Prefer fullchain.pem over cert.pem for "cert": a Node https server accepts the chain in that file, and clients that do not already have the Let's Encrypt intermediate would otherwise fail to validate. Also replace the sample database password (empty in the sample) and the cron and plugin keys.

nano conf.json
{
  "port": 80,
  "addStorage": [
    {
      "name": "second",
      "path": "__DIR__/videos2"
    }
  ],
  "db": {
    "host": "127.0.0.1",
    "user": "majesticflame",
    "password": "",
    "database": "ccio",
    "port": 3306
  },
  "mail": {
    "service": "gmail",
    "auth": {
      "user": "your_email@gmail.com",
      "pass": "your_password_or_app_specific_password"
    }
  },
  "ssl": {
    "key": "/etc/letsencrypt/live/website.ssl.name/privkey.pem",
    "cert": "/etc/letsencrypt/live/website.ssl.name/cert.pem",
    "port": 443
  },
  "cron": {
    "key": "change_this_to_something_very_random__just_anything_other_than_this"
  },
  "pluginKeys": {
    "Motion": "change_this_to_something_very_random____make_sure_to_match__/plugins/motion/conf.json",
    "OpenCV": "change_this_to_something_very_random____make_sure_to_match__/plugins/opencv/conf.json",
    "OpenALPR": "SomeOpenALPRkeySoPeopleDontMessWithYourShinobi"
  }
}

Ctrl O, Enter to Save and Ctrl X to exit

Edit camera.js (the file pm2 runs as Shinobi's web process) to serve the .well-known folder statically, so that certbot's challenge files are reachable at http://shinobi.website.com/.well-known/acme-challenge/:

nano camera.js

Hit Ctrl W, type //pages followed by enter to search for //pages

make it look like the below by adding this line of text – app.use('/.well-known',express.static(__dirname + '/web/.well-known'));

////Pages
app.enable('trust proxy');
app.use('/libs',express.static(__dirname + '/web/libs'));
app.use('/.well-known',express.static(__dirname + '/web/.well-known'));
app.use(bodyParser.json());

Ctrl O, Enter to save and Ctrl X to quit

Restart Shinobi so it picks up conf.json and the edited camera.js (if the processes are not registered with pm2 yet, use pm2 start camera.js and pm2 start cron.js instead):

pm2 restart all

Renewal: the certbot package installs a timer that runs certbot renew, but a Node https server only reads the key and certificate at startup, so Shinobi has to be restarted after each renewal. Either add --deploy-hook "pm2 restart all" to the certbot command above or put that command in a script under /etc/letsencrypt/renewal-hooks/deploy/.

Profit

Update 2019/04/02

I had to change the ssl code in the super configuration from the below to what is already above:

"ssl": {
"key": "/home/user/Shinobi/certs/privkey.pem",
"cert": "/home/user/Shinobi/certs/cert.pem",
"port": 443
},

I also changed the certbot command from the below to the above:

certbot certonly --webroot -w /home/user/Shinobi/web -d shinobi.website.com --cert-path /home/user/Shinobi/certs --key-path /home/user/Shinobi/certs --fullchain-path /home/user/Shinobi/certs --chain-path /home/user/Shinobi/certs

Windows Command Line IP Address Assignment

If you want to set a static IP address from the command prompt in Windows, use the following command in an elevated command prompt.

netsh interface ipv4 set address "Local Area Connection" static 10.0.0.55 255.0.0.0 10.0.0.1

where "Local Area Connection" is your network adapter name as shown in the Network and Sharing Center (on newer Windows versions it is usually "Ethernet")

where 10.0.0.55 is the ip address you wish to assign

where 255.0.0.0 is the subnet mask you wish to assign

where 10.0.0.1 is the default gateway you wish to assign.

Windows 2012 Server LDAP over SSL

The only things required for LDAP over SSL on a Windows 2012 R2 domain controller are a certificate with its private key in the Personal store of the local machine (not the user), issued for Server Authentication and chaining to a CA the domain controller trusts, and a restart so the DC loads it.

You do not need an Active Directory Certificate Authority, and the certificate does not have to name each domain controller individually. A public wildcard certificate works, and so does a private wildcard certificate as long as every domain controller trusts the authority that issued it (import the issuing CA into Trusted Root Certification Authorities and the wildcard certificate, with its private key, into Personal on each domain controller). The name clients connect with still has to match the Subject or a Subject Alternative Name DNS entry; the wildcard is what makes that match.

The only other thing I did was add it to the SSL binding for the default site in IIS and then REBOOT. A reboot is the simple way to make the DC pick the certificate up; the no-downtime alternative is to ask the DC to reload it by modifying the renewServerCertificate attribute of rootDSE with ldifde.

You also have to do this on ALL of your domain controllers.

You can test with LDP on a domain controller: connect to it with the SSL box ticked and the port set to 636 (3269 is Global Catalog over SSL and only answers on GC servers). The connection can take a while to come up; if it never does, check that the certificate has the Server Authentication usage and a trusted chain, then restart the DC.
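LDP only tests from the domain controller itself. The following is an added example (not part of the original post) that tests LDAPS from any domain-joined Windows host and prints the certificate the DC actually presents, so a wrong or expired certificate is visible rather than showing up only as a timeout; dc01.corp.example.com is a placeholder for one of your domain controllers.

```powershell
# Added example (not part of the original post): test LDAPS from a Windows client
# and show which certificate the DC presents. The server name is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-Ldaps {
    param(
        [Parameter(Mandatory)] [string]$Server,
        [int]$Port = 636    # 636 = LDAPS on every DC; 3269 = Global Catalog over SSL, GC servers only
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

    # Print the certificate, then accept it only if it chains to a root this client trusts.
    # Verify() checks the chain, not the name: compare the Subject/SAN output with $Server yourself.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        Write-Host ("Subject : {0}`nIssuer  : {1}`nExpires : {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if ($san) { Write-Host ("SAN     : {0}" -f $san.Format($false)) }
        return $cert.Verify()
    }
    try {
        $conn.Bind()                      # Negotiate (Kerberos/NTLM) bind inside the TLS session
        "LDAPS bind to ${Server}:$Port succeeded"
    } catch {
        "LDAPS bind to ${Server}:$Port failed: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

Test-Ldaps -Server 'dc01.corp.example.com'
Test-Ldaps -Server 'dc01.corp.example.com' -Port 3269
```

Run it against every domain controller after the certificate has been installed; a DC that has not loaded the certificate yet fails the bind with a server-unavailable error rather than presenting a bad certificate, which is the symptom the reboot (or the rootDSE reload) cures.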

Adding a certificate to UniFi Wifi Controller

If anyone is still having trouble with this, I just figured out how to do it using an existing Windows certificate. In my case, we have our own internal Certification Authority, but it will work just the same with a certificate issued by GoDaddy or anyone else.

I’m assuming you already know how to export the certificate using the Certificates MMC snap-in, and that the keytool executable from your installed java package is in the path.

1)      Export PFX certificate with private key and the option “Include all certificates in the certification path if possible”, using password “aircontrolenterprise” (this is important!)

2)      Open a Command Prompt and go to the directory Unifi was installed to then the data directory (example: C:\Users\administrator\Ubiquiti Unifi\data)

3)      Find the alias of your exported certificate by using (use the password from step 1):

keytool -list -keystore c:\path\to\pfx.pfx -storetype pkcs12

It will list the certificate starting with its alias, for example:

Keystore type: PKCS12

Keystore provider: SunJSSE

Your keystore contains 1 entry

le-webserver2003-8f6daf5b-8c89-405f-b3bb-045c58656883, Mar 20, 2013, PrivateKeyEntry,

Certificate fingerprint (MD5): AB:3F:79:FD:F5:1E:B3:69:78:8C:1C:AC:41:B3:29:6B

The certificate alias in this case is le-webserver2003-8f6daf5b-8c89-405f-b3bb-045c58656883. Use it in place of "src-alias" in the command below (yours will be different).

4)      Rename the existing file called “keystore” to keystore.orig.

5)      Run the following command:

keytool -importkeystore -srcstoretype pkcs12 -srcalias src-alias -srckeystore c:\path\to\pfx.pfx -keystore keystore -destalias unifi

Use the same password from step 1.

6)     Start the UniFi server.

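The same import driven from PowerShell, added here as an example rather than the poster's own commands. It assumes the PFX was exported with the password "aircontrolenterprise" as the post requires, that C:\path\to\pfx.pfx and the data directory are placeholders, and that keytool is on the PATH. Beyond the post's steps it verifies the result: that the unifi alias carries the certificate from the PFX and that the chain came along, which is the part that silently goes missing when the export option "Include all certificates in the certification path" is skipped.

```powershell
# Added example (not the poster's commands): PKCS12 -> UniFi keystore import, then verify.
# Paths are placeholders; "aircontrolenterprise" is the password the controller expects.
param(
    [string]$Pfx       = 'C:\path\to\pfx.pfx',
    [string]$DataDir   = "$env:USERPROFILE\Ubiquiti Unifi\data",
    [string]$StorePass = 'aircontrolenterprise'
)
$keystore = Join-Path $DataDir 'keystore'
# The post exports the PFX with the same password. keytool takes it on the command line,
# where it is visible in the process list for the duration of each call.
$pfxPass = $StorePass

# 1. Find the alias keytool sees (the PrivateKeyEntry in the PFX).
$entry = keytool -list -keystore $Pfx -storetype pkcs12 -storepass $pfxPass |
         Where-Object { $_ -match ',\s*PrivateKeyEntry' } | Select-Object -First 1
if (-not $entry) { throw "No private key entry found in $Pfx" }
$srcAlias = ($entry -split ',')[0].Trim()

# 2. Record the leaf certificate's SHA-1 fingerprint from the PFX, in keytool's AB:3F:... form.
$col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$col.Import($Pfx, $pfxPass, 'DefaultKeySet')
$leaf = $col | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
$expected = $leaf.Thumbprint -replace '(..)(?!$)', '$1:'

# 3. Keep the old keystore (step 4 of the post), then import under the alias the controller reads.
if (Test-Path $keystore) { Move-Item $keystore "$keystore.orig" -Force }
keytool -importkeystore -noprompt -srcstoretype pkcs12 -srckeystore $Pfx -srcstorepass $pfxPass `
        -srcalias $srcAlias -destkeystore $keystore -deststorepass $StorePass `
        -destkeypass $StorePass -destalias unifi
if ($LASTEXITCODE -ne 0) { throw "keytool import failed" }

# 4. Verify: alias present, fingerprint matches the PFX, chain length > 1.
$listing = keytool -list -v -keystore $keystore -storepass $StorePass -alias unifi
if (-not ($listing | Select-String -SimpleMatch $expected)) {
    throw "The unifi entry does not carry fingerprint $expected"
}
$m = $listing | Select-String 'Certificate chain length: (\d+)'
$chain = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 0 }
if ($chain -lt 2) {
    Write-Warning "Only the leaf certificate was imported; re-export the PFX with 'Include all certificates in the certification path'"
}
"Imported $($leaf.Subject) as 'unifi' (chain length $chain). Start the UniFi service."
```

Keep keystore.orig until the controller has been restarted and the new certificate is visible in the browser; if the import went wrong, moving it back is the whole recovery.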

Installing additional Features on Windows

Here is how you tell Windows to install a packaged feature and the source directory to install it from. /LimitAccess stops DISM from contacting Windows Update for the payload, so the installation media at <drive>:\sources\sxs has to contain it.

Elevated Command Prompt:

Dism /online /enable-feature /featurename:NetFx3 /All /Source:<drive>:\sources\sxs /LimitAccess

To get a list of features:

dism /online /get-features


Permissions for Redirected Folders Root Folder Share

2.  Set Share Permissions for the Everyone group to Full Control.

3.  Use the following settings for NTFS Permissions:

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
  • System – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone – Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone – List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone – Read Attributes (Apply onto: This Folder Only)
  • Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only)
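The list above translated into a script, added here as an example and not part of the original post. The interesting part is the mapping from the "Apply onto" wording to InheritanceFlags and PropagationFlags, which is easy to get wrong by hand (Subfolders and Files Only is the InheritOnly case). D:\Shares\Users, Users$ and the CORP domain are placeholders.

```powershell
# Added example (not part of the original post): create the redirected-folders root,
# apply the NTFS ACL listed above with inheritance disabled, and share it.
# Path, share name and domain are placeholders.
param(
    [string]$Path      = 'D:\Shares\Users',
    [string]$ShareName = 'Users$',
    [string]$Domain    = 'CORP'
)
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# "Apply onto" wording from the list, as (InheritanceFlags, PropagationFlags):
#   This Folder Only                   -> None, None
#   This Folder, Subfolders and Files  -> ContainerInherit+ObjectInherit, None
#   Subfolders and Files Only          -> ContainerInherit+ObjectInherit, InheritOnly
function New-Ace([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $Propagate, 'Allow')
}
$full = 'FullControl'
# Create Folder/Append Data, List Folder/Read Data, Read Attributes, Traverse Folder/Execute File:
# enough for a user to create their own folder on first logon, not enough to browse others'.
$dropbox = 'CreateDirectories, ListDirectory, ReadAttributes, Traverse'

$rules = @(
    (New-Ace 'CREATOR OWNER'         $full    'ContainerInherit, ObjectInherit' 'InheritOnly')
    (New-Ace 'NT AUTHORITY\SYSTEM'   $full    'ContainerInherit, ObjectInherit' 'None')
    (New-Ace "$Domain\Domain Admins" $full    'ContainerInherit, ObjectInherit' 'None')
    (New-Ace 'Everyone'              $dropbox 'None'                            'None')
)

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the parent and drop inherited ACEs
foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($existing)  # start from an empty explicit list
}
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Share permissions: Everyone Full Control, as in step 2; NTFS does the real restricting.
# Access-based enumeration additionally hides other users' folders from directory listings.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' -FolderEnumerationMode AccessBased | Out-Null
}

# Show what was applied, in the same terms as the list above.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

Because CREATOR OWNER is InheritOnly, the user who creates a folder under the root becomes its owner with Full Control on that folder and everything below it, while the root itself stays a drop box where Everyone can create but not read other people's folders.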